oss-sec mailing list archives
CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS
From: Ana Oprea <anaoprea () google com>
Date: Wed, 12 Jan 2022 13:32:51 +0100
Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. - Reporter: OSS-Fuzz [1] - Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. Severity CVE-2021-22569 High - CVSS Score: 7.5 [2] An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. Proof of Concept For reproduction details, please refer to the oss-fuzz issue [3] that identifies the specific inputs that exercise this parsing weakness. Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem] (3.19.2) [1] https://github.com/google/oss-fuzz [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569 [3] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 Kind regards, Ana
Current thread:
- CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS Ana Oprea (Jan 12)
- Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS John Helmert III (Jan 12)