CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GoogleCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
VendorProductVersion
googlegoogle-protobuf
𝑥
< 3.19.2
googleprotobuf-java
𝑥
< 3.16.1
googleprotobuf-java
3.18.0 ≤
𝑥
< 3.18.2
googleprotobuf-java
3.19.0 ≤
𝑥
< 3.19.2
googleprotobuf-kotlin
𝑥
< 3.18.2
googleprotobuf-kotlin
3.19.0 ≤
𝑥
< 3.19.2
oraclecommunications_cloud_native_core_console
1.9.0
oraclecommunications_cloud_native_core_network_repository_function
1.15.0
oraclecommunications_cloud_native_core_network_repository_function
1.15.1
oraclecommunications_cloud_native_core_policy
1.15.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
protobuf
bullseye
3.12.4-1+deb11u1
fixed
stretch
no-dsa
bookworm
3.21.12-3
fixed
sid
3.21.12-10
fixed
trixie
3.21.12-10
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
protobuf
lunar
not-affected
kinetic
Fixed 3.12.4-1ubuntu7.22.10.1
released
jammy
Fixed 3.12.4-1ubuntu7.22.04.1
released
impish
ignored
focal
Fixed 3.6.1.3-2ubuntu5.2
released
bionic
Fixed 3.0.0-9.1ubuntu1.1
released
xenial
ignored
trusty
Fixed 2.5.0-9ubuntu1+esm1
released
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2022/01/12/4
http://www.openwall.com/lists/oss-security/2022/01/12/7
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
https://cloud.google.com/support/bulletins#gcp-2022-001
https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
https://www.oracle.com/security-alerts/cpuapr2022.html
http://www.openwall.com/lists/oss-security/2022/01/12/4
http://www.openwall.com/lists/oss-security/2022/01/12/7
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
https://cloud.google.com/support/bulletins#gcp-2022-001
https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
https://www.oracle.com/security-alerts/cpuapr2022.html