An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects, which cause frequent, repeated pauses. We recommend upgrading the affected libraries to versions beyond the vulnerable ranges listed below.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Google-protobuf | | * | 3.19.2 (excluding) |
Protobuf-java | | * | 3.16.1 (excluding) |
Protobuf-java | | 3.18.0 (including) | 3.18.2 (excluding) |
Protobuf-java | | 3.19.0 (including) | 3.19.2 (excluding) |
Protobuf-kotlin | | * | 3.18.2 (excluding) |
Protobuf-kotlin | | 3.19.0 (including) | 3.19.2 (excluding) |
Red Hat build of Quarkus 2.7.5 | RedHat | protobuf-java | * |
Red Hat Fuse 7.11 | RedHat | protobuf-java | * |
RHINT Camel-Q 2.2.1 | RedHat | protobuf-java | * |
RHINT Debezium 1.9.7 | RedHat | protobuf-java | * |
RHINT Service Registry 2.3.0 GA | RedHat | protobuf-java | * |
RHPAM 7.13.0 async | RedHat | protobuf-java | * |
Text-Only RHOAR | RedHat | protobuf-java | * |
Protobuf | Ubuntu | bionic | * |
Protobuf | Ubuntu | esm-infra/xenial | * |
Protobuf | Ubuntu | focal | * |
Protobuf | Ubuntu | impish | * |
Protobuf | Ubuntu | jammy | * |
Protobuf | Ubuntu | kinetic | * |
Protobuf | Ubuntu | trusty | * |
Protobuf | Ubuntu | trusty/esm | * |
Protobuf | Ubuntu | upstream | * |
Protobuf | Ubuntu | xenial | * |
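The protobuf-java ranges in the table above are written as "start (including)" / "end (excluding)" bounds, and the practical question for a defender is whether a given dependency version falls inside one of them. The following is an added example, not part of the advisory, that parses those bounds exactly as the table states them and flags Maven-style `group:artifact:version` coordinates (the coordinate format and the sample dependency list are assumptions constructed for illustration).

```python
import re

# Affected protobuf-java ranges, copied from the advisory table above.
# "*" as a start bound means "any earlier version".
AFFECTED_RANGES = [
    ("*", "3.16.1 (excluding)"),
    ("3.18.0 (including)", "3.18.2 (excluding)"),
    ("3.19.0 (including)", "3.19.2 (excluding)"),
]

_BOUND = re.compile(r"^(\d+(?:\.\d+)*)\s*\((including|excluding)\)$")


def parse_version(text):
    """'3.18.1' -> (3, 18, 1); tuples compare lexicographically like versions."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_bound(text):
    """'3.18.0 (including)' -> ((3, 18, 0), True); '*' -> (None, True)."""
    if text.strip() == "*":
        return None, True
    match = _BOUND.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised bound in advisory table: {text!r}")
    return parse_version(match.group(1)), match.group(2) == "including"


def in_range(version, start, end):
    """True if version lies within [start, end] honouring including/excluding."""
    v = parse_version(version)
    lo, lo_inc = parse_bound(start)
    hi, hi_inc = parse_bound(end)
    if lo is not None and (v < lo or (v == lo and not lo_inc)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_inc)):
        return False
    return True


def is_affected(version):
    return any(in_range(version, start, end) for start, end in AFFECTED_RANGES)


def flag_dependencies(coords):
    """Return the protobuf-java coordinates that fall in an affected range (assumed group:artifact:version format)."""
    hits = []
    for coord in coords:
        group, artifact, version = coord.split(":")
        if group == "com.google.protobuf" and artifact == "protobuf-java" and is_affected(version):
            hits.append(coord)
    return hits
```

Run it over the dependency list produced by your build tool; any coordinate returned should be bumped to 3.16.1, 3.18.2 or 3.19.2 or later per the table.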