CVE-2021-22569
Denial of Service (DoS) vulnerability in protobuf-java (Maven)
What is CVE-2021-22569 About?
This is a Denial of Service vulnerability in protobuf-java's parsing procedure for binary data. It allows a small malicious payload to cause excessive CPU consumption and frequent garbage collection, leading to a denial of service. Exploitation is relatively easy, as it only requires sending a specially crafted, small payload.
Affected Software
- com.google.protobuf:protobuf-java
  - >3.18.0, <3.18.2
  - >3.19.0, <3.19.2
  - <3.16.1
- google-protobuf
  - <3.19.2
- com.google.protobuf:protobuf-kotlin
  - >3.18.0, <3.18.2
  - >3.19.0, <3.19.2
Technical Details
The protobuf-java library is susceptible to a Denial of Service (DoS) vulnerability due to an inefficient parsing mechanism for unknown fields in binary data. A specially crafted, small (~800 KB) malicious protobuf payload can trigger repetitive creation of a large number of short-lived objects during parsing of unknown fields. This object churn causes the Java garbage collector (GC) to run frequently and for extended durations, leading to repeated GC pauses that monopolize CPU resources. The continuous allocation and deallocation cycle effectively starves the application of processing power, making it unresponsive and thus resulting in a denial of service. The attack vector is the protobuf binary data itself, specifically how the library handles unknown or malformed field structures.
What is the Impact of CVE-2021-22569?
Successful exploitation may allow attackers to significantly degrade the performance or completely halt the affected service, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2021-22569?
Exploitation of this vulnerability is relatively easy, requiring only the ability to send a specially crafted protobuf binary payload to an application using vulnerable versions of protobuf-java. No authentication is typically required if the application accepts external protobuf data. No special privileges are needed. The attack is remote, as the payload can be delivered over a network. The primary condition is that the application must parse protobuf binary data from an untrusted source. Risk factors that increase exploitation likelihood include publicly accessible protobuf endpoints that process external input without adequate rate limiting or payload validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Mario-Kart-Felix | Link | A potential Denial of Service issue in protobuf-java (GitHub Reviewed advisory, high severity, in protocolbuffers/protobuf) |
What are the Available Fixes for CVE-2021-22569?
Available Upgrade Options
- com.google.protobuf:protobuf-java
  - <3.16.1 → Upgrade to 3.16.1
  - >3.18.0, <3.18.2 → Upgrade to 3.18.2
  - >3.19.0, <3.19.2 → Upgrade to 3.19.2
- com.google.protobuf:protobuf-kotlin
  - >3.18.0, <3.18.2 → Upgrade to 3.18.2
  - >3.19.0, <3.19.2 → Upgrade to 3.19.2
- google-protobuf
  - <3.19.2 → Upgrade to 3.19.2
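To make the upgrade table above actionable, here is an added Python check (not from this advisory or the protobuf project) that encodes the Maven ranges listed and flags affected coordinates in the lines `mvn dependency:list` prints. It treats the lower bounds as inclusive, so 3.18.0 and 3.19.0 themselves count as affected (the conservative reading, and the way the upstream GitHub advisory states the ranges). The dependency output it scans is constructed for the example, and the `google-protobuf` package, which is not a Maven artifact, is left out.

```python
"""Inventory check for CVE-2021-22569 against `mvn dependency:list` output.

Added example, not part of the advisory: encodes the affected and fixed
version ranges for the Maven coordinates above and reports which resolved
dependencies need an upgrade.
"""
import re
from typing import List, Optional, Tuple

# (coordinate, lower bound inclusive or None, upper bound exclusive, fixed version)
# Lower bounds are treated as inclusive: the conservative reading, matching the
# upstream advisory, which lists 3.18.0 and 3.19.0 as affected.
AFFECTED_RANGES = [
    ("com.google.protobuf:protobuf-java", None, "3.16.1", "3.16.1"),
    ("com.google.protobuf:protobuf-java", "3.18.0", "3.18.2", "3.18.2"),
    ("com.google.protobuf:protobuf-java", "3.19.0", "3.19.2", "3.19.2"),
    ("com.google.protobuf:protobuf-kotlin", "3.18.0", "3.18.2", "3.18.2"),
    ("com.google.protobuf:protobuf-kotlin", "3.19.0", "3.19.2", "3.19.2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.19.1' (or '3.19.1-SNAPSHOT') into a comparable tuple of ints.

    Only the numeric dotted core before any '-' qualifier is compared.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def fixed_version_for(coordinate: str, version: str) -> Optional[str]:
    """Return the version to upgrade to if (coordinate, version) is affected, else None."""
    for coord, low, high, fixed in AFFECTED_RANGES:
        if coord != coordinate:
            continue
        ver = parse_version(version)
        if low is not None and ver < parse_version(low):
            continue
        if ver >= parse_version(high):
            continue
        return fixed
    return None


# Matches the resolved-dependency lines mvn dependency:list prints, e.g.
#   [INFO]    com.google.protobuf:protobuf-java:jar:3.19.1:compile
DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?\s*$")


def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, fixed_version) for every affected dependency line."""
    findings = []
    for line in text.splitlines():
        match = DEP_LINE.search(line)
        if not match:
            continue
        coordinate = f"{match.group(1)}:{match.group(2)}"
        version = match.group(3)
        fixed = fixed_version_for(coordinate, version)
        if fixed is not None:
            findings.append((coordinate, version, fixed))
    return findings


# Constructed sample of mvn dependency:list output (not taken from a real build).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.google.protobuf:protobuf-java:jar:3.19.1:compile
[INFO]    com.google.protobuf:protobuf-kotlin:jar:3.18.2:compile
[INFO]    com.google.protobuf:protobuf-java-util:jar:3.19.1:compile
[INFO]    com.google.protobuf:protobuf-java:jar:3.11.4:test
[INFO]    com.google.guava:guava:jar:31.0.1-jre:compile
"""

if __name__ == "__main__":
    for coord, ver, fixed in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"{coord}:{ver} is affected by CVE-2021-22569; upgrade to {fixed}")
```

Pipe real output into `scan_dependency_list` (for example `mvn dependency:list | python check.py` with a small `sys.stdin.read()` wrapper) to cover transitive dependencies as well, since a vulnerable protobuf-java is often pulled in indirectly rather than declared in the project's own pom.xml.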
Additional Resources
- https://github.com/protocolbuffers/protobuf
- https://cloud.google.com/support/bulletins#gcp-2022-001
- http://www.openwall.com/lists/oss-security/2022/01/12/7
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-22569
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
- https://osv.dev/vulnerability/GHSA-wrvw-hg22-4m67
What are Similar Vulnerabilities to CVE-2021-22569?
Similar Vulnerabilities: CVE-2018-1000001, CVE-2020-8913, CVE-2022-21724, CVE-2021-39181, CVE-2022-37865
