RubySecRUBY:GOOGLE-PROTOBUF-2022-3171protobuf-java has a potential Denial of Service issue
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
32.6%
Summary
A potential Denial of Service issue in protobuf-java core and lite was
discovered in the parsing procedure for binary and text format data.
Input streams containing multiple instances of non-repeated embedded
messages
with repeated or unknown fields causes objects to be converted back-n-forth
between mutable and immutable forms, resulting in potentially long garbage
collection pauses.
Reporter: OSS Fuzz
Affected versions: This issue affects both the Java full and lite Protobuf
runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the
Java Protobuf runtime.
Severity
CVE-2022-3171
Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
Remediation and Mitigation
Please update to the latest available versions of the following packages:
- protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
32.6%