See on RubyGems

google-protobuf 3.19.1

2 security vulnerabilities found in version 3.19.1

A potential Denial of Service issue in protobuf-java

high severity CVE-2021-22569
high severity CVE-2021-22569
Patched versions: >= 3.19.2

Summary

A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.

Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.

Severity

High - An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.

Proof of Concept

For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

Please update to the latest available versions of the following packages:

  • protobuf-java (3.16.1, 3.18.2, 3.19.2)
  • protobuf-kotlin (3.18.2, 3.19.2)
  • google-protobuf [JRuby gem only] (3.19.2)

protobuf-java has a potential Denial of Service issue

medium severity CVE-2022-3171
medium severity CVE-2022-3171
Patched versions: ~> 3.16.3, ~> 3.19.6, ~> 3.20.3, >= 3.21.7

Summary

A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Reporter: OSS Fuzz

Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)

Remediation and Mitigation

Please update to the latest available versions of the following packages:

  • protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
  • protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
  • protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
  • protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
  • google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leaked issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for usage.