CVE-2021-22570
Null Pointer Dereference vulnerability in Google.Protobuf (NuGet)
What is CVE-2021-22570 About?
This is a null pointer dereference vulnerability that occurs when a null character is present in a 'proto symbol'. The symbol is parsed incorrectly, and while generating an error message the code makes an unchecked call to retrieve the name of the associated proto file, which is in fact a null pointer. The impact is likely a denial of service, as the application would crash. Exploitation is moderately complex, requiring specific malformed input to trigger the dereference.
Affected Software
- Google.Protobuf: <3.15.0
- google/protobuf: <3.15.0
- com.google.protobuf:protobuf-java: <3.15.0
- github.com/protocolbuffers/protobuf: <0.0.0-20210218195015-ae50d9b99025; >0.0.0, <3.15.0
- protobuf: <3.15.0
Technical Details
A null pointer dereference occurs when a 'proto symbol' contains a null character. This malformed symbol causes the parsing mechanism to incorrectly interpret it. Consequently, when the system attempts to generate an error message related to this symbol, it makes an unchecked call to access the name of the associated 'proto file'. However, due to the incorrect parsing, the 'proto file' is treated as a null pointer, leading to a dereference and likely an application crash or denial-of-service.
What is the Impact of CVE-2021-22570?
Successful exploitation may allow attackers to cause a denial-of-service condition by crashing the application, disrupting availability for legitimate users.
What is the Exploitability of CVE-2021-22570?
Exploitation requires providing a crafted input containing a null character within a 'proto symbol'. The complexity lies in understanding where and how this 'proto symbol' is parsed and how to inject the null character without the input being sanitized. Authentication requirements depend on whether unauthenticated input can reach the vulnerable parsing logic. Privilege requirements are likely minimal if the input can be provided by a standard user. It can be a remote or local vulnerability depending on the accessibility of the parsing function. The primary constraint is the attacker's ability to control the format and content of the 'proto symbol' input to trigger the specific parsing error that leads to the null pointer dereference.
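As an added defensive example (not code from the advisory or the protobuf project): a small Python screen that rejects proto symbol names containing an embedded NUL character before they reach descriptor parsing, plus a fail-closed check of the installed protobuf version against the 3.15.0 fix. The identifier grammar used here (dot-separated names matching [A-Za-z_][A-Za-z0-9_]*, optional leading dot) and all function names are assumptions of this example.

```python
import re
from typing import Iterable, List, Tuple

# Added example, not part of the advisory or the protobuf code base.
# Assumed protobuf full-name grammar: dot-separated identifiers, each
# [A-Za-z_][A-Za-z0-9_]*, with an optional leading dot (".pkg.Msg").
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_RELEASE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
FIXED_VERSION = "3.15.0"  # first fixed release per the advisory


def is_valid_proto_symbol(symbol: str) -> bool:
    """True iff symbol is a well-formed full name with no embedded NUL."""
    # An embedded "\x00" is the malformed input the advisory describes; the
    # identifier check also rejects other stray bytes that confuse parsing.
    if not symbol or "\x00" in symbol:
        return False
    body = symbol[1:] if symbol.startswith(".") else symbol
    return all(_IDENT.fullmatch(part) for part in body.split("."))


def screen_symbols(symbols: Iterable[str]) -> List[str]:
    """Return the symbols that must be rejected before descriptor lookup."""
    return [s for s in symbols if not is_valid_proto_symbol(s)]


def protobuf_version_is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Compare a plain X.Y.Z protobuf version against the fixed release.

    Anything that is not a plain release string (pre-releases, garbage) is
    treated as unfixed so that callers fail closed.
    """
    def parse(v: str) -> Tuple[int, ...]:
        m = _RELEASE.fullmatch(v)
        if not m:
            raise ValueError(f"unrecognised version: {v!r}")
        return tuple(int(x) for x in m.groups())
    try:
        return parse(version) >= parse(fixed)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample symbols, as they might arrive in an untrusted
    # descriptor set or reflection request.
    sample = ["pkg.Msg", ".pkg.Msg.field", "pkg.M\x00sg", "pkg..Msg", "9pkg"]
    print("rejected:", screen_symbols(sample))
    print("3.14.0 fixed?", protobuf_version_is_fixed("3.14.0"))
```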
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-22570?
Available Upgrade Options
- protobuf: <3.15.0 → Upgrade to 3.15.0
- google/protobuf: <3.15.0 → Upgrade to 3.15.0
- Google.Protobuf: <3.15.0 → Upgrade to 3.15.0
- github.com/protocolbuffers/protobuf: <0.0.0-20210218195015-ae50d9b99025 → Upgrade to 0.0.0-20210218195015-ae50d9b99025
- github.com/protocolbuffers/protobuf: >0.0.0, <3.15.0 → Upgrade to 3.15.0
- com.google.protobuf:protobuf-java: <3.15.0 → Upgrade to 3.15.0
Additional Resources
- https://github.com/protocolbuffers/protobuf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE
- https://github.com/advisories/GHSA-77rm-9x9h-xj3g
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X/
- https://github.com/pypa/advisory-database/tree/main/vulns/protobuf/PYSEC-2022-48.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2021-22570
What are Similar Vulnerabilities to CVE-2021-22570?
Similar Vulnerabilities: CVE-2022-26377, CVE-2021-36222, CVE-2020-14364, CVE-2020-10735, CVE-2019-14835
