CVE-2021-22569

Description

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

How to fix CVE-2021-22569

To remediate CVE-2021-22569, upgrade the affected package to a fixed version below.

• —upgrade to 3.12.4-1+deb11u1 or later
• —upgrade to 3.6.1.3-2+deb10u1 or later
• —upgrade to 3.16.1 or later
• —upgrade to 3.18.2 or later
• —upgrade to 3.19.2 or later

Is CVE-2021-22569 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 3.12.4-1+deb11u1
• from 0, < 3.6.1.3-2+deb10u1
• from 0, < 3.16.1
• >= 3.18.0, < 3.18.2
• from 0, < 3.19.2

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-22569
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-22569
• PATCHgithub.com/protocolbuffers/protobuf
• WEBbugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
• WEB