CVE-2022-3171
ADVISORY - githubSummary
Summary
A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Reporter: OSS Fuzz
Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
Severity
CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
Remediation and Mitigation
Please update to the latest available versions of the following packages:
protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
Common Weakness Enumeration (CWE)
Improper Input Validation
Improper Input Validation
Improper Input Validation
NIST
2.8
CVSS SCORE
4.3mediumGitHub
2.1
CVSS SCORE
5.7mediumDebian
-
Ubuntu
3.9
CVSS SCORE
7.5mediumAmazon
-
CVSS SCORE
N/AhighRed Hat
3.9
CVSS SCORE
7.5mediumChainguard
CGA-4823-v8jx-rx3q
-
Chainguard
CGA-8f53-f8wm-95fh
-
Chainguard
CGA-j4r7-qxxx-756w
-
Chainguard
CGA-jwcm-r7hw-56j9
-
Chainguard
CGA-xp6q-2w42-9mfm
-
Photon
CVE-2022-3171
-
CVSS SCORE
7.5highminimos
MINI-79rm-h588-f854
-