Headline
CVE-2022-3510: Sync from Piper @mkruskal/footmitten · protocolbuffers/protobuf@db7c178
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
@@ -378,6 +378,7 @@ MergeTarget newEmptyTargetForField( static class BuilderAdapter implements MergeTarget {
private final Message.Builder builder; private boolean hasNestedBuilders = true;
@Override public Descriptors.Descriptor getDescriptorForType() { @@ -393,13 +394,30 @@ public Object getField(Descriptors.FieldDescriptor field) { return builder.getField(field); }
private Message.Builder getFieldBuilder(Descriptors.FieldDescriptor field) { if (hasNestedBuilders) { try { return builder.getFieldBuilder(field); } catch (UnsupportedOperationException e) { hasNestedBuilders = false; } } return null; }
@Override public boolean hasField(Descriptors.FieldDescriptor field) { return builder.hasField(field); }
@Override public MergeTarget setField(Descriptors.FieldDescriptor field, Object value) { if (!field.isRepeated() && value instanceof MessageLite.Builder) { if (value != getFieldBuilder(field)) { builder.setField(field, ((MessageLite.Builder) value).buildPartial()); } return this; } builder.setField(field, value); return this; } @@ -413,12 +431,18 @@ public MergeTarget clearField(Descriptors.FieldDescriptor field) { @Override public MergeTarget setRepeatedField( Descriptors.FieldDescriptor field, int index, Object value) { if (value instanceof MessageLite.Builder) { value = ((MessageLite.Builder) value).buildPartial(); } builder.setRepeatedField(field, index, value); return this; }
@Override public MergeTarget addRepeatedField(Descriptors.FieldDescriptor field, Object value) { if (value instanceof MessageLite.Builder) { value = ((MessageLite.Builder) value).buildPartial(); } builder.addRepeatedField(field, value); return this; } @@ -536,11 +560,19 @@ public void mergeGroup( Message defaultInstance) throws IOException { if (!field.isRepeated()) { Message.Builder subBuilder; if (hasField(field)) { input.readGroup(field.getNumber(), builder.getFieldBuilder(field), extensionRegistry); return; subBuilder = getFieldBuilder(field); if (subBuilder != null) { input.readGroup(field.getNumber(), subBuilder, extensionRegistry); return; } else { subBuilder = newMessageFieldInstance(field, defaultInstance); subBuilder.mergeFrom((Message) getField(field)); } } else { subBuilder = newMessageFieldInstance(field, defaultInstance); } Message.Builder subBuilder = newMessageFieldInstance(field, defaultInstance); input.readGroup(field.getNumber(), subBuilder, extensionRegistry); Object unused = setField(field, subBuilder.buildPartial()); } else { @@ -558,11 +590,19 @@ public void mergeMessage( Message defaultInstance) throws IOException { if (!field.isRepeated()) { Message.Builder subBuilder; if (hasField(field)) { input.readMessage(builder.getFieldBuilder(field), extensionRegistry); return; subBuilder = getFieldBuilder(field); if (subBuilder != null) { input.readMessage(subBuilder, extensionRegistry); return; } else { subBuilder = newMessageFieldInstance(field, defaultInstance); subBuilder.mergeFrom((Message) getField(field)); } } else { subBuilder = newMessageFieldInstance(field, defaultInstance); } Message.Builder subBuilder = newMessageFieldInstance(field, defaultInstance); input.readMessage(subBuilder, extensionRegistry); Object unused = setField(field, subBuilder.buildPartial()); } else { @@ -586,11 +626,14 @@ private Message.Builder newMessageFieldInstance( public MergeTarget newMergeTargetForField( Descriptors.FieldDescriptor field, Message defaultInstance) { Message.Builder subBuilder; if (defaultInstance != null) { subBuilder = defaultInstance.newBuilderForType(); } else { subBuilder = builder.newBuilderForField(field); if (!field.isRepeated() && hasField(field)) { subBuilder = getFieldBuilder(field); if (subBuilder != null) { return new BuilderAdapter(subBuilder); } }
subBuilder = newMessageFieldInstance(field, defaultInstance); if (!field.isRepeated()) { Message originalMessage = (Message) getField(field); if (originalMessage != null) { @@ -626,7 +669,7 @@ public WireFormat.Utf8Validation getUtf8Validation(Descriptors.FieldDescriptor d
@Override public Object finish() { return builder.buildPartial(); return builder; } }
Related news
An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK seriali...
JBoss EAP XP 4.0.0.GA security release on the EAP 7.4.10 base is now available. See references for release notes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1278: A flaw was found in WildFly. This flaw allows an attacker to see deployment names, endpoints, and any other data the trace payload may contain. * CVE-2022-3509: A flaw was found in Textformat in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated e...
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Gentoo Linux Security Advisory 202301-9 - A vulnerability has been discovered in protobuf-java which could result in denial of service. Versions less than 3.20.3 are affected.