Skip to content

A potential Denial of Service issue in protobuf-java

High
perezd published GHSA-wrvw-hg22-4m67 Jan 6, 2022

Package

maven com.google.protobuf:protobuf-java (Maven)

Affected versions

< 3.19.2

Patched versions

3.16.1, 3.18.2, 3.19.2
maven com.google.protobuf:protobuf-kotlin (Maven)
< 3.19.2
3.18.2, 3.19.2
bundler google-protobuf (RubyGems)
< 3.19.2
3.19.2

Description

Summary

A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.

Reporter: OSS-Fuzz

Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.

Severity

CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.

Proof of Concept

For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

Please update to the latest available versions of the following packages:

  • protobuf-java (3.16.1, 3.18.2, 3.19.2)
  • protobuf-kotlin (3.18.2, 3.19.2)
  • google-protobuf [JRuby gem only] (3.19.2)

Severity

High

CVE ID

CVE-2021-22569

Weaknesses

No CWEs