AVID-2026-R0718

Description

Denial of Service of protobuf-java parsing procedure (CVE-2021-22569)

Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Reason for inclusion in AVID: CVE-2021-22569 describes a Denial of Service vulnerability in protobuf-java parsing, causing significant parser delays. The affected artifacts include protobuf-java, protobuf-kotlin, and google-protobuf JRuby Gem, which are common dependencies in AI/ML software stacks for data serialization and communication. This is a software supply chain issue affecting components used to build, train, deploy, or run general-purpose AI systems, and it is a security vulnerability with a high impact.

References

• NVD entry
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
• https://cloud.google.com/support/bulletins#gcp-2022-001
• http://www.openwall.com/lists/oss-security/2022/01/12/4
• http://www.openwall.com/lists/oss-security/2022/01/12/7
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html

Affected or Relevant Artifacts

• Developer: Google LLC
• Deployer: Google LLC
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-01-07
• Version: 0.3.3
• AVID Entry