Bug 1194530 - (CVE-2021-22569) VUL-0: CVE-2021-22569: protobuf: potential Denial of Service in protobuf-java in the parsing procedure for binary data
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/319908/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-22569:5.5:(AV:...
Reported: 2022-01-11 11:03 UTC by Thomas Leroy
Modified: 2022-11-09 11:23 UTC

Found By: Security Response Team
Description Thomas Leroy 2022-01-11 11:03:23 UTC
CVE-2021-22569

An issue in protobuf-java allowed the interleaving of
com.google.protobuf.UnknownFieldSet fields in such a way that they would be
processed out of order. A small malicious payload can occupy the parser for
several minutes by creating large numbers of short-lived objects that cause
frequent, repeated pauses. We recommend upgrading libraries beyond the
vulnerable versions.

Probable upstream commit:
https://github.com/protocolbuffers/protobuf/pull/9371/commits/5ea2bdf6d7483d64a6b02fcf00ee51fbfb80e847

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22569
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569
https://cloud.google.com/support/bulletins#gcp-2022-001
Comment 1 Thomas Leroy 2022-01-11 12:46:17 UTC
Affected codestreams:   
- SUSE:SLE-15-SP2:Update              3.9.2
- SUSE:SLE-15:Update                  3.5.0
- openSUSE:Factory                    3.17.3
- openSUSE:Leap:15.3:Update           3.9.2
- openSUSE:Leap:15.4:Update           3.9.2
Comment 2 Max Lin 2022-02-21 07:40:55 UTC
I only just have one commit according to protobuf changelog, I didn't notice I'm the internal protobuf maintainer... I can submit the latest version that should fix this issue, is it ok for you?
Comment 3 Gianluca Gabrielli 2022-02-21 08:55:07 UTC
The fix is contained in versions >= 3.16.1, >= 3.18.2, >= 3.19.2.

We are ok with bumping version in openSUSE:Factory, but we need to backport the patch on the other codestreams.
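As an added illustration, not part of this bug's comments: a Python check that encodes the fixed-version thresholds listed above, for triaging upstream protobuf-java versions taken from a dependency report. It assumes that 3.20 and later carry the fix and that the 3.17 line, which has no fixed release listed, is wholly affected; that is why 3.17.3 (the Factory version from comment 1) is flagged even though it is newer than 3.16.1.

```python
from __future__ import annotations

import re

# Fix thresholds from comment 3: >= 3.16.1, >= 3.18.2, >= 3.19.2.  Per minor
# line of the 3.x series, the first patch level that contains the fix.  3.17
# deliberately has no entry: no fixed 3.17.x release is listed in the bug.
FIXED_PATCH_LEVEL = {16: 1, 18: 2, 19: 2}
FIRST_FIXED_MINOR = 20  # assumption: 3.20.0 and later all include the fix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a plain 'major.minor.patch' upstream version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if this upstream protobuf-java version lacks the CVE-2021-22569 fix."""
    major, minor, patch = parse_version(version)
    if major != 3:
        # Assumption: 4.x and later post-date the fix; 2.x pre-dates it.
        return major < 3
    if minor >= FIRST_FIXED_MINOR:
        return False
    fixed_patch = FIXED_PATCH_LEVEL.get(minor)
    if fixed_patch is None:
        # Lines below 3.16, and the 3.17 line, never received the fix.
        return True
    return patch < fixed_patch


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each version (e.g. from a dependency report) to its vulnerable flag."""
    return {v: is_vulnerable(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample: the codestream versions from comment 1 plus edge cases.
    sample = ["3.5.0", "3.9.2", "3.17.3", "3.16.1", "3.18.1", "3.19.2", "3.20.0"]
    for v, flag in triage(sample).items():
        print(f"{v:>8}: {'VULNERABLE' if flag else 'fixed'}")
```

Distribution packages that backport the fix, such as the protobuf-3.9.2-150200.4.19.2 builds in the advisory at the end of this bug, keep the old upstream version string and would be flagged by this check, so for those rely on the vendor advisory rather than on the upstream version.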
Comment 4 Gianluca Gabrielli 2022-02-21 09:01:35 UTC
We can accept a version bump for codestreams other than Factory only if you can ensure there are no breaking changes between the current and the bumped version.
Comment 6 Thomas Leroy 2022-09-13 08:15:05 UTC
Any news on the backport Max? Don't hesitate to reach us for any help :)
Backport is preferable from our side, but we could create an ECO for a version bump if backporting the fixing commit(s) is not doable
Comment 7 Max Lin 2022-09-26 03:26:08 UTC
(In reply to Thomas Leroy from comment #6)
> Any news on the backport Max? Don't hesitate to reach us for any help :)
> Backport is preferable from our side, but we could create an ECO for a
> version bump if backporting the fixing commit(s) is not doable

Gianluca has sent a mail to the relevant people/group to try to find a suitable maintainer[1], if they use protobuf and have better knowledge of it; it seems nobody wants to take it... I'm not a Java'er, and backporting the "probable commit" feels not doable for me; I can update protobuf to a recent version if that is acceptable. BTW, as far as I know, protobuf does not guarantee ABI compatibility.

[1] https://bugzilla.suse.com/show_bug.cgi?id=1195258#c8
Comment 8 Max Lin 2022-09-29 10:54:48 UTC
If an ECO is acceptable along with https://bugzilla.suse.com/show_bug.cgi?id=1203681#c2 , this bug can be solved after updating protobuf to 3.19.5 (3.20 and above no longer support python < 3.7).

Meanwhile I find that protobuf-java is not actually part of the SLE product: protobuf-java is a subpackage of protobuf, but SLE doesn't release it to any product, so SLE customers should not have protobuf-java available from the product repos. @Thomas, can you confirm that, or am I looking at it wrong?
Comment 9 Thomas Leroy 2022-09-29 12:53:02 UTC
(In reply to Max Lin from comment #8)
> If a ECO is acceptable along with
> https://bugzilla.suse.com/show_bug.cgi?id=1203681#c2 , this bug can be
> solved after update protobuf to 3.19.5(3.20 and above no longer to support
> python < 3.7).
> 
> Meanwhile I find that protobuf-java is not part of SLE product actually,
> protobuf-java is a subpackage of protobuf but SLE doesn't release it to any
> product, SLE customer should not have protobuf-java available from the
> product repos, @Thomas can you confirm that or I'm miss looking?

From what I see on smelt [0], protobuf-java is still shipped and supported in SUMA channels in the SUSE:SLE-15-SP2:Update codestream.
So SUSE:SLE-15:Update is actually not affected, thanks for noticing it.

[0] https://smelt.suse.de/maintained/?q=protobuf
Comment 10 Thomas Leroy 2022-09-29 13:17:46 UTC
ECO created: https://jira.suse.com/browse/PED-2076
Comment 11 Max Lin 2022-10-04 06:27:50 UTC
(In reply to Thomas Leroy from comment #10)
> ECO created: https://jira.suse.com/browse/PED-2076

Thanks. While waiting for the approval of the ECO, which might take some time for the evaluation since the soname has changed, I've created MR#281573 for the backporting, so we can close this CVE for now.
Comment 13 Max Lin 2022-10-12 08:06:46 UTC
MR#281573 has been accepted, reassigning back to the security team for verification.
Comment 17 Swamp Workflow Management 2022-11-09 11:23:36 UTC
SUSE-SU-2022:3922-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194530,1203681,1204256
CVE References: CVE-2021-22569,CVE-2022-1941,CVE-2022-3171
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    protobuf-3.9.2-150200.4.19.2
openSUSE Leap 15.4 (src):    protobuf-3.9.2-150200.4.19.2
openSUSE Leap 15.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Retail Branch Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Proxy 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Installer 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Enterprise Storage 7 (src):    protobuf-3.9.2-150200.4.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.