5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-3171

GHSA ID

GHSA-h4h5-3hr4-j3g2

EPSS Score

0.22366%

CWE

CWE-20

Published

10/4/2022

Updated

4/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-3171

CVE-2022-3171:
protobuf-java has a potential Denial of Service issue

Summary

A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Reporter: OSS Fuzz

Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)

Remediation and Mitigation

Please update to the latest available versions of the following packages:

protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)

(GitHub Advisory)

5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-3171

GHSA ID

GHSA-h4h5-3hr4-j3g2

EPSS Score

0.22366%

CWE

CWE-20

Published

10/4/2022

Updated

4/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.google.protobuf:protobuf-java	maven	>= 3.21.0-rc-1, < 3.21.7	3.21.7
com.google.protobuf:protobuf-kotlin	maven	>= 3.21.0-rc-1, < 3.21.7	3.21.7
google-protobuf	rubygems	>= 3.21.0.rc.1, < 3.21.7	3.21.7
com.google.protobuf:protobuf-javalite	maven	>= 3.21.0-rc-1, < 3.21.7	3.21.7
com.google.protobuf:protobuf-kotlin-lite	maven	>= 3.21.0-rc-1, < 3.21.7	3.21.7
com.google.protobuf:protobuf-java	maven	>= 3.20.0-rc-1, < 3.20.3	3.20.3
com.google.protobuf:protobuf-java	maven	>= 3.17.0-rc-1, < 3.19.6	3.19.6
com.google.protobuf:protobuf-java	maven	< 3.16.3	3.16.3
com.google.protobuf:protobuf-kotlin	maven	>= 3.20.0-rc-1, < 3.20.3	3.20.3
com.google.protobuf:protobuf-kotlin	maven	>= 3.17.0-rc-1, < 3.19.6	3.19.6
com.google.protobuf:protobuf-kotlin	maven	< 3.16.3	3.16.3
google-protobuf	rubygems	>= 3.20.0.rc.1, < 3.20.3	3.20.3
google-protobuf	rubygems	>= 3.17.0.rc.1, < 3.19.6	3.19.6
google-protobuf	rubygems	< 3.16.3	3.16.3
com.google.protobuf:protobuf-javalite	maven	>= 3.20.0-rc-1, < 3.20.3	3.20.3
com.google.protobuf:protobuf-javalite	maven	>= 3.17.0-rc-1, < 3.19.6	3.19.6
com.google.protobuf:protobuf-javalite	maven	< 3.16.3	3.16.3
com.google.protobuf:protobuf-kotlin-lite	maven	>= 3.20.0-rc-1, < 3.20.3	3.20.3
com.google.protobuf:protobuf-kotlin-lite	maven	>= 3.17.0-rc-1, < 3.19.6	3.19.6
com.google.protobuf:protobuf-kotlin-lite	maven	< 3.16.3	3.16.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inefficient parsing logic that created excessive object conversions between mutable/immutable forms. Release notes specifically mention:

Migration of parsing from constructors to Builder classes
Changes in Lite runtime merging behavior
TextFormat parser optimizations These functions are central to message parsing and merging operations. The patch focused on reducing allocations by reusing builders instead of creating new immutable instances, directly addressing the GC pressure issue caused by repeated conversions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry * pot*nti*l **ni*l o* S*rvi** issu* in `proto*u*-j*v*` *or* *n* lit* w*s *is*ov*r** in t** p*rsin* pro***ur* *or *in*ry *n* t*xt *orm*t **t*. Input str**ms *ont*inin* multipl* inst*n**s o* non-r*p**t** [*m****** m*ss***s](*ttp://**v*lop*rs

Reasoning

T** vuln*r**ility st*ms *rom in***i*i*nt p*rsin* lo*i* t**t *r**t** *x**ssiv* o*j**t *onv*rsions **tw**n mut**l*/immut**l* *orms. R*l**s* not*s sp**i*i**lly m*ntion: *. Mi*r*tion o* p*rsin* *rom *onstru*tors to *uil**r *l*ss*s *. ***n**s in Lit* runt

5.7

Basic Information

Concerned about an active attack path?

CVE-2022-3171: protobuf-java has a potential Denial of Service issue

Summary

Severity

Remediation and Mitigation

5.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-3171:
protobuf-java has a potential Denial of Service issue

Vulnerability Intelligence
Miggo AI