CVE-2021-22569

Published on: 01/07/2022 12:00:00 AM UTC

Last Modified on: 04/18/2023 09:15:00 AM UTC

CVE-2021-22569

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Google-protobuf from Google contain the following vulnerability:

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

CVE-2021-22569 has been assigned by secu[email protected] to track the vulnerability - currently rated as MEDIUM severity.

CVSS3 Score: 5.5 - MEDIUM

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
LOCAL	LOW	NONE	REQUIRED
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	NONE	NONE	HIGH

CVSS2 Score: 4.3 - MEDIUM

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	MEDIUM	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
NONE	NONE	PARTIAL

CVE References

Description	Tags ^ⓘ	Link
Oracle Critical Patch Update Advisory - April 2022	www.oracle.com text/html	MISC www.oracle.com/security-alerts/cpuapr2022.html
oss-security - CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS	www.openwall.com text/html	MLIST [oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS
oss-security - Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS	www.openwall.com text/html	MLIST [oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS
[SECURITY] [DLA 3393-1] protobuf security update	lists.debian.org text/html	MLIST [debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update
39330 - oss-fuzz - OSS-Fuzz: Fuzzing the planet - Monorail	bugs.chromium.org text/html	MISC bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
Security Bulletins \| Customer Care \| Google Cloud	cloud.google.com text/html	MISC cloud.google.com/support/bulletins#gcp-2022-001

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

150676 Oracle WebLogic Server Multiple Vulnerabilities (APR-2023)
181741 Debian Security Update for protobuf (DLA 3393-1)
184949 Debian Security Update for protobuf (CVE-2021-22569)
199233 Ubuntu Security Notification for Protocol Buffers Vulnerabilities (USN-5945-1)
20255 Oracle Database 19c Critical Patch Update - April 2022
20257 Oracle Database 21c Critical Patch Update - April 2022
20285 Oracle Database 19c Critical OJVM Patch Update - April 2022
752777 SUSE Enterprise Linux Security Update for protobuf (SUSE-SU-2022:3922-1)
754157 SUSE Enterprise Linux Security Update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt (SUSE-SU-2023:2783-1)
87542 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2023)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Google	Google-protobuf	All	All	All	All
Application	Google	Protobuf-java	All	All	All	All
Application	Google	Protobuf-kotlin	All	All	All	All
Application	Oracle	Communications Cloud Native Core Console	1.9.0	All	All	All
Application	Oracle	Communications Cloud Native Core Network Repository Function	1.15.0	All	All	All
Application	Oracle	Communications Cloud Native Core Network Repository Function	1.15.1	All	All	All
Application	Oracle	Communications Cloud Native Core Policy	1.15.0	All	All	All
Application	Oracle	Spatial And Graph Mapviewer	19c	All	All	All
Application	Oracle	Spatial And Graph Mapviewer	21c	All	All	All

cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*:
cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*:
cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:spatial_and_graph_mapviewer:19c:*:*:*:*:*:*:*:
cpe:2.3:a:oracle:spatial_and_graph_mapviewer:21c:*:*:*:*:*:*:*:

Discovery Credit

OSS-Fuzz - https://github.com/google/oss-fuzz

Social Mentions

Source	Title	Posted (UTC)
@CVEreport	CVE-2021-22569 : An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFiel… twitter.com/i/web/status/1…	2022-01-07 09:42:39
@ostroverkhov	In the light of yesterday's protobuf-java DoS vulnerability CVE-2021-22569, It is remakrable how quickly important… twitter.com/i/web/status/1…	2022-01-07 13:00:39
@WesUncensored	New vulnerability on the NVD: CVE-2021-22569 ift.tt/3qaY8HU	2022-01-10 15:33:21
@workentin	New vulnerability on the NVD: CVE-2021-22569 ift.tt/3qaY8HU	2022-01-10 15:40:42
/r/netcve	CVE-2021-22569	2022-01-07 10:38:45