Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
The product does not properly control the allocation and maintenance of a limited resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Protobuf | * | 3.25.5 (excluding) | |
| Protobuf | 4.0.0 (including) | 4.27.5 (excluding) | |
| Protobuf | 4.28.0 (including) | 4.28.2 (excluding) | |
| Protobuf-java | * | 3.25.5 (excluding) | |
| Protobuf-java | 4.0.0 (including) | 4.27.5 (excluding) | |
| Protobuf-java | 4.28.0 (including) | 4.28.2 (excluding) | |
| Protobuf-javalite | * | 3.25.5 (excluding) | |
| Protobuf-javalite | 4.0.0 (including) | 4.27.5 (excluding) | |
| Protobuf-javalite | 4.28.0 (including) | 4.28.2 (excluding) | |
| Protobuf-kotlin | * | 3.25.5 (excluding) | |
| Protobuf-kotlin | 4.0.0 (including) | 4.27.5 (excluding) | |
| Protobuf-kotlin | 4.28.0 (including) | 4.28.2 (excluding) | |
| Protobuf-kotlin-lite | * | 3.25.5 (excluding) | |
| Protobuf-kotlin-lite | 4.0.0 (including) | 4.27.5 (excluding) | |
| Protobuf-kotlin-lite | 4.28.0 (including) | 4.28.2 (including) | |
| Red Hat build of Apache Camel 4.4.3 for Spring Boot | RedHat | * | |
| Red Hat build of Apache Camel 4.8 for Spring Boot | RedHat | * | |
| Red Hat build of Apache Camel 4 for Quarkus 3 | RedHat | com.google.protobuf/protobuf-java | * |
| Red Hat build of Quarkus 3.2 | RedHat | com.google.protobuf/protobuf | * |
| Red Hat build of Quarkus 3.8 | RedHat | com.google.protobuf/protobuf | * |
| Red Hat JBoss EAP XP 5.0 Update 2.0 | RedHat | protobuf-java | * |
| Streams for Apache Kafka 2.8.0 | RedHat | * | |
| Red Hat Trusted Profile Analyzer 1.2 | RedHat | registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe | * |
| Red Hat Trusted Profile Analyzer 1.2 | RedHat | registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30 | * |
| Protobuf | Ubuntu | esm-infra-legacy/trusty | * |
| Protobuf | Ubuntu | esm-infra/bionic | * |
| Protobuf | Ubuntu | esm-infra/focal | * |
| Protobuf | Ubuntu | esm-infra/xenial | * |
| Protobuf | Ubuntu | focal | * |
| Protobuf | Ubuntu | jammy | * |
| Protobuf | Ubuntu | noble | * |
| Protobuf | Ubuntu | oracular | * |
| Protobuf | Ubuntu | plucky | * |
| Protobuf | Ubuntu | trusty/esm | * |
| Protobuf | Ubuntu | upstream | * |
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.