google-protobuf 3.7.0.rc.2-universal-darwin
A potential Denial of Service issue in protobuf-java
high severity CVE-2021-22569>= 3.19.2
Summary
A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.
Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.
Severity
High - An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.
Proof of Concept
For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.
Remediation and Mitigation
Please update to the latest available versions of the following packages:
- protobuf-java (3.16.1, 3.18.2, 3.19.2)
- protobuf-kotlin (3.18.2, 3.19.2)
- google-protobuf [JRuby gem only] (3.19.2)
protobuf-java has a potential Denial of Service issue
medium severity CVE-2022-3171~> 3.16.3
, ~> 3.19.6
, ~> 3.20.3
, >= 3.21.7
Summary
A potential Denial of Service issue in protobuf-java
core and lite was
discovered in the parsing procedure for binary and text format data.
Input streams containing multiple instances of non-repeated embedded
messages
with repeated or unknown fields causes objects to be converted back-n-forth
between mutable and immutable forms, resulting in potentially long garbage
collection pauses.
Reporter: OSS Fuzz
Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
Severity
CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
Remediation and Mitigation
Please update to the latest available versions of the following packages:
- protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.