Bug 2137645 (CVE-2022-3171)

Summary: CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anstephe, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, emingora, etirelli, gjospin, gmorling, gsmet, hamadhan, ibek, janstey, jochrist, jpavlik, jpechane, jrokos, jwon, kverlaen, lthon, mnovotny, pantinor, peholase, pgallagh, pjindal, probinso, rguimara, rrajasek, rruss, rsvoboda, sbiarozk, sdouglas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: protobuf-java 3.21.7, protobuf-java 3.20.3, protobuf-java 3.19.6, protobuf-java 3.16.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-04 08:33:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2134735    

Description Chess Hazlett 2022-10-25 17:58:25 UTC 
A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Comment 7 errata-xmlrpc 2022-11-09 13:48:43 UTC 
This issue has been addressed in the following products:

  RHINT Debezium 1.9.7

Via RHSA-2022:7896 https://access.redhat.com/errata/RHSA-2022:7896
Comment 9 Product Security DevOps Team 2022-12-04 08:33:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3171
Comment 11 errata-xmlrpc 2022-12-14 13:15:26 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.5

Via RHSA-2022:9023 https://access.redhat.com/errata/RHSA-2022:9023
Comment 13 errata-xmlrpc 2023-03-08 14:55:10 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.7

Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006
Comment 15 errata-xmlrpc 2023-09-05 18:37:09 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.4 async

Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983