Bug 1194530 - (CVE-2021-22569) VUL-0: CVE-2021-22569: protobuf: potential Denial of Service in protobuf-java in the parsing procedure for binary data
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Max Lin
Reported: 2022-01-11 11:03 UTC by Thomas Leroy
Modified: 2022-02-21 09:01 UTC (History)
Found By: Security Response Team
Description Thomas Leroy 2022-01-11 11:03:23 UTC

An issue in protobuf-java allowed the interleaving of
com.google.protobuf.UnknownFieldSet fields in such a way that would be processed
out of order. A small malicious payload can occupy the parser for several
minutes by creating large numbers of short-lived objects that cause frequent,
repeated pauses. We recommend upgrading libraries beyond the vulnerable

Probable upstream commit:

Comment 1 Thomas Leroy 2022-01-11 12:46:17 UTC
Affected codestreams:
- SUSE:SLE-15-SP2:Update              3.9.2
- SUSE:SLE-15:Update                  3.5.0
- openSUSE:Factory                    3.17.3
- openSUSE:Leap:15.3:Update           3.9.2
- openSUSE:Leap:15.4:Update           3.9.2
Comment 2 Max Lin 2022-02-21 07:40:55 UTC
I only have one commit according to the protobuf changelog; I didn't notice I'm the internal protobuf maintainer... I can submit the latest version, which should fix this issue. Is that ok for you?
Comment 3 Gianluca Gabrielli 2022-02-21 08:55:07 UTC
The fix is contained in versions >= 3.16.1, >= 3.18.2, >= 3.19.2.

We are ok with bumping the version in openSUSE:Factory, but we need to backport the patch on the other codestreams.
Comment 4 Gianluca Gabrielli 2022-02-21 09:01:35 UTC
We can accept a version bump for codestreams other than Factory only if you can ensure there are no breaking changes between the current and the bumped version.
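The triage above turns on whether a codestream's protobuf-java version already carries the fix. The check below is an added example (not code from this bug or from the protobuf project): it encodes the fixed releases listed in comment 3 as per-minor-line thresholds and runs them over the codestream versions from comment 1 (copied here as a constructed lookup). It assumes that minor lines newer than 3.19 ship the fix and that a minor line with no listed fixed release (such as 3.17.x) is still affected; neither point is stated on the page.

```python
from typing import Tuple

# Fixed protobuf-java releases named in comment 3, one per minor line.
FIXED_RELEASES = ((3, 16, 1), (3, 18, 2), (3, 19, 2))

# Versions carried by the affected codestreams in comment 1 (constructed
# lookup built from the bug page, used here as sample input).
CODESTREAM_VERSIONS = {
    "SUSE:SLE-15-SP2:Update": "3.9.2",
    "SUSE:SLE-15:Update": "3.5.0",
    "openSUSE:Factory": "3.17.3",
    "openSUSE:Leap:15.3:Update": "3.9.2",
    "openSUSE:Leap:15.4:Update": "3.9.2",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_fixed(version: str) -> bool:
    """Return True if `version` carries the CVE-2021-22569 fix.

    A release is fixed when its major.minor line has a listed fixed release
    and its patch level is at or above it. A line newer than every listed
    line (3.20 onwards) is assumed fixed (assumption, not stated on the bug).
    Older lines, and lines with no listed fix (e.g. 3.17.x), are vulnerable.
    """
    major, minor, patch = parse_version(version)
    for fmajor, fminor, fpatch in FIXED_RELEASES:
        if (major, minor) == (fmajor, fminor):
            return patch >= fpatch
    newest_major, newest_minor, _ = max(FIXED_RELEASES)
    return (major, minor) > (newest_major, newest_minor)


def vulnerable_codestreams(versions: dict) -> list:
    """Return the sorted names of codestreams whose version still needs a fix."""
    return sorted(name for name, ver in versions.items() if not is_fixed(ver))


if __name__ == "__main__":
    for name in vulnerable_codestreams(CODESTREAM_VERSIONS):
        print(f"{name}: {CODESTREAM_VERSIONS[name]} needs a backport or bump")
```

Run as a script it lists every codestream from comment 1, since none of 3.5.0, 3.9.2 or 3.17.3 reaches a fixed release.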