-
-
Notifications
You must be signed in to change notification settings - Fork 221
/
CVE-2022-3171.yml
51 lines (44 loc) · 1.98 KB
/
CVE-2022-3171.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
---
gem: google-protobuf
platform: jruby
cve: 2022-3171
ghsa: h4h5-3hr4-j3g2
url: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
title: protobuf-java has a potential Denial of Service issue
date: 2022-10-04
description: |
## Summary
A potential Denial of Service issue in `protobuf-java` core and lite was
discovered in the parsing procedure for binary and text format data.
Input streams containing multiple instances of non-repeated [embedded
messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded)
with repeated or unknown fields causes objects to be converted back-n-forth
between mutable and immutable forms, resulting in potentially long garbage
collection pauses.
Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)
Affected versions: This issue affects both the Java full and lite Protobuf
runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the
Java Protobuf runtime.
## Severity
[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171)
Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
## Remediation and Mitigation
Please update to the latest available versions of the following packages:
* protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
* protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
* protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
* protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
* google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
cvss_v3: 5.7
patched_versions:
- "~> 3.16.3"
- "~> 3.19.6"
- "~> 3.20.3"
- ">= 3.21.7"
related:
url:
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
- https://github.com/protocolbuffers/protobuf/releases/tag/v21.7
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3