{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3509", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "requesterUserId": "0482d1dc-86d9-41dd-bdd2-3f4c4834e1b3", "dateReserved": "2022-10-14T13:51:45.771Z", "datePublished": "2022-11-01T18:09:31.634Z", "dateUpdated": "2024-08-03T01:14:02.398Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["all"], "product": "ProtocolBuffers", "repo": "https://github.com/protocolbuffers/protobuf/", "vendor": "Google", "versions": [{"lessThan": "3.21.7", "status": "affected", "version": "3.21.0", "versionType": "semver"}, {"lessThan": "3.20.3", "status": "affected", "version": "3.20.0", "versionType": "semver"}, {"lessThan": "3.19.6", "status": "affected", "version": "3.19.0", "versionType": "semver"}, {"lessThan": "3.16.3", "status": "affected", "version": "3.16.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.</span>"}], "value": "A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2022-12-12T12:11:04.548862Z"}, "references": [{"url": "https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9"}], "source": {"discovery": "UNKNOWN"}, "title": "Parsing issue in protobuf textformat", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:14:02.398Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB303B67-87A7-43AC-8A8B-B037C2D06B3F", "versionEndExcluding": "3.16.3", "versionStartIncluding": "3.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C2D62DC-0F66-4A30-B9FE-EA6199E60538", "versionEndExcluding": "3.19.6", "versionStartIncluding": "3.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "56CA1E8D-A555-4F4F-80D8-F23D0DC50BB8", "versionEndExcluding": "3.20.3", "versionStartIncluding": "3.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "E82CFAC2-2F65-45FD-88D9-D42145FC4A4F", "versionEndExcluding": "3.21.7", "versionStartIncluding": "3.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "matchCriteriaId": "63C927E5-FAB2-4F2E-8F28-EC3CC160837C", "versionEndExcluding": "3.16.3", "versionStartIncluding": "3.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B4050D4-2224-467C-B46D-2CD734B3B0FB", "versionEndExcluding": "3.19.6", "versionStartIncluding": "3.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "matchCriteriaId": "459A8615-D2ED-49F3-A81C-DC4560D96C93", "versionEndExcluding": "3.20.3", "versionStartIncluding": "3.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", "matchCriteriaId": "712693B9-41AB-41D1-97B2-560FDFEE0863", "versionEndExcluding": "3.21.7", "versionStartIncluding": "3.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."}, {"lang": "es", "value": "Un problema de an\u00e1lisis similar a CVE-2022-3171, pero con formato de texto en las versiones core y lite de protobuf-java anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3 puede provocar un ataque de Denegaci\u00f3n de Servicio (DoS). Las entradas que contienen m\u00faltiples instancias de mensajes incrustados no repetidos con campos repetidos o desconocidos hacen que los objetos se conviertan de un lado a otro entre formas mutables e inmutables, lo que resulta en pausas de recolecci\u00f3n de basura potencialmente largas. Recomendamos actualizar a las versiones mencionadas anteriormente."}], "id": "CVE-2022-3509", "lastModified": "2022-12-15T16:57:53.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2022-12-12T13:15:14.607", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:1855", "cpe": "cpe:/a:redhat:jbosseapxp", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "release_date": "2023-04-18T00:00:00Z"}, {"advisory": "RHSA-2023:3815", "cpe": "cpe:/a:redhat:service_registry:2.4", "package": "protobuf-java", "product_name": "RHINT Service Registry 2.4.3 GA", "release_date": "2023-06-27T00:00:00Z"}, {"advisory": "RHSA-2023:4983", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "product_name": "RHPAM 7.13.4 async", "release_date": "2023-09-05T00:00:00Z"}], "bugzilla": {"description": "protobuf-java: Textformat parsing issue leads to DoS", "id": "2184161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184161"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-915", "details": ["A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", "A flaw was found in Textformat in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses."], "name": "CVE-2022-3509", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "org.keycloak-keycloak-parent", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Will not fix", "package_name": "org.keycloak-keycloak-parent", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "jenkins-2-plugins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "protobuf-java", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "protobuf-java", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "protobuf-java", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2022-12-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3509\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3509"], "threat_severity": "Moderate", "upstream_fix": "protobuf-java 3.21.7, protobuf-java 3.20.3, protobuf-java 3.19.6, protobuf-java 3.16.3"}