Bugzilla – Bug 1194530
VUL-0: CVE-2021-22569: protobuf: potential Denial of Service in protobuf-java in the parsing procedure for binary data
Last modified: 2022-11-09 11:23:36 UTC
CVE-2021-22569 An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. Probable upstream commit: https://github.com/protocolbuffers/protobuf/pull/9371/commits/5ea2bdf6d7483d64a6b02fcf00ee51fbfb80e847 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22569 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569 https://cloud.google.com/support/bulletins#gcp-2022-001
Affected codestreams: - SUSE:SLE-15-SP2:Update 3.9.2 - SUSE:SLE-15:Update 3.5.0 - openSUSE:Factory 3.17.3 - openSUSE:Leap:15.3:Update 3.9.2 - openSUSE:Leap:15.4:Update 3.9.2
I only just have one commit according to protobuf changelog, I didn't notice I'm the internal protobuf maintainer... I can submit the latest version that should fix this issue, is it ok for you?
The fix is contained in versions >= 3.16.1, >= 3.18.2 , >= 3.19.2. We are ok with bumping version in openSUSE:Factory, but we need to backport the patch on the other codestreams.
We can accept version bump for codestreams other than Factory only if you can ensure there are no breaking-changes between the start and the bumped version.
Any news on the backport Max? Don't hesitate to reach us for any help :) Backport is preferable from our side, but we could create an ECO for a version bump if backporting the fixing commit(s) is not doable
(In reply to Thomas Leroy from comment #6) > Any news on the backport Max? Don't hesitate to reach us for any help :) > Backport is preferable from our side, but we could create an ECO for a > version bump if backporting the fixing commit(s) is not doable Gianluca has been send a mail to the relevant people/group for trying to find a suitable maintainer[1] if they does use protobuf and does have a better knowledge of protobuf, seems nobody wants to take it... I'm not a Java'er, backporting the "probable commit" feels not doable for me, I can update protobuf to a recent version if that is acceptable. BTW as far as I know, protobuf is not ABI compatibility guarantee. [1] https://bugzilla.suse.com/show_bug.cgi?id=1195258#c8
If a ECO is acceptable along with https://bugzilla.suse.com/show_bug.cgi?id=1203681#c2 , this bug can be solved after update protobuf to 3.19.5(3.20 and above no longer to support python < 3.7). Meanwhile I find that protobuf-java is not part of SLE product actually, protobuf-java is a subpackage of protobuf but SLE doesn't release it to any product, SLE customer should not have protobuf-java available from the product repos, @Thomas can you confirm that or I'm miss looking?
(In reply to Max Lin from comment #8) > If a ECO is acceptable along with > https://bugzilla.suse.com/show_bug.cgi?id=1203681#c2 , this bug can be > solved after update protobuf to 3.19.5(3.20 and above no longer to support > python < 3.7). > > Meanwhile I find that protobuf-java is not part of SLE product actually, > protobuf-java is a subpackage of protobuf but SLE doesn't release it to any > product, SLE customer should not have protobuf-java available from the > product repos, @Thomas can you confirm that or I'm miss looking? From what I see on smelt [0], protobuf-java is still shipped and supported in SUMA channels in SUSE:SLE-15-SP2:Update codestream. So SUSE:SLE-15:Update is actually not affected, thanks for noticing it [0] https://smelt.suse.de/maintained/?q=protobuf
ECO created: https://jira.suse.com/browse/PED-2076
(In reply to Thomas Leroy from comment #10) > ECO created: https://jira.suse.com/browse/PED-2076 Thanks. While waiting the approvement of the ECO, that might take some time for the evaluation since the soname has changed, I've created MR#281573 for the backporting, then we can close this CVE for now.
MR#281573 has been accepted, reassign back to security team for verification.
SUSE-SU-2022:3922-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1194530,1203681,1204256 CVE References: CVE-2021-22569,CVE-2022-1941,CVE-2022-3171 JIRA References: Sources used: openSUSE Leap Micro 5.2 (src): protobuf-3.9.2-150200.4.19.2 openSUSE Leap 15.4 (src): protobuf-3.9.2-150200.4.19.2 openSUSE Leap 15.3 (src): protobuf-3.9.2-150200.4.19.2 SUSE Manager Server 4.1 (src): protobuf-3.9.2-150200.4.19.2 SUSE Manager Retail Branch Server 4.1 (src): protobuf-3.9.2-150200.4.19.2 SUSE Manager Proxy 4.1 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Server for SAP 15-SP2 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Server 15-SP2-LTSS (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Server 15-SP2-BCL (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Micro 5.3 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Micro 5.2 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Micro 5.1 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise Installer 15-SP2 (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): protobuf-3.9.2-150200.4.19.2 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): protobuf-3.9.2-150200.4.19.2 SUSE Enterprise Storage 7 (src): protobuf-3.9.2-150200.4.19.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.