CVE-2022-3171
Denial of Service vulnerability in protobuf-java (Maven)

Class: Denial of Service. Known public exploit: none.

What is CVE-2022-3171 About?

CVE-2022-3171 is a Denial of Service (DoS) issue in the parsing code of protobuf-java core and lite, reachable through both the binary wire format and the text format. An input that contains several instances of the same non-repeated (singular) embedded message field, where those embedded messages themselves carry repeated or unknown fields, makes the runtime merge each instance into the one already parsed, converting the partially built sub-message back and forth between its mutable (Builder) and immutable forms on every merge. The resulting allocation churn can produce long garbage-collection pauses that leave the service unresponsive. A remote, unauthenticated sender only has to deliver such a message to a service that parses it; NVD scores it CVSS v3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Affected Software

The following version ranges apply to every package listed below (lower bounds with an rc-1 suffix are inclusive, as the upstream GitHub advisory states them):

  • <3.16.3
  • >=3.17.0-rc-1, <3.19.6
  • >=3.20.0-rc-1, <3.20.3
  • >=3.21.0-rc-1, <3.21.7

Packages:

  • com.google.protobuf:protobuf-java
  • com.google.protobuf:protobuf-javalite
  • com.google.protobuf:protobuf-kotlin
  • com.google.protobuf:protobuf-kotlin-lite
  • google-protobuf (its pre-release bounds are written 3.17.0.rc.1, 3.20.0.rc.1 and 3.21.0.rc.1 in that package's version scheme)

Technical Details

The parser for both the binary wire format and the text format is affected, in protobuf-java core and lite alike. The trigger is an input in which the same non-repeated (singular) embedded message field appears several times at one level, and each of those embedded messages itself carries repeated fields or fields unknown to the receiving schema. Protobuf merge semantics require the parser to fold every later occurrence into the value already parsed; in the affected versions each such merge converts the partially built sub-message from its immutable form back into a Builder, merges, and builds it again, rebuilding the accumulated repeated and unknown field storage each time. The amount of allocation therefore grows with both the number of occurrences and the size of what has already been accumulated, and the churn can stall the JVM in long or frequent garbage-collection pauses until the application stops serving legitimate requests. Nothing about the payload is malformed, so it passes wire-format validation; the upstream fix (described in the 3.21.7 release notes as refactoring the Java full runtime to reuse sub-message builders) removes the round trip rather than rejecting the input.

What is the Impact of CVE-2022-3171?

A remote sender who can get a crafted message parsed by an affected protobuf-java version can drive the JVM into excessive garbage-collection work, making the application unresponsive and disrupting service for legitimate clients. Confidentiality and integrity are not affected; the impact is availability only.

What is the Exploitability of CVE-2022-3171?

An attacker needs only to deliver a protobuf message of the shape described above to an endpoint that parses it with an affected protobuf-java version, as either the binary wire format or text format. Crafting it requires knowing, or guessing, a field number that the receiving schema declares as a singular embedded message; the repeated and unknown fields placed inside it can be arbitrary, since unknown fields are preserved by design rather than rejected. No authentication is needed where the service accepts protobuf from unauthenticated clients, and no privilege beyond the ability to submit input. The message is valid wire format: repeating a singular embedded field is something the encoding rules tell parsers to merge, so schema validation will not catch it. Exposure is greatest for public-facing services (gRPC APIs, message-queue consumers, file importers) that parse protobuf from untrusted sources; services that only parse data they produced themselves are at lower risk.
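The input shape the two sections above describe, shown at the wire-format level, together with a pre-parse check for it. This is an added example, not code from this advisory or the protobuf project; it uses no protobuf library, emits and scans the binary wire format by hand, and covers only the binary format (not the text format). The field numbers and the schema they imply (field 1 a singular embedded message, field 2 a repeated integer inside it, field 99 undeclared) and the sample sizes are assumptions made for the illustration; the Python scanner does not reproduce the Java runtime's garbage-collection behaviour.

```python
from collections import Counter

WIRETYPE_VARINT = 0
WIRETYPE_FIXED64 = 1
WIRETYPE_LENGTH_DELIMITED = 2
WIRETYPE_FIXED32 = 5


def encode_varint(value: int) -> bytes:
    """Base-128 varint, least significant 7-bit group first."""
    if value < 0:
        raise ValueError("only unsigned values are encoded here")
    out = bytearray()
    while True:
        group = value & 0x7F
        value >>= 7
        if value:
            out.append(group | 0x80)  # continuation bit set
        else:
            out.append(group)
            return bytes(out)


def encode_tag(field_number: int, wire_type: int) -> bytes:
    return encode_varint((field_number << 3) | wire_type)


def encode_varint_field(field_number: int, value: int) -> bytes:
    return encode_tag(field_number, WIRETYPE_VARINT) + encode_varint(value)


def encode_bytes_field(field_number: int, payload: bytes) -> bytes:
    """Length-delimited field; embedded messages, strings and bytes all use it."""
    return (encode_tag(field_number, WIRETYPE_LENGTH_DELIMITED)
            + encode_varint(len(payload)) + payload)


def build_submessage(repeated_len: int) -> bytes:
    """Assumed embedded message: a repeated field 2 with repeated_len entries
    plus a field 99 the assumed schema does not declare, which a parser keeps
    as an unknown field. Both are ingredients the advisory names."""
    body = b"".join(encode_varint_field(2, i) for i in range(repeated_len))
    return body + encode_varint_field(99, 1)


def build_payload(occurrences: int, repeated_len: int) -> bytes:
    """Top-level message in which the singular embedded field 1 appears
    `occurrences` times. The encoding rules tell a parser to merge each copy
    into the value already parsed, so the message is well-formed; that merge
    loop is where the affected runtime churns between Builder and message."""
    sub = build_submessage(repeated_len)
    return b"".join(encode_bytes_field(1, sub) for _ in range(occurrences))


def decode_varint(buf: bytes, pos: int):
    """Return (value, new_pos); reject truncated or over-long varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def scan_top_level_fields(buf: bytes) -> Counter:
    """Count (field_number, wire_type) pairs at the top level of a serialized
    message without building it. Deprecated group wire types are rejected."""
    counts = Counter()
    pos = 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        field_number, wire_type = tag >> 3, tag & 0x7
        if field_number == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == WIRETYPE_VARINT:
            _, pos = decode_varint(buf, pos)
        elif wire_type == WIRETYPE_FIXED64:
            pos += 8
        elif wire_type == WIRETYPE_FIXED32:
            pos += 4
        elif wire_type == WIRETYPE_LENGTH_DELIMITED:
            length, pos = decode_varint(buf, pos)
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
        counts[(field_number, wire_type)] += 1
    return counts


def repeated_singular_message_fields(buf: bytes, singular_message_fields, limit: int):
    """Pre-parse check: singular embedded-message field numbers that occur more
    than `limit` times at the top level. A conforming sender emits each at
    most once, so a small limit flags this input shape before the full parser
    and its merge loop see it. Defence in depth only; upgrading is the fix."""
    counts = scan_top_level_fields(buf)
    return sorted(f for f in singular_message_fields
                  if counts[(f, WIRETYPE_LENGTH_DELIMITED)] > limit)
```

The check works on the raw bytes before any message object exists, which is the point: by the time the runtime's own parser has merged the copies, the cost has already been paid. It only inspects the top level, so the same scan would have to be applied to each embedded message if nested singular fields are also a concern, and it cannot see text-format input at all.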

What are the Known Public Exploits?

No known public exploits: no proof of concept, author, link or commentary is recorded for this CVE.

What are the Available Fixes for CVE-2022-3171?

Available Upgrade Options

For each package, move to the first fixed release of the branch you are on (lower bounds with an rc-1 suffix are inclusive):

  • <3.16.3 → Upgrade to 3.16.3
  • >=3.17.0-rc-1, <3.19.6 → Upgrade to 3.19.6
  • >=3.20.0-rc-1, <3.20.3 → Upgrade to 3.20.3
  • >=3.21.0-rc-1, <3.21.7 → Upgrade to 3.21.7

The same mapping applies to com.google.protobuf:protobuf-java, com.google.protobuf:protobuf-javalite, com.google.protobuf:protobuf-kotlin, com.google.protobuf:protobuf-kotlin-lite and google-protobuf (which writes the pre-release bounds as 3.17.0.rc.1, 3.20.0.rc.1 and 3.21.0.rc.1).

protobuf-java is frequently pulled in transitively (for example by gRPC or other Google client libraries) rather than declared directly, so check the resolved version rather than only the pom.xml, for instance with `mvn dependency:tree -Dincludes=com.google.protobuf`, and pin or override it in dependencyManagement if a transitive dependency still selects an affected release.
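A small checker for the ranges above, added here as an example and not code from this advisory or the protobuf project. The range endpoints are the ones on this page, with the rc-1 lower bounds treated as inclusive, as the upstream GitHub advisory states them. Version strings are assumed to be in the Maven form these artifacts use, where 3.21.0-rc-1 sorts before the 3.21.0 release; the pom.xml it scans is constructed for the example, and versions given as a ${property} are reported for manual resolution rather than guessed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# (lower bound inclusive, or None; upper bound exclusive; first fixed release)
AFFECTED_RANGES = [
    (None, "3.16.3", "3.16.3"),
    ("3.17.0-rc-1", "3.19.6", "3.19.6"),
    ("3.20.0-rc-1", "3.20.3", "3.20.3"),
    ("3.21.0-rc-1", "3.21.7", "3.21.7"),
]

AFFECTED_ARTIFACTS = {
    "protobuf-java", "protobuf-javalite", "protobuf-kotlin", "protobuf-kotlin-lite",
}
GROUP_ID = "com.google.protobuf"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Sortable tuple (major, minor, patch, is_final, rc). The is_final flag
    makes a release candidate sort below the final release of the same number:
    3.21.0-rc-1 -> (3, 21, 0, 0, 1) < 3.21.0 -> (3, 21, 0, 1, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised protobuf-java version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 1 if rc is None else 0, int(rc or 0))


def fix_for(version: str) -> Optional[str]:
    """Fixed release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        if (lower is None or parse_version(lower) <= v) and v < parse_version(upper):
            return fixed
    return None


def _local(tag: str) -> str:
    """Strip the POM XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def check_pom(pom_xml: str) -> List[Tuple[str, str, Optional[str]]]:
    """Report (artifactId, declared version, fixed version) for every affected
    protobuf artifact declared in a pom.xml string. A version written as a
    ${property} cannot be judged from the text alone and is reported with a
    fixed version of None so the caller resolves it (dependencyManagement,
    `mvn dependency:tree`). Transitive dependencies are not visible here."""
    findings = []
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        artifact = fields.get("artifactId", "")
        if fields.get("groupId") != GROUP_ID or artifact not in AFFECTED_ARTIFACTS:
            continue
        version = fields.get("version", "")
        if not version or version.startswith("${"):
            findings.append((artifact, version, None))
            continue
        fixed = fix_for(version)
        if fixed is not None:
            findings.append((artifact, version, fixed))
    return findings


# Constructed sample pom.xml for the example (not a real project's file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>3.19.4</version>
    </dependency>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-kotlin</artifactId>
      <version>3.21.7</version>
    </dependency>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-javalite</artifactId>
      <version>${protobuf.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, fixed in check_pom(SAMPLE_POM):
        print(artifact, version, "->", fixed or "resolve the property first")
```

The version tuple is the part worth getting right: a naive string comparison puts "3.21.0-rc-1" after "3.21.0", which would wrongly clear the release candidates that the ranges include.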


Additional Resources

What are Similar Vulnerabilities to CVE-2022-3171?

Similar Vulnerabilities: CVE-2021-29921, CVE-2022-2056, CVE-2021-3918, CVE-2018-8778, CVE-2020-13790