An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

References:
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
https://cloud.google.com/support/bulletins#gcp-2022-001
Upstream patch: https://github.com/protocolbuffers/protobuf/pull/9371/commits/5ea2bdf6d7483d64a6b02fcf00ee51fbfb80e847
Marking openshift-hosted-aro4 and openshift-hosted-osd4 affected/delegated per openshift-4.
This issue has been addressed in the following products: RHINT Camel-Q 2.2.1 Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22569
This issue has been addressed in the following products: Red Hat build of Quarkus 2.7.5 Via RHSA-2022:4623 https://access.redhat.com/errata/RHSA-2022:4623
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
This issue has been addressed in the following products: RHPAM 7.13.0 async Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
This issue has been addressed in the following products: RHINT Service Registry 2.3.0 GA Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835
This issue has been addressed in the following products: RHINT Debezium 1.9.7 Via RHSA-2022:7896 https://access.redhat.com/errata/RHSA-2022:7896
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2022:8761 https://access.redhat.com/errata/RHSA-2022:8761