CVE-2021-22569

Description

## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz) Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. ## Severity [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. ## Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. ## Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem only] (3.19.2)

Affected packages (5)

• Debian/protobuffrom 0, < 3.12.4-1+deb11u1
• Debian/protobuffrom 0, < 3.6.1.3-2+deb10u1
• Maven/com.google.protobuf:protobuf-javafrom 0, < 3.16.1
• Maven/com.google.protobuf:protobuf-kotlin>= 3.18.0, < 3.18.2
• RubyGems/google-protobuffrom 0, < 3.19.2

CVSS scores

References (9)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-22569
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-22569
• PATCHhttps://github.com/protocolbuffers/protobuf
• WEBhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
• WEBhttps://cloud.google.com/support/bulletins#gcp-2022-001
• WEBhttps://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
• WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
• WEBhttp://www.openwall.com/lists/oss-security/2022/01/12/4
• WEBhttp://www.openwall.com/lists/oss-security/2022/01/12/7