CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS

oss-sec mailing list archives
From: Ana Oprea <anaoprea () google com>

Date: Wed, 12 Jan 2022 13:32:51 +0100

Summary
A potential Denial of Service issue in protobuf-java was discovered in the
parsing procedure for binary data.
- Reporter: OSS-Fuzz [1]
- Affected versions: All versions of Java Protobufs (including Kotlin and
JRuby) prior to the versions listed below. Protobuf "javalite" users
(typically Android) are not affected.

Severity
CVE-2021-22569 High - CVSS Score: 7.5 [2]
An implementation weakness in how unknown fields are parsed in Java. A
small (~800 KB) malicious payload can occupy the parser for several minutes
by creating large numbers of short-lived objects that cause frequent,
repeated GC pauses.

Proof of Concept
For reproduction details, please refer to the oss-fuzz issue [3] that
identifies the specific inputs that exercise this parsing weakness.

Remediation and Mitigation
Please update to the latest available versions of the following packages:
- protobuf-java (3.16.1, 3.18.2, 3.19.2)
- protobuf-kotlin (3.18.2, 3.19.2)
- google-protobuf [JRuby gem] (3.19.2)
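As an added check that is not part of the advisory or of the protobuf project: a small Python audit that reads dependency declarations and flags protobuf versions older than the fixed releases listed above. The fixed version numbers come from the advisory; the dependency-line formats handled, the sample input lines, and the assumption that releases newer than 3.19.2 also carry the fix are mine.

```python
"""Audit declared protobuf dependency versions against the fixed releases
named in the CVE-2021-22569 advisory.

Added example, not part of the original advisory or of the protobuf project.
Fixed versions are taken from the advisory; the sample dependency lines are
constructed. Assumption: any release newer than the highest fixed version
(e.g. 3.20.x and later) also carries the fix, and pre-release suffixes
such as '-rc1' or '-java' are ignored when comparing.
"""
import re
from typing import List, Optional, Tuple

# Fixed versions per package, exactly as listed in the advisory.
FIXED_VERSIONS = {
    "protobuf-java":   ["3.16.1", "3.18.2", "3.19.2"],
    "protobuf-kotlin": ["3.18.2", "3.19.2"],
    "google-protobuf": ["3.19.2"],   # JRuby gem
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; suffixes are dropped."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_fixed(package: str, version: str) -> bool:
    """True if `version` of `package` contains the CVE-2021-22569 fix.

    A version is fixed when it sits on the same MAJOR.MINOR branch as a
    listed fixed release and is not older than it, or (assumption) is newer
    than the highest fixed release overall. Branches with no fixed release
    (e.g. 3.17.x for protobuf-java) are affected, since the advisory says
    all versions prior to the listed ones are affected.
    """
    fixed = [parse_version(v) for v in FIXED_VERSIONS[package]]
    v = parse_version(version)
    if v >= max(fixed):
        return True
    return any(v[:2] == f[:2] and v >= f for f in fixed)


# Two declaration styles handled here (assumed formats): a Gradle/Maven
# coordinate "group:artifact:version" and a Gemfile.lock entry "name (version)".
COORD_RE = re.compile(r"com\.google\.protobuf:(protobuf-java|protobuf-kotlin):([\w.\-]+)")
GEM_RE = re.compile(r"^\s*(google-protobuf)\s+\(([\w.\-]+)\)")


def find_dependency(line: str) -> Optional[Tuple[str, str]]:
    """Return (package, version) if the line declares a protobuf dependency."""
    for rx in (COORD_RE, GEM_RE):
        m = rx.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (package, version, status) for every protobuf dependency found."""
    findings = []
    for line in lines:
        dep = find_dependency(line)
        if dep is None:
            continue
        pkg, ver = dep
        status = "fixed" if is_fixed(pkg, ver) else "AFFECTED"
        findings.append((pkg, ver, status))
    return findings


# Constructed sample input: Gradle build-file lines and one Gemfile.lock line.
SAMPLE_LINES = [
    'implementation "com.google.protobuf:protobuf-java:3.17.3"',
    'implementation "com.google.protobuf:protobuf-kotlin:3.19.2"',
    "    google-protobuf (3.18.1-java)",
    'implementation "com.google.protobuf:protobuf-java:3.16.1"',
    'implementation "org.example:unrelated:1.0.0"',
]

if __name__ == "__main__":
    for pkg, ver, status in audit(SAMPLE_LINES):
        print(f"{pkg:16} {ver:14} {status}")
```

Run it against real build files by replacing SAMPLE_LINES with the file contents; a 3.17.x protobuf-java line is reported as affected because no 3.17 fix release appears in the advisory.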

[1] https://github.com/google/oss-fuzz
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569
[3] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330

Kind regards,
Ana

Current thread:

CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS Ana Oprea (Jan 12)

Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS John Helmert III (Jan 12)