Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2021-22569: protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields #542

Closed
marsishandsome opened this issue Feb 28, 2022 · 0 comments · Fixed by #539
Closed

CVE-2021-22569: protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields #542

marsishandsome opened this issue Feb 28, 2022 · 0 comments · Fixed by #539
Labels
type/bug Something isn't working

Comments

@marsishandsome
Copy link
Collaborator

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

https://nvd.nist.gov/vuln/detail/CVE-2021-22569

Fix: upgrade protobuf-java from 3.12.0 to 3.16.1
@marsishandsome marsishandsome added the type/bug Something isn't working label Feb 28, 2022
@marsishandsome marsishandsome mentioned this issue Feb 28, 2022
Merged
zz-jason pushed a commit that referenced this issue Feb 28, 2022
@marsishandsome
[close #542] update protobuf version to 3.16.1 (#539)
36feccb
This was referenced Feb 28, 2022
Merged
Merged
shiyuhang0 pushed a commit to shiyuhang0/client-java that referenced this issue Mar 1, 2022
@marsishandsome @shiyuhang0
[close tikv#542] update protobuf version to 3.16.1 (tikv#539)
f53c873 
Signed-off-by: shiyuhang <1136742008@qq.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[close #542] update protobuf version to 3.16.1 marsishandsome/client-java
1 participant
@marsishandsome