DoS via Binary Parsing in protobuf-java core/lite < 3.21.7, 3.20.3, 3.19.6
CVE-2022-3171 Published on October 12, 2022
Memory handling vulnerability in ProtocolBuffers Java core and lite
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Vulnerability Analysis
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2022-3171
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-3171 are published in these products:
Affected Versions
Google LLC Protocolbuffers:- Version 3.21.7 and below 3.21.7 is affected.
- Version 3.20.3 and below 3.20.3 is affected.
- Version 3.19.6 and below 3.19.6 is affected.
- Version 3.16.3 and below 3.16.3 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2022-3171
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | com.google.protobuf:protobuf-kotlin | >= 3.17.0-rc-1, < 3.19.6 | 3.19.6 |
| maven | com.google.protobuf:protobuf-kotlin-lite | >= 3.21.0-rc-1, < 3.21.7 | 3.21.7 |
| maven | com.google.protobuf:protobuf-java | >= 3.20.0-rc-1, < 3.20.3 | 3.20.3 |
| maven | com.google.protobuf:protobuf-java | >= 3.17.0-rc-1, < 3.19.6 | 3.19.6 |
| maven | com.google.protobuf:protobuf-java | < 3.16.3 | 3.16.3 |
| maven | com.google.protobuf:protobuf-kotlin | >= 3.20.0-rc-1, < 3.20.3 | 3.20.3 |
| maven | com.google.protobuf:protobuf-javalite | >= 3.21.0-rc-1, < 3.21.7 | 3.21.7 |
| maven | com.google.protobuf:protobuf-java | >= 3.21.0-rc-1, < 3.21.7 | 3.21.7 |
| maven | com.google.protobuf:protobuf-kotlin | < 3.16.3 | 3.16.3 |
| maven | com.google.protobuf:protobuf-kotlin | >= 3.21.0-rc-1, < 3.21.7 | 3.21.7 |
| maven | com.google.protobuf:protobuf-javalite | >= 3.20.0-rc-1, < 3.20.3 | 3.20.3 |
| maven | com.google.protobuf:protobuf-javalite | >= 3.17.0-rc-1, < 3.19.6 | 3.19.6 |
| maven | com.google.protobuf:protobuf-javalite | < 3.16.3 | 3.16.3 |
| maven | com.google.protobuf:protobuf-kotlin-lite | >= 3.20.0-rc-1, < 3.20.3 | 3.20.3 |
| maven | com.google.protobuf:protobuf-kotlin-lite | >= 3.17.0-rc-1, < 3.19.6 | 3.19.6 |
| maven | com.google.protobuf:protobuf-kotlin-lite | < 3.16.3 | 3.16.3 |
| rubygems | google-protobuf | < 3.16.3 | 3.16.3 |
| rubygems | google-protobuf | >= 3.17.0.rc.1, < 3.19.6 | 3.19.6 |
| rubygems | google-protobuf | >= 3.20.0.rc.1, < 3.20.3 | 3.20.3 |
| rubygems | google-protobuf | >= 3.21.0.rc.1, < 3.21.7 | 3.21.7 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.