CVE-2022-3510

CWE-400 — Uncontrolled Resource Consumption CWE-91510 documents8 sources

Severity

7.5HIGH

EPSS

0.1%

top 77.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Protocolbuffers Google Protobuf-java Google Protobuf-javalite

Timeline

PublishedDec 12

Latest updateJan 15

Description

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDgoogle/protobuf-javalite3.16.0 — 3.16.3+3

▶Mavencom.google.protobuf:protobuf-javalite3.0.0 — 3.16.3+3

▶NVDgoogle/protobuf-java3.16.0 — 3.16.3+3

▶Mavencom.google.protobuf:protobuf-java3.0.0 — 3.16.3+3

▶Debianprotobuf< 3.21.9-3+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Protobuf Java vulnerable to Uncontrolled Resource Consumption↗2022-12-12

▶

OSV

CVE-2022-3510: A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3↗2022-12-12

▶

GHSA

Protobuf Java vulnerable to Uncontrolled Resource Consumption↗2022-12-12

▶

CVEList

Parsing issue in protobuf message-type extension↗2022-11-11

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Analytics Server, BI Search (Google Protobuf-Java) — CVE-2022-3510↗2024-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Policy (Google Protobuf-Java) — CVE-2022-3510↗2023-01-15

▶

Red Hat

protobuf-java: Message-Type Extensions parsing issue leads to DoS↗2022-12-15

▶

Microsoft

Parsing issue in protobuf message-type extension↗2022-11-08

▶

Debian

CVE-2022-3510: protobuf - A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in pr...↗2022

▶