Platform
java
Component
protobuf-java
Fixed in
3.17.0
3.18.2
3.19.2
CVE-2021-22569 describes a Denial of Service (DoS) vulnerability discovered in protobuf-java, a widely used Java library for serializing structured data. An attacker can exploit this flaw to cause excessive memory consumption, potentially leading to application crashes and service disruptions. This vulnerability affects versions of Protobuf-Java prior to 3.16.1, with the exception of users of the "javalite" variant (commonly used in Android applications). The vulnerability has been resolved in version 3.16.1.
The core of the vulnerability lies in how protobuf-java handles unknown fields during data parsing. A specially crafted, relatively small (approximately 800 KB) malicious payload can trigger an exponential increase in memory allocation. This memory exhaustion can lead to a denial of service, effectively rendering the application or service unavailable. The impact extends beyond the immediate application; if protobuf-java is used as a dependency in a larger system, the DoS can cascade and impact other components. While no direct data exfiltration is possible, the disruption of service can have significant operational and business consequences.
CVE-2021-22569 was reported through OSS-Fuzz, Google's fuzzing platform, indicating a proactive discovery process. The vulnerability's CVSS score of 7.5 (HIGH) reflects the potential for significant disruption. While no public exploits have been widely reported, the ease of crafting a malicious payload suggests a potential for exploitation. The vulnerability was published on January 7, 2022, and is tracked by both NVD and CISA. There is no indication of active campaigns targeting this specific vulnerability at this time.
Exploit Status
EPSS
0.27% (50th percentile)
CVSS vector
The primary mitigation for CVE-2021-22569 is to upgrade to Protobuf-Java version 3.16.1 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider temporary workarounds. These may include input validation that restricts the size and complexity of incoming protobuf messages. Web application firewalls (WAFs) or proxies can be configured to filter out potentially malicious protobuf payloads based on size or known patterns. Monitor system memory usage closely for unusual spikes, which could indicate exploitation attempts. After upgrading, confirm the fix by attempting to parse a known malicious payload; it should no longer trigger excessive memory allocation.
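The size-based input validation described above, as an added example that is not code from the protobuf project: a parser wrapper that refuses oversized payloads before any parsing work is done and, as defence in depth, sets a byte limit and a recursion limit on the `CodedInputStream` itself. The class name, the `MAX_MESSAGE_BYTES` cap and the `parseBounded` helper are assumptions chosen for illustration; the sample bytes are constructed.

```java
import com.google.protobuf.CodedInputStream;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.UnknownFieldSet;

import java.io.ByteArrayInputStream;
import java.io.IOException;

/** Added example (not protobuf's own code): size-gated parsing as a stop-gap until the upgrade. */
public final class BoundedProtobufParser {

    /**
     * Hypothetical cap. It must exceed your largest legitimate message yet stay well below the
     * roughly 800 KB payload size the advisory describes as sufficient to trigger the bug.
     */
    static final int MAX_MESSAGE_BYTES = 256 * 1024;

    /** Hypothetical helper: rejects the payload up front, then parses with parser-side limits. */
    static UnknownFieldSet parseBounded(byte[] payload) throws IOException {
        if (payload.length > MAX_MESSAGE_BYTES) {
            // Rejected before the parser allocates anything for the message.
            throw new InvalidProtocolBufferException(
                "rejected " + payload.length + " byte message (limit " + MAX_MESSAGE_BYTES + ")");
        }
        CodedInputStream in = CodedInputStream.newInstance(new ByteArrayInputStream(payload));
        // Defence in depth: the stream-backed decoder enforces the same byte cap itself,
        // and a low nesting limit bounds how deep unknown groups/messages may recurse.
        in.setSizeLimit(MAX_MESSAGE_BYTES);
        in.setRecursionLimit(32);
        UnknownFieldSet parsed = UnknownFieldSet.parseFrom(in);
        in.checkLastTagWas(0); // parse must have consumed the input cleanly
        return parsed;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: field 1 as varint 150 (wire bytes 08 96 01) parses normally.
        UnknownFieldSet ok = parseBounded(new byte[] {0x08, (byte) 0x96, 0x01});
        System.out.println("fields parsed: " + ok.asMap().keySet());

        // Constructed oversized blob is refused before any parsing happens.
        try {
            parseBounded(new byte[MAX_MESSAGE_BYTES + 1]);
        } catch (InvalidProtocolBufferException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A byte cap only narrows the window; it does not remove the flawed unknown-field handling, so treat it as a bridge to the 3.16.1 upgrade, and log rejections so the memory-spike monitoring the text recommends has a signal to correlate against.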
Update the protobuf-java library to version 3.19.2 or later to mitigate the denial-of-service vulnerability. The vulnerability stems from incorrect handling of UnknownFieldSet fields, which can lead to excessive resource consumption and service disruption.
CVE-2021-22569 is a high-severity Denial of Service vulnerability in Protobuf-Java, affecting versions up to 3.9.2. A malicious payload can cause excessive memory consumption, leading to service disruption.
You are affected if you are using Protobuf-Java versions 3.9.2 or earlier. Android applications using the 'javalite' variant are not affected. Check your dependency versions to determine your risk.
Upgrade to Protobuf-Java version 3.16.1 or later. If an immediate upgrade is not possible, implement input validation and monitor system memory usage.
While no widespread exploitation has been publicly reported, the ease of crafting a malicious payload suggests a potential risk. Continuous monitoring is recommended.
Refer to the official Protobuf release notes and security advisories on the Google GitHub repository: https://github.com/protocolbuffers/protobuf-java/releases