{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-22569", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "dateUpdated": "2024-08-03T18:44:14.144Z", "dateReserved": "2021-01-05T00:00:00", "datePublished": "2022-01-07T00:00:00"}, "containers": {"cna": {"title": "Denial of Service of protobuf-java parsing procedure", "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2023-04-18T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions."}], "affected": [{"vendor": "Google LLC", "product": "protobuf-java", "versions": [{"version": "unspecified", "lessThan": "3.16.1", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "3.18.2", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "3.19.2", "status": "affected", "versionType": "custom"}]}, {"vendor": "Google LLC", "product": "protobuf-kotlin", "versions": [{"version": "unspecified", "lessThan": "3.18.2", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "3.19.2", "status": "affected", "versionType": "custom"}]}, {"vendor": "Google LLC", "product": "google-protobuf [JRuby Gem]", "versions": [{"version": "unspecified", "lessThan": "3.19.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"}, {"url": "https://cloud.google.com/support/bulletins#gcp-2022-001"}, {"name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"}, {"name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"}], "credits": [{"lang": "en", "value": "OSS-Fuzz - https://github.com/google/oss-fuzz"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-696 Incorrect Behavior Order", "cweId": "CWE-696"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "INTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:44:14.144Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330", "tags": ["x_transferred"]}, {"url": "https://cloud.google.com/support/bulletins#gcp-2022-001", "tags": ["x_transferred"]}, {"name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"}, {"name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "01422CF6-13DE-42DF-A6FF-67E70D40DE6E", "versionEndExcluding": "3.19.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CAAA7EA-1EE1-433E-939A-B25BDE08FF22", "versionEndExcluding": "3.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "FBBE87EA-F13D-4A0A-AF42-A361AB4F6611", "versionEndExcluding": "3.18.2", "versionStartIncluding": "3.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "5707A6F9-0CEC-4CAA-B860-EBFA2D525B64", "versionEndExcluding": "3.19.2", "versionStartIncluding": "3.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*", "matchCriteriaId": "A252BD12-1555-4E89-B671-D459D3F149E0", "versionEndExcluding": "3.18.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*", "matchCriteriaId": "329F610C-F8CB-4009-B3A2-D0CB7FDDCB28", "versionEndExcluding": "3.19.2", "versionStartIncluding": "3.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DAAB7154-4DE8-4806-86D0-C1D33B84417B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "6F60E32F-0CA0-4C2D-9848-CB92765A9ACB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*", "matchCriteriaId": "DF616620-88CE-4A77-B904-C1728A2E6F9B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:spatial_and_graph_mapviewer:19c:*:*:*:*:*:*:*", "matchCriteriaId": "D5291552-F823-48E6-B9D8-E94740C4CEFE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:spatial_and_graph_mapviewer:21c:*:*:*:*:*:*:*", "matchCriteriaId": "051613BE-6E8E-4865-8DA5-24352E9B9AD0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions."}, {"lang": "es", "value": "Un problema en protobuf-java permit\u00eda intercalar campos com.google.protobuf.UnknownFieldSet de tal manera que eran procesados fuera de orden. Una peque\u00f1a carga \u00fatil maliciosa puede ocupar el analizador durante varios minutos al crear un gran n\u00famero de objetos de corta duraci\u00f3n que causan frecuentes y repetidas pausas. Recomendamos actualizar las bibliotecas m\u00e1s all\u00e1 de las versiones vulnerables"}], "id": "CVE-2021-22569", "lastModified": "2024-11-21T05:50:20.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-10T14:10:16.747", "references": [{"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"}, {"source": "cve-coordination@google.com", "tags": ["Exploit", "Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"}, {"source": "cve-coordination@google.com", "tags": ["Vendor Advisory"], "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"}, {"source": "cve-coordination@google.com", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-696"}], "source": "cve-coordination@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:4623", "cpe": "cpe:/a:redhat:quarkus:2.7", "package": "protobuf-java", "product_name": "Red Hat build of Quarkus 2.7.5", "release_date": "2022-05-18T00:00:00Z"}, {"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "protobuf-java", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}, {"advisory": "RHSA-2022:1013", "cpe": "cpe:/a:redhat:camel_quarkus:2.2.1", "package": "protobuf-java", "product_name": "RHINT Camel-Q 2.2.1", "release_date": "2022-03-22T00:00:00Z"}, {"advisory": "RHSA-2022:7896", "cpe": "cpe:/a:redhat:integration:1", "package": "protobuf-java", "product_name": "RHINT Debezium 1.9.7", "release_date": "2022-11-09T00:00:00Z"}, {"advisory": "RHSA-2022:6835", "cpe": "cpe:/a:redhat:service_registry:2.3", "package": "protobuf-java", "product_name": "RHINT Service Registry 2.3.0 GA", "release_date": "2022-10-06T00:00:00Z"}, {"advisory": "RHSA-2022:5903", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "protobuf-java", "product_name": "RHPAM 7.13.0 async", "release_date": "2022-08-04T00:00:00Z"}, {"advisory": "RHSA-2022:8761", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "protobuf-java", "product_name": "Text-Only RHOAR", "release_date": "2022-12-14T00:00:00Z"}], "bugzilla": {"description": "protobuf-java: potential DoS in the parsing procedure for binary data", "id": "2039903", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039903"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-696", "details": ["An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.", "A flaw was found in protobuf-java. Google Protocol Buffer (protobuf-java) allows the interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially-crafted content, a remote attacker could cause a timeout in the ProtobufFuzzer function, resulting in a denial of service."], "name": "CVE-2021-22569", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "protobuf-java", "product_name": "Red Hat build of Debezium 1"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Will not fix", "package_name": "protobuf-java", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "protobuf-java", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "protobuf-java", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-metering-hadoop", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "candlepin", "product_name": "Red Hat Satellite 6"}], "public_date": "2022-01-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-22569\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22569\nhttps://github.com/protocolbuffers/protobuf/commit/b3093dce58bc9d3042f085666d83c8ef1f51fe7b\nhttps://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67"], "threat_severity": "Moderate"}