CVE-2021-22569

Public Exploit

Denial of Service of protobuf-java parsing procedure

Description

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

References

Link	Tags
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330	issue tracking mailing list vendor advisory exploit
https://cloud.google.com/support/bulletins#gcp-2022-001	vendor advisory
http://www.openwall.com/lists/oss-security/2022/01/12/4	third party advisory mailing list
http://www.openwall.com/lists/oss-security/2022/01/12/7	third party advisory mailing list
https://www.oracle.com/security-alerts/cpuapr2022.html	third party advisory patch
https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html	mailing list

Frequently Asked Questions

What is the severity of CVE-2021-22569?: CVE-2021-22569 has been scored as a high severity vulnerability.
How to fix CVE-2021-22569?: To fix CVE-2021-22569, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-22569 being actively exploited in the wild?: It is possible that CVE-2021-22569 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-22569?: CVE-2021-22569 affects Google LLC protobuf-java, Google LLC protobuf-kotlin, Google LLC google-protobuf [JRuby Gem].

Description

Category

CWE-696 – Incorrect Behavior Order

References

Frequently Asked Questions