QID 355269
Date Published: 2023-05-29
QID 355269: Amazon Linux Security Advisory for protobuf : ALAS2023-2023-049
A parsing vulnerability for the messageset type in the protocolbuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures.
A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a denial of service against services receiving unsanitized input.
We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python.
Versions for 3.16 and 3.17 are no longer updated. (
( CVE-2022-1941) a parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack.
Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
We recommend updating to the versions mentioned above. (
( CVE-2022-3171)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
- ALAS2023-2023-049 -
alas.aws.amazon.com/AL2023/ALAS-2023-049.html
CVEs related to QID 355269
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALAS2023-2023-049 | amazon linux 2023 |
alas.aws.amazon.com/AL2023/ALAS-2023-049.html |