fkie_cve-2021-22569
Vulnerability from fkie_nvd
Published
2022-01-10 14:10
Modified
2024-11-21 05:50
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
References
cve-coordination@google.comhttp://www.openwall.com/lists/oss-security/2022/01/12/4Mailing List, Third Party Advisory
cve-coordination@google.comhttp://www.openwall.com/lists/oss-security/2022/01/12/7Mailing List, Third Party Advisory
cve-coordination@google.comhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330Exploit, Issue Tracking, Mailing List, Vendor Advisory
cve-coordination@google.comhttps://cloud.google.com/support/bulletins#gcp-2022-001Vendor Advisory
cve-coordination@google.comhttps://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
cve-coordination@google.comhttps://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2022/01/12/4Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2022/01/12/7Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330Exploit, Issue Tracking, Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://cloud.google.com/support/bulletins#gcp-2022-001Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
Impacted products
Vendor Product Version
google google-protobuf *
google protobuf-java *
google protobuf-java *
google protobuf-java *
google protobuf-kotlin *
google protobuf-kotlin *
oracle communications_cloud_native_core_console 1.9.0
oracle communications_cloud_native_core_network_repository_function 1.15.0
oracle communications_cloud_native_core_network_repository_function 1.15.1
oracle communications_cloud_native_core_policy 1.15.0
oracle spatial_and_graph_mapviewer 19c
oracle spatial_and_graph_mapviewer 21c


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "01422CF6-13DE-42DF-A6FF-67E70D40DE6E",
              "versionEndExcluding": "3.19.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9CAAA7EA-1EE1-433E-939A-B25BDE08FF22",
              "versionEndExcluding": "3.16.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FBBE87EA-F13D-4A0A-AF42-A361AB4F6611",
              "versionEndExcluding": "3.18.2",
              "versionStartIncluding": "3.18.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5707A6F9-0CEC-4CAA-B860-EBFA2D525B64",
              "versionEndExcluding": "3.19.2",
              "versionStartIncluding": "3.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A252BD12-1555-4E89-B671-D459D3F149E0",
              "versionEndExcluding": "3.18.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "329F610C-F8CB-4009-B3A2-D0CB7FDDCB28",
              "versionEndExcluding": "3.19.2",
              "versionStartIncluding": "3.19.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAAB7154-4DE8-4806-86D0-C1D33B84417B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F60E32F-0CA0-4C2D-9848-CB92765A9ACB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF616620-88CE-4A77-B904-C1728A2E6F9B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:spatial_and_graph_mapviewer:19c:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5291552-F823-48E6-B9D8-E94740C4CEFE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:spatial_and_graph_mapviewer:21c:*:*:*:*:*:*:*",
              "matchCriteriaId": "051613BE-6E8E-4865-8DA5-24352E9B9AD0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions."
    },
    {
      "lang": "es",
      "value": "Un problema en protobuf-java permit\u00eda intercalar campos com.google.protobuf.UnknownFieldSet de tal manera que eran procesados fuera de orden. Una peque\u00f1a carga \u00fatil maliciosa puede ocupar el analizador durante varios minutos al crear un gran n\u00famero de objetos de corta duraci\u00f3n que causan frecuentes y repetidas pausas. Recomendamos actualizar las bibliotecas m\u00e1s all\u00e1 de las versiones vulnerables"
    }
  ],
  "id": "CVE-2021-22569",
  "lastModified": "2024-11-21T05:50:20.647",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "cve-coordination@google.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-10T14:10:16.747",
  "references": [
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
    },
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
    },
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
    },
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
    },
    {
      "source": "cve-coordination@google.com",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
    },
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    }
  ],
  "sourceIdentifier": "cve-coordination@google.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-696"
        }
      ],
      "source": "cve-coordination@google.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.