Main Vulnerability Database SB2022060239

SB2022060239 - openEuler 22.03 LTS update for protobuf

Published: June 2, 2022

Security Bulletin ID SB2022060239

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource management error (CVE-ID: CVE-2021-22569)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. protobuf-java allowes the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.

Remediation

Install update from vendor's website.

References

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1694

Vulnerable Software

openEuler: 22.03 LTS
protobuf-java: before 3.14.0-4
python3-protobuf: before 3.14.0-4
protobuf-parent: before 3.14.0-4
protobuf-java-util: before 3.14.0-4
protobuf-javalite: before 3.14.0-4
protobuf-bom: before 3.14.0-4
protobuf-javadoc: before 3.14.0-4
protobuf-lite-devel: before 3.14.0-4
protobuf-compiler: before 3.14.0-4
protobuf-devel: before 3.14.0-4
protobuf-lite: before 3.14.0-4
protobuf-debuginfo: before 3.14.0-4
protobuf-debugsource: before 3.14.0-4
protobuf: before 3.14.0-4

SB2022060239 - openEuler 22.03 LTS update for protobuf

Breakdown by Severity

Description

Remediation

References

Please verify you're human