CVE-2022-1941
Denial of Service vulnerability in protobuf (PyPI)
What is CVE-2022-1941 About?
This vulnerability is a message parsing and memory management flaw in Protocol Buffers' C++ and Python implementations. It can lead to an out-of-memory (OOM) failure and denial of service (DoS) when a specially crafted message is processed. Exploitation is relatively easy for an attacker who can supply input to the parser.
Affected Software
- protobuf
  - >4.0.0, <4.21.6
  - >3.20.0, <3.20.2
  - >3.19.0, <3.19.5
  - <3.18.3
Technical Details
The flaw lies in message parsing and memory management in Protocol Buffers' C++ and Python implementations. An attacker can construct a specially crafted Protocol Buffers message that, when parsed by a service using an affected library, causes excessive memory allocation and an Out-Of-Memory (OOM) error: a malicious payload of roughly 500 KB can force the service to allocate more than 3 GB of RAM. The attack vector is simply sending this malformed message to a service that uses Protocol Buffers for deserialization, exhausting its memory and causing a denial of service.
What is the Impact of CVE-2022-1941?
Successful exploitation may allow attackers to cause a denial of service (DoS) by triggering an out-of-memory condition in affected services, rendering them unresponsive or crashing them.
What is the Exploitability of CVE-2022-1941?
Exploitation involves crafting a malicious Protocol Buffers message and sending it to a service that processes it. Complexity is low if the attacker can deliver the payload. Authentication requirements depend on the service's input channels: if unauthenticated input is deserialized with Protocol Buffers, no authentication is needed. This is a remote vulnerability (AV:A or AV:N depending on network access, as per the CVSS scores), requiring no privileges on the target system beyond the ability to send messages. Risk increases if services expose Protocol Buffers-based APIs to untrusted networks or users. The 'Proof of Concept' section mentions a unit test identifying specific inputs, suggesting that crafting such a payload is feasible.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-1941?
Available Upgrade Options
- protobuf
  - <3.18.3 → Upgrade to 3.18.3
  - >3.19.0, <3.19.5 → Upgrade to 3.19.5
  - >3.20.0, <3.20.2 → Upgrade to 3.20.2
  - >4.0.0, <4.21.6 → Upgrade to 4.21.6
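A practical first step on the defender's side is to find out whether the protobuf distribution in a given Python environment falls into one of the affected ranges listed above and, if so, which release to upgrade to. The script below is an added example, not code from the advisory or from the protobuf project. The function names `parse_version`, `fix_for` and `installed_protobuf_version` are this example's own; `AFFECTED_RANGES` copies the version bounds and fixed releases exactly as the advisory states them (lower bounds exclusive, upper bounds exclusive), and `importlib.metadata` is the standard-library way to read an installed distribution's version.

```python
"""Check a protobuf version string against the CVE-2022-1941 affected ranges.

Added example; the ranges below are copied from the advisory text,
the helper names are this example's own.
"""
import re
from importlib import metadata
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound, exclusive, or None; upper bound, exclusive; fixed release)
# Values taken verbatim from the advisory's "Affected Software" and
# "Available Upgrade Options" lists.
AFFECTED_RANGES: List[Tuple[Optional[str], str, str]] = [
    ("4.0.0", "4.21.6", "4.21.6"),
    ("3.20.0", "3.20.2", "3.20.2"),
    ("3.19.0", "3.19.5", "3.19.5"),
    (None, "3.18.3", "3.18.3"),
]


def parse_version(text: str) -> Version:
    """Turn '3.20.1' (or '3.20.1rc1') into a comparable tuple of ints.

    Only the leading digits of each dotted component are used, so a
    pre-release suffix is ignored; missing components are padded with 0.
    """
    parts: List[int] = []
    for component in text.strip().split("."):
        match = re.match(r"\d+", component)
        if match is None:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def fix_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or v > parse_version(lower)
        below_upper = v < parse_version(upper)
        if above_lower and below_upper:
            return fixed
    return None


def installed_protobuf_version() -> Optional[str]:
    """Version of the protobuf distribution in this environment, or None."""
    try:
        return metadata.version("protobuf")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    installed = installed_protobuf_version()
    if installed is None:
        print("protobuf is not installed in this environment")
    else:
        fixed = fix_for(installed)
        if fixed:
            print(f"protobuf {installed} is affected by CVE-2022-1941; upgrade to {fixed}")
        else:
            print(f"protobuf {installed} is outside the advisory's affected ranges")
```

Run it inside each virtual environment or container image that deserializes untrusted Protocol Buffers input; the check is deliberately limited to the ranges the advisory lists, so a version that sits between two listed ranges is reported as not affected exactly as the advisory would classify it.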
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
- https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
- https://cloud.google.com/support/bulletins#GCP-2022-019
- http://www.openwall.com/lists/oss-security/2022/09/27/1
- https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3
What are Similar Vulnerabilities to CVE-2022-1941?
Similar Vulnerabilities: CVE-2021-27921, CVE-2021-3129, CVE-2020-8913, CVE-2022-2639, CVE-2020-5398
