Denial of Service of protobuf-java parsing procedure
CVE-2021-22569

7.5HIGH

Key Information:

Vendor: Google
Status: Protobuf-java; Protobuf-kotlin; Google-protobuf [jruby Gem]
Vendor: CVE Published:; 10 January 2022

Badges

👾 Exploit Exists

Summary

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Affected Version(s)

google-protobuf [JRuby Gem] < 3.19.2

protobuf-java < 3.16.1

protobuf-java < 3.18.2

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330

https://cloud.google.com/support/bulletins#gcp-2022-001

http://www.openwall.com/lists/oss-security/2022/01/12/4

mailing-list

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 13, 2022
👾
Exploit known to exist
Jan 13, 2022
Vulnerability published
Jan 10, 2022
Vulnerability Reserved
Jan 5, 2021

Collectors

NVD DatabaseMitre Database0 Proof of Concept(s)

Credit

OSS-Fuzz - https://github.com/google/oss-fuzz