CVE-2021-22569

Denial of Service in maven/com.google.protobuf/protobuf-java

Identifiers

CVE-2021-22569

Package Slug

maven/com.google.protobuf/protobuf-java

Vulnerability

Denial of Service

Description

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage-collection pauses. We recommend upgrading libraries beyond the vulnerable versions.

Affected Versions

All versions before 3.16.1, all versions starting from 3.18.0 before 3.18.2, all versions starting from 3.19.0 before 3.19.2

Solution

Upgrade to versions 3.16.1, 3.18.2, 3.19.2 or above.

Last Modified

2022-01-17
