Bug 1194530 - (CVE-2021-22569) VUL-0: CVE-2021-22569: protobuf: potential Denial of Service in protobuf-java in the parsing procedure for binary data
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Minor
Target Milestone: ---
Assigned To: Max Lin
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/319908/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-22569:5.3:(AV:...
Depends on:
Blocks:
Reported: 2022-01-11 11:03 UTC by Thomas Leroy
Modified: 2022-02-21 09:01 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
mlin: needinfo? (thomas.leroy)


Description Thomas Leroy 2022-01-11 11:03:23 UTC
CVE-2021-22569

An issue in protobuf-java allowed the interleaving of
com.google.protobuf.UnknownFieldSet fields in such a way that would be processed
out of order. A small malicious payload can occupy the parser for several
minutes by creating large numbers of short-lived objects that cause frequent,
repeated pauses. We recommend upgrading libraries beyond the vulnerable
versions.

Probable upstream commit:
https://github.com/protocolbuffers/protobuf/pull/9371/commits/5ea2bdf6d7483d64a6b02fcf00ee51fbfb80e847

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22569
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569
https://cloud.google.com/support/bulletins#gcp-2022-001
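The description above says the slow path is reached by interleaving UnknownFieldSet fields so that they are processed out of order. The following is an added example, not code from this bug, from SUSE or from protobuf upstream: it encodes a payload of that shape (two field numbers alternating, both unknown to the receiver) in protobuf wire format, and scans the top level of a message for field numbers that go backwards, which a service could run as a cheap prefilter in front of an unpatched protobuf-java. The sample payload is constructed here, the descent budget in `looks_like_interleaving_abuse` is an assumption rather than an upstream value, and the scan does not model why the out-of-order path is slow or verify that the sample triggers it on a given version.

```python
"""Pre-parse scan for interleaved top-level fields in a protobuf payload.

Added example; not code from this bug, from SUSE, or from protobuf upstream.
The field-descent threshold is an assumption, not an upstream value.
"""


def encode_varint(value: int) -> bytes:
    """Base-128 varint as used for protobuf tags and wire-type-0 values."""
    if value < 0:
        raise ValueError("only non-negative values are encoded here")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)  # continuation bit: more bytes follow
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (value, offset after the varint); reject truncation and >10 bytes."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def encode_field(field_number: int, wire_type: int, encoded_value: bytes) -> bytes:
    """Tag (field_number << 3 | wire_type) followed by an already-encoded value."""
    return encode_varint((field_number << 3) | wire_type) + encoded_value


def build_interleaved_payload(n_pairs: int) -> bytes:
    """Constructed sample: fields 1 and 2 alternating, each a varint 0.

    If neither field is declared in the receiver's schema, both land in the
    unknown field set, and the field number drops from 2 to 1 on every pair.
    """
    pair = encode_field(1, 0, encode_varint(0)) + encode_field(2, 0, encode_varint(0))
    return pair * n_pairs


def _field_end(buf: bytes, pos: int, end: int, wire_type: int, number: int, depth: int = 0) -> int:
    """Offset just past the value of one field whose tag has already been read."""
    if depth > 64:
        raise ValueError("group nesting too deep")
    if wire_type == 0:  # varint
        return decode_varint(buf, pos)[1]
    if wire_type == 1:  # fixed64
        return pos + 8
    if wire_type == 5:  # fixed32
        return pos + 4
    if wire_type == 2:  # length-delimited
        length, pos = decode_varint(buf, pos)
        return pos + length
    if wire_type == 3:  # start-group: skip nested fields up to the matching end-group tag
        while True:
            if pos >= end:
                raise ValueError("unterminated group")
            tag, pos = decode_varint(buf, pos)
            if tag & 7 == 4:
                if tag >> 3 != number:
                    raise ValueError("mismatched end-group tag")
                return pos
            pos = _field_end(buf, pos, end, tag & 7, tag >> 3, depth + 1)
    raise ValueError(f"invalid wire type {wire_type}")  # stray end-group, 6, 7


def parse_fields(buf: bytes) -> list[tuple[int, int, bytes]]:
    """Top-level (field_number, wire_type, raw value) triples.

    For length-delimited fields the raw value keeps its length prefix.
    """
    fields, pos, end = [], 0, len(buf)
    while pos < end:
        tag, pos = decode_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if number == 0:
            raise ValueError("field number 0 is illegal")
        value_end = _field_end(buf, pos, end, wire_type, number)
        if value_end > end:
            raise ValueError("truncated field value")
        fields.append((number, wire_type, buf[pos:value_end]))
        pos = value_end
    return fields


def count_field_descents(buf: bytes) -> int:
    """How many times a top-level field number is lower than the one before it."""
    descents, previous = 0, 0
    for number, _, _ in parse_fields(buf):
        if number < previous:
            descents += 1
        previous = number
    return descents


def looks_like_interleaving_abuse(buf: bytes, max_descents: int = 64) -> bool:
    """Heuristic prefilter; max_descents is an assumed budget, not an upstream value."""
    return count_field_descents(buf) > max_descents


if __name__ == "__main__":
    sample = build_interleaved_payload(100)
    print(len(sample), "bytes,", count_field_descents(sample), "field-number descents")
```

The scan is a stopgap, not a fix: the wire format allows repeated fields to be split and interleaved in any order, so a large descent count is only a signal, and the threshold must be tuned against the traffic a service actually sees. Fields nested inside length-delimited submessages are not inspected, since the parser only sees their raw bytes at this level. Upgrading protobuf-java remains the actual remedy.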
Comment 1 Thomas Leroy 2022-01-11 12:46:17 UTC
Affected codestreams:   
- SUSE:SLE-15-SP2:Update              3.9.2
- SUSE:SLE-15:Update                  3.5.0
- openSUSE:Factory                    3.17.3
- openSUSE:Leap:15.3:Update           3.9.2
- openSUSE:Leap:15.4:Update           3.9.2
Comment 2 Max Lin 2022-02-21 07:40:55 UTC
I have only one commit according to the protobuf changelog; I didn't notice I'm the internal protobuf maintainer... I can submit the latest version, which should fix this issue. Is that ok for you?
Comment 3 Gianluca Gabrielli 2022-02-21 08:55:07 UTC
The fix is contained in versions >= 3.16.1, >= 3.18.2, >= 3.19.2.

We are ok with bumping the version in openSUSE:Factory, but we need to backport the patch on the other codestreams.
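Comment 3 lists the fix on three separate release branches (3.16.1, 3.18.2, 3.19.2), so a flat "version >= 3.16.1" comparison would wrongly clear 3.17.3, the openSUSE:Factory version from comment 1, and 3.18.0. The following is an added example, not code from this bug, from SUSE or from protobuf upstream: a branch-aware check that takes the fixed versions from comment 3 and the codestream table from comment 1 as data. Release branches newer than 3.19 are assumed to have been cut after the fix landed; the function names are mine.

```python
"""Branch-aware fixed-version check for CVE-2021-22569 in protobuf-java.

Added example; not code from this bug, from SUSE, or from protobuf upstream.
Assumption: any release branch newer than the newest fixed branch was cut
after the fix and therefore contains it.
"""

FIXED_VERSIONS = ("3.16.1", "3.18.2", "3.19.2")  # from comment 3

# codestream -> protobuf version, copied from comment 1
AFFECTED_CODESTREAMS = {
    "SUSE:SLE-15-SP2:Update": "3.9.2",
    "SUSE:SLE-15:Update": "3.5.0",
    "openSUSE:Factory": "3.17.3",
    "openSUSE:Leap:15.3:Update": "3.9.2",
    "openSUSE:Leap:15.4:Update": "3.9.2",
}


def parse_version(version: str) -> tuple[int, int, int]:
    """'3.18.2' -> (3, 18, 2); qualifiers and two-part versions are rejected."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def _fixed_by_branch(fixed_versions) -> dict[tuple[int, int], int]:
    """{(major, minor): first fixed patch level} for each branch that got the fix."""
    return {(ma, mi): pa for ma, mi, pa in map(parse_version, fixed_versions)}


def is_fixed(version: str, fixed_versions=FIXED_VERSIONS) -> bool:
    """True if `version` contains the fix, comparing within its own branch."""
    major, minor, patch = parse_version(version)
    by_branch = _fixed_by_branch(fixed_versions)
    branch = (major, minor)
    if branch in by_branch:
        return patch >= by_branch[branch]  # same branch: compare patch level
    # Assumption: branches newer than the newest fixed one were cut after the fix.
    # Older branches, and gaps such as 3.17, never received it.
    return branch > max(by_branch)


def nearest_fixed_version(version: str, fixed_versions=FIXED_VERSIONS):
    """Smallest fixed version newer than `version`, or None if already fixed."""
    if is_fixed(version, fixed_versions):
        return None
    current = parse_version(version)
    candidates = sorted((parse_version(f), f) for f in fixed_versions if parse_version(f) > current)
    return candidates[0][1] if candidates else None


def vulnerable_codestreams(codestreams=AFFECTED_CODESTREAMS) -> dict[str, str]:
    """{codestream: smallest fixed version above its current one} for unfixed entries."""
    return {
        name: nearest_fixed_version(ver)
        for name, ver in codestreams.items()
        if not is_fixed(ver)
    }


if __name__ == "__main__":
    for name, target in vulnerable_codestreams().items():
        print(f"{name}: {AFFECTED_CODESTREAMS[name]} -> needs >= {target}")
```

`nearest_fixed_version` ranks targets by version order only; as comment 4 notes, a bump across branches is acceptable on maintained codestreams only without breaking changes, which is why the older codestreams get a backport rather than a jump to 3.16.1.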
Comment 4 Gianluca Gabrielli 2022-02-21 09:01:35 UTC
We can accept a version bump for codestreams other than Factory only if you can ensure there are no breaking changes between the starting and the bumped version.