
CVE-2022-3171

Memory handling vulnerability in ProtocolBuffers Java core and lite

Severity Score: 7.5 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: see the Affected Vendors, Products, and Versions table (CPE)
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

A binary-data parsing issue in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. Updating to the versions mentioned above is recommended.

Debezium is a distributed platform that turns your existing databases into event streams, so applications can see and respond immediately to each row-level change in the databases. Debezium is built on top of Apache Kafka and provides Kafka Connect compatible connectors that monitor specific database management systems. Debezium records the history of data changes in Kafka logs, from where your application consumes them. This makes it possible for your application to easily consume all of the events correctly and completely. Even if your application stops unexpectedly, it will not miss anything: when the application restarts, it will resume consuming the events where it left off. Issues addressed include a denial of service vulnerability.

*Credits: N/A
CVSS Scores

CVSS v3.1 (base score 7.5, the score shown above): AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: High

CVSS v3.x, second assessment (this vector computes to a base score of 4.3): AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  Attack Vector: Adjacent; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: Low

CVSS v2.0 (this vector computes to a base score of 7.8): AV:N/AC:L/Au:N/C:N/I:N/A:C
  Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality: None; Integrity: None; Availability: Complete

The two v3 assessments disagree only on reachability (Network vs Adjacent) and on the size of the availability impact (High vs Low); both agree there is no confidentiality or integrity impact and no privileges or user interaction are required. Which one applies to a given deployment depends on whether untrusted protobuf input can reach the parser over the network.
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-09-09 CVE Reserved
  • 2022-10-12 CVE Published
  • 2024-08-03 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor         Product               Version              Other   Status
Google         Google-protobuf       < 3.16.3             ruby    Affected
Google         Google-protobuf       >= 3.17.0 < 3.19.6   ruby    Affected
Google         Google-protobuf       >= 3.20.0 < 3.20.3   ruby    Affected
Google         Google-protobuf       >= 3.21.0 < 3.21.7   ruby    Affected
Google         Protobuf-java         < 3.16.3             -       Affected
Google         Protobuf-java         >= 3.17.0 < 3.19.6   -       Affected
Google         Protobuf-java         >= 3.20.0 < 3.20.3   -       Affected
Google         Protobuf-java         >= 3.21.0 < 3.21.7   -       Affected
Google         Protobuf-javalite     < 3.16.3             -       Affected
Google         Protobuf-javalite     >= 3.17.0 < 3.19.6   -       Affected
Google         Protobuf-javalite     >= 3.20.0 < 3.20.3   -       Affected
Google         Protobuf-javalite     >= 3.21.0 < 3.21.7   -       Affected
Google         Protobuf-kotlin       < 3.16.3             -       Affected
Google         Protobuf-kotlin       >= 3.17.0 < 3.19.6   -       Affected
Google         Protobuf-kotlin       >= 3.20.0 < 3.20.3   -       Affected
Google         Protobuf-kotlin       >= 3.21.0 < 3.21.7   -       Affected
Google         Protobuf-kotlin-lite  < 3.16.3             -       Affected
Google         Protobuf-kotlin-lite  >= 3.17.0 < 3.19.6   -       Affected
Google         Protobuf-kotlin-lite  >= 3.20.0 < 3.20.3   -       Affected
Google         Protobuf-kotlin-lite  >= 3.21.0 < 3.21.7   -       Affected
Fedoraproject  Fedora                37                   -       Affected

Note that the ranges leave a gap between 3.16.3 and 3.17.0: 3.16.3 is the fixed release on the 3.16 branch, so later 3.16.x releases are not listed as affected. The fixed release for each branch is the exclusive upper bound of its range (3.16.3, 3.19.6, 3.20.3, 3.21.7).
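The description above gives the fixed releases and the table gives the exact affected ranges, but in practice the check a team needs is "does my build pull in a vulnerable protobuf-java artifact". The following is an added example, not code from the page or from the protobuf project: it encodes the four ranges from the table for the Maven artifacts listed under the Google vendor (protobuf-java, protobuf-javalite, protobuf-kotlin, protobuf-kotlin-lite) and scans `mvn dependency:list` style output for them. The sample output below is constructed for the example; the Ruby `google-protobuf` gem rows from the table are not covered because the scanner only reads Maven coordinates. Pre-release qualifiers such as `-rc1` are stripped before comparison, which errs on the side of flagging.

```python
"""Flag protobuf-java family artifacts in the CVE-2022-3171 affected ranges.

Added example. Ranges and artifact names come from the page's Affected
Vendors, Products, and Versions table; the Maven output below is constructed.
"""
import re

# (lower bound inclusive or None, upper bound exclusive). The upper bound of
# each range is the fixed release on that branch. 3.16.3 <= v < 3.17.0 is a
# fixed 3.16.x release and is deliberately not covered.
AFFECTED_RANGES = [
    (None, (3, 16, 3)),
    ((3, 17, 0), (3, 19, 6)),
    ((3, 20, 0), (3, 20, 3)),
    ((3, 21, 0), (3, 21, 7)),
]

# Maven artifactIds under groupId com.google.protobuf listed on the page.
# protobuf-java-util is not listed and is therefore not flagged on its own;
# it pulls in protobuf-java, which is flagged when it appears in the output.
AFFECTED_ARTIFACTS = {
    "protobuf-java",
    "protobuf-javalite",
    "protobuf-kotlin",
    "protobuf-kotlin-lite",
}

# Matches one dependency line, e.g.
# "[INFO]    com.google.protobuf:protobuf-java:jar:3.19.4:compile"
DEP_LINE = re.compile(r"com\.google\.protobuf:([\w.-]+):jar:([\w.-]+):")


def parse_version(version):
    """'3.21.5' -> (3, 21, 5). A qualifier such as '-rc1' is dropped and the
    tuple is padded to three components so comparisons are well defined."""
    core = version.split("-")[0]
    nums = []
    for part in core.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        nums.append(int(match.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def fixed_version_for(version):
    """Return the fixed release for the branch `version` falls in, or None
    when the version is outside every affected range."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return ".".join(str(n) for n in upper)
    return None


def is_affected(version):
    return fixed_version_for(version) is not None


def scan_dependency_list(text):
    """Return [(artifact, version, fixed_version)] for every affected
    com.google.protobuf artifact found in `mvn dependency:list` output."""
    findings = []
    for line in text.splitlines():
        match = DEP_LINE.search(line)
        if not match:
            continue
        artifact, version = match.groups()
        if artifact not in AFFECTED_ARTIFACTS:
            continue
        fixed = fixed_version_for(version)
        if fixed is not None:
            findings.append((artifact, version, fixed))
    return findings


# Constructed sample of `mvn dependency:list` output for the example.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.google.protobuf:protobuf-java:jar:3.19.4:compile
[INFO]    com.google.protobuf:protobuf-java-util:jar:3.19.4:compile
[INFO]    com.google.protobuf:protobuf-kotlin:jar:3.21.7:compile
[INFO]    com.google.protobuf:protobuf-javalite:jar:3.16.3:compile
[INFO]    io.grpc:grpc-protobuf:jar:1.49.0:compile
"""


if __name__ == "__main__":
    for artifact, version, fixed in scan_dependency_list(SAMPLE_MVN_OUTPUT):
        print(f"{artifact} {version} is affected by CVE-2022-3171; "
              f"upgrade to {fixed} or later on that branch")
```

Run against real output with `mvn dependency:list | python check_protobuf.py` after swapping the constructed sample for `sys.stdin.read()`; the same range logic applies to Gradle coordinates, only the regular expression needs to change. The scan reports the resolved version, not the declared one, which is what matters when a transitive dependency such as gRPC pins an older protobuf-java.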