An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading to versions beyond the vulnerable ranges listed below.
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Google-protobuf | * | 3.19.2 (excluding) | |
Protobuf-java | * | 3.16.1 (excluding) | |
Protobuf-java | 3.18.0 (including) | 3.18.2 (excluding) | |
Protobuf-java | 3.19.0 (including) | 3.19.2 (excluding) | |
Protobuf-kotlin | * | 3.18.2 (excluding) | |
Protobuf-kotlin | 3.19.0 (including) | 3.19.2 (excluding) | |
Red Hat build of Quarkus 2.7.5 | RedHat | protobuf-java | * |
Red Hat Fuse 7.11 | RedHat | protobuf-java | * |
RHINT Camel-Q 2.2.1 | RedHat | protobuf-java | * |
RHINT Debezium 1.9.7 | RedHat | protobuf-java | * |
RHINT Service Registry 2.3.0 GA | RedHat | protobuf-java | * |
RHPAM 7.13.0 async | RedHat | protobuf-java | * |
Text-Only RHOAR | RedHat | protobuf-java | * |
Protobuf | Ubuntu | bionic | * |
Protobuf | Ubuntu | esm-infra/xenial | * |
Protobuf | Ubuntu | focal | * |
Protobuf | Ubuntu | impish | * |
Protobuf | Ubuntu | jammy | * |
Protobuf | Ubuntu | kinetic | * |
Protobuf | Ubuntu | trusty | * |
Protobuf | Ubuntu | trusty/esm | * |
Protobuf | Ubuntu | upstream | * |
Protobuf | Ubuntu | xenial | * |
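To turn the version ranges in the table into a dependency check, the following is an added Python example (not part of this advisory or of the protobuf project). It assumes the Protobuf-java and Protobuf-kotlin rows read as start version, end version, with `*` meaning no lower bound, "(including)" an inclusive bound and "(excluding)" an exclusive bound; it compares plain numeric dotted versions only.

```python
# Added example: check a declared protobuf-java / protobuf-kotlin version against
# the affected ranges listed in the advisory table above. Assumption: each row is
# (start, end) with "*" meaning no lower bound; the "(excluding)" end version is
# the first version outside the affected range, i.e. the upgrade target.
AFFECTED = {
    "protobuf-java": [
        (None, "3.16.1"),      # *  .. 3.16.1 (excluding)
        ("3.18.0", "3.18.2"),  # 3.18.0 (including) .. 3.18.2 (excluding)
        ("3.19.0", "3.19.2"),  # 3.19.0 (including) .. 3.19.2 (excluding)
    ],
    "protobuf-kotlin": [
        (None, "3.18.2"),
        ("3.19.0", "3.19.2"),
    ],
}


def parse_version(version: str) -> tuple:
    """Turn '3.19.1' into (3, 19, 1) so tuples compare numerically.

    Pre-release suffixes (e.g. '3.19.1-rc1') are stripped, so a release
    candidate is treated like the release it precedes. That is conservative
    for the check below: it never reports a pre-release as already fixed.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def fixed_version(artifact: str, version: str):
    """Return the first fixed version if `version` lies in an affected range,
    otherwise None. Only as accurate as the table it encodes: versions the
    table does not list (for example 3.17.x) are reported as not affected."""
    v = parse_version(version)
    for start, end in AFFECTED[artifact.lower()]:
        lower_ok = start is None or v >= parse_version(start)  # "(including)"
        upper_ok = v < parse_version(end)                       # "(excluding)"
        if lower_ok and upper_ok:
            return end
    return None


def is_affected(artifact: str, version: str) -> bool:
    return fixed_version(artifact, version) is not None


if __name__ == "__main__":
    # Constructed sample dependency list, e.g. scraped from a Maven/Gradle tree.
    for artifact, version in [("protobuf-java", "3.16.0"),
                              ("protobuf-java", "3.18.1-rc1"),
                              ("protobuf-java", "3.20.0")]:
        fix = fixed_version(artifact, version)
        print(f"{artifact} {version}: " + (f"upgrade to {fix}" if fix else "not listed"))
```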