CGA-24m5-8f5h-34wq
parsing issue vulnerability in protobuf-java (Maven)

Category: parsing issue | Known exploits: none

What is CGA-24m5-8f5h-34wq About?

This parsing issue in protobuf-java core and lite (versions prior to 3.21.7, 3.20.3, 3.19.6, and 3.16.3) allows for a denial of service attack. Inputs with multiple instances of non-repeated embedded messages containing repeated or unknown fields can trigger long garbage collection pauses. This can lead to service disruption. Exploitation involves crafting a specific protobuf message structure.

Affected Software

  • com.google.protobuf:protobuf-java
    • >3.20.0, <3.20.3
    • >3.21.0, <3.21.7
    • >3.0.0, <3.16.3
    • >3.17.0, <3.19.6
  • com.google.protobuf:protobuf-javalite
    • >3.20.0, <3.20.3
    • >3.21.0, <3.21.7
    • >3.0.0, <3.16.3
    • >3.17.0, <3.19.6

Technical Details

The vulnerability is a parsing issue in protobuf-java similar to CVE-2022-3171, specifically related to Message-Type Extensions. When the protobuf-java library processes an input message containing multiple instances of non-repeated embedded messages that themselves contain repeated or unknown fields, it causes inefficient object handling. This triggers repeated conversions between mutable and immutable forms of objects. This excessive conversion overhead forces the Java Virtual Machine (JVM) to perform frequent and potentially long garbage collection pauses, which in turn leads to application unresponsiveness and a denial of service condition. The attack vector is the submission of a maliciously structured protobuf message.

What is the Impact of CGA-24m5-8f5h-34wq?

Successful exploitation may allow attackers to cause applications to become unresponsive, lead to significant performance degradation due to long garbage collection pauses, and result in a denial of service.

What is the Exploitability of CGA-24m5-8f5h-34wq?

Exploiting this vulnerability involves crafting a specific protobuf message structure with nested, problematic fields. The complexity is moderate, as it requires an understanding of protobuf message structure and how to trigger the inefficient object conversion. No authentication or elevated privileges are typically required if the application processes untrusted protobuf messages. This can be a remote vulnerability if the application receives protobuf messages over a network. The primary risk factor is any application using the vulnerable protobuf-java library to deserialize untrusted messages without input validation, especially those containing complex nested structures.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CGA-24m5-8f5h-34wq?

Available Upgrade Options

  • com.google.protobuf:protobuf-java
    • >3.0.0, <3.16.3 → Upgrade to 3.16.3
    • >3.17.0, <3.19.6 → Upgrade to 3.19.6
    • >3.20.0, <3.20.3 → Upgrade to 3.20.3
    • >3.21.0, <3.21.7 → Upgrade to 3.21.7
  • com.google.protobuf:protobuf-javalite
    • >3.0.0, <3.16.3 → Upgrade to 3.16.3
    • >3.17.0, <3.19.6 → Upgrade to 3.19.6
    • >3.20.0, <3.20.3 → Upgrade to 3.20.3
    • >3.21.0, <3.21.7 → Upgrade to 3.21.7
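As an added check that is not part of this advisory or of the protobuf project: a small Python script that scans the output of `mvn dependency:tree` (or `mvn dependency:list`) for protobuf-java and protobuf-javalite versions inside the affected ranges listed above and names the upgrade target. The ranges are copied from this page with the exclusive bounds as written; the sample tree is constructed, and the Maven line layout assumed is `groupId:artifactId:type[:classifier]:version:scope`.

```python
import re
import sys

# Affected ranges exactly as listed in this advisory (both bounds exclusive, as written).
RANGES = [("3.0.0", "3.16.3"), ("3.17.0", "3.19.6"), ("3.20.0", "3.20.3"), ("3.21.0", "3.21.7")]
AFFECTED = {
    "com.google.protobuf:protobuf-java": RANGES,
    "com.google.protobuf:protobuf-javalite": RANGES,
}

# Dependency line as printed by `mvn dependency:tree` / `dependency:list` (assumed layout):
#   groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:(?:[\w\-]+:)?(?P<version>[\w.\-]+):\w+"
)

def parse_version(v):
    """Numeric tuple for a dotted version; a qualifier such as '-rc-1' is ignored (simplification)."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))

def affected_range(coordinate, version):
    """Return the (lower, upper) range that `version` of `coordinate` falls into, or None."""
    for lower, upper in AFFECTED.get(coordinate, []):
        if parse_version(lower) < parse_version(version) < parse_version(upper):
            return (lower, upper)
    return None

def scan_maven_output(text):
    """Return [(coordinate, version, fixed_version)] for every affected protobuf dependency line."""
    findings = []
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if m is None:
            continue
        coordinate = f"{m['group']}:{m['artifact']}"
        rng = affected_range(coordinate, m["version"])
        if rng is not None:
            findings.append((coordinate, m["version"], rng[1]))  # rng[1] is the fixed version
    return findings

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.google.protobuf:protobuf-java:jar:3.19.4:compile
[INFO] +- com.google.protobuf:protobuf-javalite:jar:3.21.7:compile
[INFO] \\- io.grpc:grpc-protobuf:jar:1.49.0:compile
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for coordinate, version, fixed in scan_maven_output(text):
        print(f"{coordinate}:{version} is affected; upgrade to {fixed}")
```

Pipe real output in with `mvn dependency:tree | python scan.py`; transitive copies pulled in by gRPC or other libraries show up the same way as direct ones.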


Additional Resources

What are Similar Vulnerabilities to CGA-24m5-8f5h-34wq?

Similar Vulnerabilities: CVE-2022-3509, CVE-2022-3171, CVE-2020-29582, CVE-2020-29581, CVE-2018-1000876