CVE-2021-22569: Denial of Service of protobuf-java parsing procedure
First published: Thu Jan 06 2022(Updated: )
A flaw was found in protobuf-java. Google Protocol Buffer (protobuf-java) allows the interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially-crafted content, a remote attacker could cause a timeout in the ProtobufFuzzer function, resulting in a denial of service.
Credit: cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Security Verify Governance | <=10.0 | |
| redhat/protobuf | <3.16.1 | 3.16.1 |
| redhat/protobuf | <3.18.2 | 3.18.2 |
| redhat/protobuf | <3.19.2 | 3.19.2 |
| Google Protobuf Ruby | <3.19.2 | |
| Google Protobuf Java | <3.16.1 | |
| Google Protobuf Java | >=3.18.0<3.18.2 | |
| Google Protobuf Java | >=3.19.0<3.19.2 | |
| google protobuf-kotlin | <3.18.2 | |
| google protobuf-kotlin | >=3.19.0<3.19.2 | |
| oracle communications cloud native core console | =1.9.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.15.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.15.1 | |
| oracle communications Cloud native core policy | =1.15.0 | |
| Oracle Spatial and Graph MapViewer | =19c | |
| Oracle Spatial and Graph MapViewer | =21c |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/216851
- https://www.ibm.com/support/pages/node/7047640 (Advisory)
- http://www.openwall.com/lists/oss-security/2022/01/12/4
- http://www.openwall.com/lists/oss-security/2022/01/12/7
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
- https://cloud.google.com/support/bulletins#gcp-2022-001
- https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
- https://github.com/protocolbuffers/protobuf/pull/9371/commits/5ea2bdf6d7483d64a6b02fcf00ee51fbfb80e847
- https://access.redhat.com/errata/RHSA-2022:1013
- https://access.redhat.com/security/cve/cve-2021-22569
- https://access.redhat.com/errata/RHSA-2022:4623
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:5903
- https://access.redhat.com/errata/RHSA-2022:6835
- https://access.redhat.com/errata/RHSA-2022:7896
- https://access.redhat.com/errata/RHSA-2022:8761
- https://bugzilla.redhat.com/show_bug.cgi?id=2039903
- https://www.cve.org/CVERecord?id=CVE-2021-22569 https://nvd.nist.gov/vuln/detail/CVE-2021-22569 https://github.com/protocolbuffers/protobuf/commit/b3093dce58bc9d3042f085666d83c8ef1f51fe7b https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-22569.
What is the severity of CVE-2021-22569?
The severity of CVE-2021-22569 is medium with a severity value of 5.5.
What is the affected software of CVE-2021-22569?
The affected software of CVE-2021-22569 is Google Protocol Buffer (protobuf-java) versions 3.16.1, 3.18.2, and 3.19.2, as well as IBM Disconnected Log Collector versions v1.0 to v1.8.2.
How can the vulnerability CVE-2021-22569 be exploited?
The vulnerability CVE-2021-22569 can be exploited by persuading a victim to open a specially-crafted content, causing a timeout.
Is there a fix available for CVE-2021-22569?
Yes, there are fixes available for CVE-2021-22569. For Google Protocol Buffer (protobuf-java), the recommended fix is to upgrade to version 3.16.1, 3.18.2, or 3.19.2. For IBM Disconnected Log Collector, the recommended fix is to upgrade to a version higher than v1.8.2.
- collector/redhat-cve
- collector/ibm-support
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/weakness
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22569
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ibm
- canonical/ibm security verify governance
- version/ibm security verify governance/10.0
- package-manager/redhat
- vendor/google
- canonical/google protobuf ruby
- canonical/google protobuf java
- version/google protobuf java/3.18.0
- version/google protobuf java/3.19.0
- canonical/google protobuf-kotlin
- version/google protobuf-kotlin/3.19.0
- vendor/oracle
- canonical/oracle communications cloud native core console
- version/oracle communications cloud native core console/1.9.0
- canonical/oracle communications cloud native core network repository function
- version/oracle communications cloud native core network repository function/1.15.0
- version/oracle communications cloud native core network repository function/1.15.1
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.15.0
- canonical/oracle spatial and graph mapviewer
- version/oracle spatial and graph mapviewer/19c
- version/oracle spatial and graph mapviewer/21c