Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS

[John Helmert III <ajak () gentoo org>]

On Wed, Jan 12, 2022 at 01:32:51PM +0100, Ana Oprea wrote:
> Summary
> A potential Denial of Service issue in protobuf-java was discovered in the
> parsing procedure for binary data.
> - Reporter: OSS-Fuzz [1]
> - Affected versions: All versions of Java Protobufs (including Kotlin and
> JRuby) prior to the versions listed below. Protobuf "javalite" users
> (typically Android) are not affected.
>
> Severity
> CVE-2021-22569 High - CVSS Score: 7.5 [2]
> An implementation weakness in how unknown fields are parsed in Java. A
> small (~800 KB) malicious payload can occupy the parser for several minutes
> by creating large numbers of short-lived objects that cause frequent,
> repeated GC pauses.
>
> Proof of Concept
> For reproduction details, please refer to the oss-fuzz issue [3] that
> identifies the specific inputs that exercise this parsing weakness.

The oss-fuzz issue says the issue is unreproducible and was
WontFix'd. Is that accurate, given this has gotten a CVE and a fixed
version exists?

> Remediation and Mitigation
> Please update to the latest available versions of the following packages:
> - protobuf-java (3.16.1, 3.18.2, 3.19.2)
> - protobuf-kotlin (3.18.2, 3.19.2)
> - google-protobuf [JRuby gem] (3.19.2)
>
> [1] https://github.com/google/oss-fuzz
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569
> [3] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
>
> Kind regards,
> Ana

Attachment: signature.asc
Description: