CVE-2022-3171 – Memory handling vulnerability in ProtocolBuffers Java core and lite

https://notcve.org/view.php?id=CVE-2022-3171

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Un problema de análisis de datos binarios en protobuf-java core y lite versiones anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3, puede conllevar a un ataque de denegación de servicio. Las entradas que contienen múltiples instancias de mensajes insertados no repetidos con campos repetidos o desconocidos causan que los objetos sean convertidos de ida y vuelta entre las formas mutables e inmutables, resultando en pausas de recolección de basura potencialmente largas. • https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP https://security.gentoo.org/glsa/202301-09 https://access.redhat.com/security/cve/CVE-2022-3171 https://bugzilla.redhat.com/show_bug.cgi?id=2137645 • CWE-20: Improper Input Validation •