CVE-2021-22569

A potential Denial of Service issue in protobuf-java

Description

## Summary

A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.

‍
Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz)

Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.

## Severity

[CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.

## Proof of Concept

For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.

## Remediation and Mitigation

Please update to the latest available versions of the following packages:

- protobuf-java (3.16.1, 3.18.2, 3.19.2)
- protobuf-kotlin (3.18.2, 3.19.2)
- google-protobuf [JRuby gem only] (3.19.2)

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

7.5

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions

com.google.protobuf:protobuf-java < 3.16.1; google-protobuf < 3.19.2; com.google.protobuf:protobuf-java >= 3.18.0 < 3.18.2; com.google.protobuf:protobuf-java >= 3.19.0 < 3.19.2; com.google.protobuf:protobuf-kotlin >= 3.18.0 < 3.18.2; com.google.protobuf:protobuf-kotlin >= 3.19.0 < 3.19.2

Severity

High

Ecosystem

RubyGems

Publish Date

January 7, 2022

Modified Date

October 22, 2024