CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*
cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*
cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:spatial_and_graph_mapviewer:19c:*:*:*:*:*:*:*
cpe:2.3:a:oracle:spatial_and_graph_mapviewer:21c:*:*:*:*:*:*:*

History

21 Nov 2024, 05:50

Type Values Removed Values Added
CVSS v2 : 4.3
v3 : 5.5
v2 : 4.3
v3 : 7.5
References () http://www.openwall.com/lists/oss-security/2022/01/12/4 - Mailing List, Third Party Advisory () http://www.openwall.com/lists/oss-security/2022/01/12/4 - Mailing List, Third Party Advisory
References () http://www.openwall.com/lists/oss-security/2022/01/12/7 - Mailing List, Third Party Advisory () http://www.openwall.com/lists/oss-security/2022/01/12/7 - Mailing List, Third Party Advisory
References () https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 - Exploit, Issue Tracking, Mailing List, Vendor Advisory () https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 - Exploit, Issue Tracking, Mailing List, Vendor Advisory
References () https://cloud.google.com/support/bulletins#gcp-2022-001 - Vendor Advisory () https://cloud.google.com/support/bulletins#gcp-2022-001 - Vendor Advisory
References () https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html - () https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html -
References () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

Information

Published : 2022-01-10 14:10

Updated : 2024-11-21 05:50


NVD link : CVE-2021-22569

Mitre link : CVE-2021-22569

CVE.ORG link : CVE-2021-22569


JSON object : View

Products Affected

oracle

  • communications_cloud_native_core_network_repository_function
  • spatial_and_graph_mapviewer
  • communications_cloud_native_core_policy
  • communications_cloud_native_core_console

google

  • google-protobuf
  • protobuf-java
  • protobuf-kotlin
CWE
CWE-696

Incorrect Behavior Order

NVD-CWE-noinfo