Vulnerability in Protobuf-java Library 

Issue date: 06-01-2023
Affects versions: 15.1, 14.7, 13.4

Security Issue ID

SECURITY-409

 

Affected Product Version(s)

15.1.4, 14.7.12, 13.4.21 and previous releases.


Severity 

High


Description

CVE-2022-3510  suppress

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

CVSSv3:

  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Instructions

Customers are recommended to upgrade to the latest version. As of the time of writing, 15.2.0, 14.7.13, 13.4.22.