CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz) Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. ## Severity [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. ## Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. ## Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem only] (3.19.2)

## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz) Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. ## Severity [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. ## Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. ## Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem only] (3.19.2)

Un problema en protobuf-java permitía intercalar campos com.google.protobuf.UnknownFieldSet de tal manera que eran procesados fuera de orden. Una pequeña carga útil maliciosa puede ocupar el analizador durante varios minutos al crear un gran número de objetos de corta duración que causan frecuentes y repetidas pausas. Recomendamos actualizar las bibliotecas más allá de las versiones vulnerables