Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A potential Denial of Service issue in protobuf-java #315

Open
anguillanneuf opened this issue May 11, 2022 · 3 comments
Open

A potential Denial of Service issue in protobuf-java #315

anguillanneuf opened this issue May 11, 2022 · 3 comments

Comments

@anguillanneuf
Copy link
Member

Outdated protobuf-java found in main/load-test-framework:

Screen Shot 2022-05-11 at 9 32 31 AM

Please update to the latest available versions of the following packages:

  • protobuf-java (3.16.1, 3.18.2, 3.19.2)

CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.
@anguillanneuf
Copy link
Member Author

@dpcollins-google or someone else can update this and other dependencies in this project.

@dpcollins-google
Copy link
Collaborator

It's a bit irrelevant? It's only in an example framework for running load tests not production workflows.

@anguillanneuf
Copy link
Member Author

Should still update these deps (even if not urgent and used in production).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@anguillanneuf @dpcollins-google