CVE-2021-22569

Denial of Service of protobuf-java parsing procedure

CVSS 7.5 HIGH | EPSS 1.7% | CWE-696
In short

A malicious protobuf message can cause the Java parser to hang for minutes by forcing it to create many temporary objects repeatedly. This allows attackers to disable services that process untrusted protobuf data.

Technical detail

CVE-2021-22569 stems from improper handling of interleaved UnknownFieldSet fields in protobuf-java: a crafted payload triggers excessive garbage-collection pauses through rapid allocation of short-lived objects. The attack only requires that untrusted serialized protobuf messages be processed, and results in denial of service without authentication or special privileges.

Summary generated and translated by AI from the official description.
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
