ADVISORIES
GEM
PLATFORM
SEVERITY
CVSS v3.x: 5.7 (Medium)
PATCHED VERSIONS
- ~> 3.16.3
- ~> 3.19.6
- ~> 3.20.3
- >= 3.21.7
DESCRIPTION
Summary
A potential Denial of Service issue in protobuf-java
core and lite was
discovered in the parsing procedure for binary and text format data.
Input streams containing multiple instances of non-repeated embedded
messages
with repeated or unknown fields causes objects to be converted back-n-forth
between mutable and immutable forms, resulting in potentially long garbage
collection pauses.
Reporter: OSS Fuzz
Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
Severity
CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
Remediation and Mitigation
Please update to the latest available versions of the following packages:
- protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
- google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
RELATED
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
- https://github.com/protocolbuffers/protobuf/releases/tag/v21.7
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3