Bug 2039903 (CVE-2021-22569)
| Summary: | CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, akoufoud, alazarot, anstephe, aos-bugs, asoldano, atangrin, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bibryam, bmaxwell, bmontgom, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dkreling, dosoudil, drieden, ehelms, eleandro, eparis, eric.wittmann, etirelli, ewolinet, fjuma, ggaughan, gmalinko, gmorling, gsmet, hamadhan, hbraun, ibek, ikanello, iweiss, janstey, jburrell, jcantril, jnethert, jochrist, jokerman, jolee, jpallich, jpechane, jperkins, jrokos, jschatte, jsherril, jstastny, jwon, krathod, kverlaen, kwills, lgao, lthon, lzap, mhulan, mmccune, mnovotny, msochure, msvehla, mszynkie, myarboro, nmoumoul, nstielau, nwallace, orabin, pantinor, pcreech, pdelbell, peholase, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sd-operator-metering, sdouglas, smaestri, sponnaga, tflannag, tom.jenkinson, tzimanyi, vkumar, yborgess |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | protobuf 3.16.1, protobuf 3.18.2, protobuf 3.19.2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in protobuf-java. Google Protocol Buffer (protobuf-java) allows the interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially-crafted content, a remote attacker could cause a timeout in the ProtobufFuzzer function, resulting in a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-03-22 19:31:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2041742, 2049276, 2049277, 2049278 | ||
| Bug Blocks: | 2039904 | ||
|
Description
Guilherme de Almeida Suckevicz
2022-01-12 17:17:41 UTC
Upstream patch: https://github.com/protocolbuffers/protobuf/pull/9371/commits/5ea2bdf6d7483d64a6b02fcf00ee51fbfb80e847 Marking openshift-hosted-aro4 and openshift-hosted-osd4 affected/delegated per openshift-4. This issue has been addressed in the following products: RHINT Camel-Q 2.2.1 Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22569 This issue has been addressed in the following products: Red Hat build of Quarkus 2.7.5 Via RHSA-2022:4623 https://access.redhat.com/errata/RHSA-2022:4623 This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532 This issue has been addressed in the following products: RHPAM 7.13.0 async Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903 This issue has been addressed in the following products: RHINT Service Registry 2.3.0 GA Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835 This issue has been addressed in the following products: RHINT Debezium 1.9.7 Via RHSA-2022:7896 https://access.redhat.com/errata/RHSA-2022:7896 This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2022:8761 https://access.redhat.com/errata/RHSA-2022:8761 |