CVE-2021-22015: VMSA-2021-0020.1
The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.
Advisory ID: VMSA-2021-0020.1
CVSSv3 Range: 4.3-9.8
Issue Date: 2021-09-21
Updated On: 2021-09-24
CVE(s): CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020
Synopsis: VMware vCenter Server updates address multiple security vulnerabilities
**1. Impacted Products**
VMware vCenter Server (vCenter Server)
VMware Cloud Foundation (Cloud Foundation)
**2. Introduction**
Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
**3a. vCenter Server file upload vulnerability (CVE-2021-22005)**
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
To remediate CVE-2021-22005 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
Workarounds for CVE-2021-22005 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
VMware has confirmed reports that CVE-2021-22005 is being exploited in the wild.
This issue does not affect vCenter Server 6.5.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3b. vCenter Server local privilege escalation vulnerability (CVE-2021-21991)**
The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).
To remediate CVE-2021-21991 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank Hynek Petrak of Schneider Electric for reporting this issue to us.
**3c. vCenter Server reverse proxy bypass vulnerability (CVE-2021-22006)**
The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to access restricted endpoints.
To remediate CVE-2021-22006 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue does not affect vCenter Server 6.5.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3d. vCenter Server unauthenticated API endpoint vulnerability (CVE-2021-22011)**
The vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to perform unauthenticated VM network setting manipulation.
To remediate CVE-2021-22011 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3e. vCenter Server improper permission local privilege escalation vulnerabilities (CVE-2021-22015)**
The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.
To remediate CVE-2021-22015 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank Yuval Lazar (@Ul7raVi0l3t) of Pentera, and Sergey Gerasimov and George Noseevich (@webpentest) of SolidLab working with Trend Micro Zero Day Initiative, for independently reporting these issues to us.
**3f. vCenter Server unauthenticated API information disclosure vulnerability (CVE-2021-22012)**
The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.
To remediate CVE-2021-22012 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue affects only vCenter Server 6.5.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3g. vCenter Server file path traversal vulnerability (CVE-2021-22013)**
The vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.
To remediate CVE-2021-22013 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue affects only vCenter Server 6.5.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3h. vCenter Server reflected XSS vulnerability (CVE-2021-22016)**
The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
An attacker may exploit this issue to execute malicious scripts by tricking a victim into clicking a malicious link.
To remediate CVE-2021-22016 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue affects only vCenter Server 6.7.
VMware would like to thank icez for reporting this issue to us.
**3i. vCenter Server rhttpproxy bypass vulnerability (CVE-2021-22017)**
Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass the proxy, leading to internal endpoints being accessed.
To remediate CVE-2021-22017 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue does not affect vCenter Server 7.0.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3j. vCenter Server authenticated code execution vulnerability (CVE-2021-22014)**
The vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
An authenticated VAMI user with network access to port 5480 on vCenter Server may exploit this issue to execute code on the underlying operating system that hosts vCenter Server.
To remediate CVE-2021-22014 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3k. vCenter Server file deletion vulnerability (CVE-2021-22018)**
The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
A malicious actor with network access to port 9087 on vCenter Server may exploit this issue to delete non-critical files.
To remediate CVE-2021-22018 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue affects only vCenter Server 7.0.
VMware would like to thank Sergey Gerasimov of Solidlab working with Trend Micro Zero Day Initiative for reporting this issue to us.
**3l. vCenter Server XML parsing denial-of-service vulnerability (CVE-2021-21992)**
The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
A malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash) may exploit this issue to create a denial-of-service condition on the vCenter Server host.
To remediate CVE-2021-21992 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank Osama Alaa of Malcrove for reporting this issue to us.
**3m. vCenter Server local information disclosure vulnerability (CVE-2021-22007)**
The vCenter Server contains a local information disclosure vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.
An authenticated user with non-administrative privilege may exploit this issue to gain access to sensitive information.
To remediate CVE-2021-22007 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue does not affect vCenter Server 6.5.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3n. vCenter Server denial of service vulnerability (CVE-2021-22019)**
The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
A malicious actor with network access to port 5480 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to create a denial of service condition.
To remediate CVE-2021-22019 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank Sergey Gerasimov and George Noseevich (@webpentest) of SolidLab working with Trend Micro Zero Day Initiative for reporting this issue to us.
**3o. vCenter Server VAPI multiple denial of service vulnerabilities (CVE-2021-22009)**
The vCenter Server contains multiple denial-of-service vulnerabilities in the VAPI (vCenter API) service. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
A malicious actor with network access to port 443 on vCenter Server may exploit these issues to create a denial of service condition due to excessive memory consumption by VAPI service.
To remediate CVE-2021-22009 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank Sergey Gerasimov and George Noseevich (@webpentest) of SolidLab working with Trend Micro Zero Day Initiative for reporting these issues to us.
**3p. vCenter Server VPXD denial of service vulnerability (CVE-2021-22010)**
The vCenter Server contains a denial-of-service vulnerability in VPXD (Virtual Provisioning X Daemon) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to create a denial of service condition due to excessive memory consumption by VPXD service.
To remediate CVE-2021-22010 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue does not affect vCenter Server 6.5.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3q. vCenter Server information disclosure vulnerability (CVE-2021-22008)**
The vCenter Server contains an information disclosure vulnerability in the VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
A malicious actor with network access to port 443 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to gain access to sensitive information.
To remediate CVE-2021-22008 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank Sergey Gerasimov and George Noseevich (@webpentest) of SolidLab working with Trend Micro Zero Day Initiative for reporting this issue to us.
**3r. vCenter Server Analytics service denial-of-service vulnerability (CVE-2021-22020)**
The vCenter Server contains a denial-of-service vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.0.
Successful exploitation of this issue may allow an attacker to create a denial-of-service condition on vCenter Server.
To remediate CVE-2021-22020 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
This issue does not affect vCenter Server 6.5.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
**3s. vCenter Server SSRF vulnerability (CVE-2021-21993)**
The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
An authorised user with access to the Content Library may exploit this issue by sending a POST request to vCenter Server, leading to information disclosure.
To remediate CVE-2021-21993 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.
VMware would like to thank Osama Alaa of Malcrove and vitquay of Vantage Point Security for independently reporting this issue to us.
Response Matrix - vSphere 7.0:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| vCenter Server | 7.0 | Any | CVE-2021-22005 | 9.8 | critical | 7.0 U2c | KB85717 | FAQ |
| vCenter Server | 7.0 | Any | CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22014, CVE-2021-22015, CVE-2021-22019, CVE-2021-22020 | 4.3-8.8 | important | 7.0 U2c | None | FAQ |
| vCenter Server | 7.0 | Any | CVE-2021-22011, CVE-2021-22018 | 6.5, 8.1 | important | 7.0 U2d | None | FAQ |
| vCenter Server | 7.0 | Any | CVE-2021-22012, CVE-2021-22013, CVE-2021-22016, CVE-2021-22017 | N/A | N/A | Unaffected | N/A | N/A |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-22005 | 9.8 | critical | KB85718 (4.3) | KB85717 | FAQ |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22014, CVE-2021-22015, CVE-2021-22019, CVE-2021-22020 | 4.3-8.8 | important | KB85718 (4.3) | None | FAQ |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-22011, CVE-2021-22018 | 6.5, 8.1 | important | KB85718 (4.3.1) | None | FAQ |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-22012, CVE-2021-22013, CVE-2021-22016, CVE-2021-22017 | N/A | N/A | Unaffected | N/A | N/A |
Response Matrix - vSphere 6.7:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| vCenter Server | 6.7 | Virtual Appliance | CVE-2021-22005 | 9.8 | critical | 6.7 U3o | KB85717 | FAQ |
| vCenter Server | 6.7 | Windows | CVE-2021-22005 | N/A | N/A | Unaffected | N/A | N/A |
| vCenter Server | 6.7 | Any | CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22006, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22016, CVE-2021-22017 | 4.3-8.8 | important | 6.7 U3o | None | FAQ |
| vCenter Server | 6.7 | Virtual Appliance | CVE-2021-22007, CVE-2021-22015, CVE-2021-22014, CVE-2021-22019, CVE-2021-22020 | 5.0-7.8 | important | 6.7 U3o | None | FAQ |
| vCenter Server | 6.7 | Windows | CVE-2021-22007, CVE-2021-22014, CVE-2021-22015, CVE-2021-22019, CVE-2021-22020 | N/A | N/A | Unaffected | N/A | N/A |
| vCenter Server | 6.7 | Any | CVE-2021-22012, CVE-2021-22013, CVE-2021-22018 | N/A | N/A | Unaffected | N/A | N/A |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-22005 | 9.8 | critical | KB85719 (3.10.2.2) | KB85717 | FAQ |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22019, CVE-2021-22020 | 4.3-8.8 | important | KB85719 (3.10.2.2) | None | FAQ |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-22012, CVE-2021-22013, CVE-2021-22018 | N/A | N/A | Unaffected | N/A | N/A |
Response Matrix - vSphere 6.5:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| vCenter Server | 6.5 | Any | CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22008, CVE-2021-22009, CVE-2021-22011, CVE-2021-22017 | 4.3-8.8 | important | 6.5 U3q | None | FAQ |
| vCenter Server | 6.5 | Virtual Appliance | CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22019 | 5.3-7.8 | important | 6.5 U3q | None | FAQ |
| vCenter Server | 6.5 | Windows | CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22019 | N/A | N/A | Unaffected | N/A | N/A |
| vCenter Server | 6.5 | Any | CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22010, CVE-2021-22016, CVE-2021-22018, CVE-2021-22020 | N/A | N/A | Unaffected | N/A | N/A |
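As an added check for the vCenter Server rows of the response matrices above (example code written for this page, not VMware's own tooling): the fixed versions and CVE sets are encoded as data, and a small parser for version strings of the form "7.0 U2c" reports which of the advisory's CVEs remain open for a given version and deployment type, including the case where 7.0 U2c closes everything except CVE-2021-22011 and CVE-2021-22018. The version-string grammar and its ordering are assumptions of this example; Cloud Foundation rows are not encoded.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Response Matrix rows from VMSA-2021-0020.1 as (fixed version, platform, CVEs).
# "Any" rows cover both the Virtual Appliance and Windows deployments; "Virtual
# Appliance" rows hold CVEs the advisory marks Unaffected on Windows.  Rows the
# matrix marks Unaffected for a whole release line are simply left out.
_ROWS: Dict[str, List[Tuple[str, str, FrozenSet[str]]]] = {
    "7.0": [
        ("7.0 U2c", "Any", frozenset({
            "CVE-2021-22005", "CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993",
            "CVE-2021-22006", "CVE-2021-22007", "CVE-2021-22008", "CVE-2021-22009",
            "CVE-2021-22010", "CVE-2021-22014", "CVE-2021-22015", "CVE-2021-22019",
            "CVE-2021-22020"})),
        # Two issues were fixed one patch later than the rest of the 7.0 set.
        ("7.0 U2d", "Any", frozenset({"CVE-2021-22011", "CVE-2021-22018"})),
    ],
    "6.7": [
        ("6.7 U3o", "Any", frozenset({
            "CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993", "CVE-2021-22006",
            "CVE-2021-22008", "CVE-2021-22009", "CVE-2021-22010", "CVE-2021-22011",
            "CVE-2021-22016", "CVE-2021-22017"})),
        ("6.7 U3o", "Virtual Appliance", frozenset({
            "CVE-2021-22005", "CVE-2021-22007", "CVE-2021-22014", "CVE-2021-22015",
            "CVE-2021-22019", "CVE-2021-22020"})),
    ],
    "6.5": [
        ("6.5 U3q", "Any", frozenset({
            "CVE-2021-21991", "CVE-2021-21992", "CVE-2021-21993", "CVE-2021-22008",
            "CVE-2021-22009", "CVE-2021-22011", "CVE-2021-22017"})),
        ("6.5 U3q", "Virtual Appliance", frozenset({
            "CVE-2021-22012", "CVE-2021-22013", "CVE-2021-22014", "CVE-2021-22015",
            "CVE-2021-22019"})),
    ],
}

# "<major>.<minor>" optionally followed by " U<n>" and a patch letter, e.g. "7.0 U2c".
# This grammar is an assumption of the example, not a VMware specification.
_VERSION_RE = re.compile(r"^(?P<line>\d+\.\d+)(?:\s*U(?P<update>\d+)(?P<patch>[a-z])?)?$", re.I)


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split "7.0 U2c" into the release line "7.0" and an orderable key (2, 3),
    so that "7.0" < "7.0 U2" < "7.0 U2c" < "7.0 U2d" < "7.0 U3"."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    update = int(m.group("update") or 0)
    patch = m.group("patch")
    letter = ord(patch.lower()) - ord("a") + 1 if patch else 0
    return m.group("line"), (update, letter)


def unpatched_cves(version: str, running_on: str = "Virtual Appliance") -> FrozenSet[str]:
    """Return the advisory CVEs still open on a deployment of this version.
    running_on is "Virtual Appliance" or "Windows" (Windows exists only for 6.5/6.7)."""
    line, key = parse_version(version)
    if line not in _ROWS:
        raise ValueError(f"release line {line} is not covered by VMSA-2021-0020.1")
    exposed = set()
    for fixed, platform, cves in _ROWS[line]:
        if platform != "Any" and platform != running_on:
            continue  # appliance-only issues do not apply to a Windows install
        if key < parse_version(fixed)[1]:
            exposed |= cves
    return frozenset(exposed)


def exploited_in_wild_open(version: str, running_on: str = "Virtual Appliance") -> bool:
    """True while CVE-2021-22005, the issue confirmed exploited in the wild, is open."""
    return "CVE-2021-22005" in unpatched_cves(version, running_on)


if __name__ == "__main__":
    for v, plat in [("7.0 U2c", "Virtual Appliance"), ("6.7 U3n", "Windows")]:
        print(v, plat, sorted(unpatched_cves(v, plat)))
```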
**4. References**
**5. Change Log**
2021-09-21 VMSA-2021-0020
Initial security advisory.
2021-09-24 VMSA-2021-0020.1
Updated advisory with an alert that VMware has confirmed reports that CVE-2021-22005 is being exploited in the wild.
**6. Contact**