7.5

CVSS Score

Basic Information

CVE ID

CVE-2022-3509

GHSA ID

GHSA-g5ww-5jh7-63cx

EPSS Score

CWE

CWE-400

Published

12/12/2022

Updated

1/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-3509

CVE-2022-3509:
Protobuf Java vulnerable to Uncontrolled Resource Consumption

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2022-3509

GHSA ID

GHSA-g5ww-5jh7-63cx

EPSS Score

CWE

CWE-400

Published

12/12/2022

Updated

1/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.google.protobuf:protobuf-java	maven	< 3.16.3	3.16.3
com.google.protobuf:protobuf-java	maven	>= 3.17.0, < 3.19.6	3.19.6
com.google.protobuf:protobuf-java	maven	>= 3.20.0, < 3.20.3	3.20.3
com.google.protobuf:protobuf-java	maven	>= 3.21.0, < 3.21.7	3.21.7
com.google.protobuf:protobuf-javalite	maven	< 3.16.3	3.16.3
com.google.protobuf:protobuf-javalite	maven	>= 3.17.0, < 3.19.6	3.19.6
com.google.protobuf:protobuf-javalite	maven	>= 3.20.0, < 3.20.3	3.20.3
com.google.protobuf:protobuf-javalite	maven	>= 3.21.0, < 3.21.7	3.21.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inefficient handling of message builders during textformat parsing. The commit a3888f5 shows critical changes in BuilderAdapter methods (setField, setRepeatedField, addRepeatedField) where MessageLite.Builder instances were being passed around without being converted to immutable messages via buildPartial(). This caused repeated conversions between mutable/immutable states when processing non-repeated embedded messages with repeated/unknown fields. The patch explicitly converts builders to messages early in these methods, reducing GC pressure by preventing object thrashing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* p*rsin* issu* simil*r to *V*-****-****, *ut wit* t*xt*orm*t in proto*u*-j*v* *or* *n* lit* v*rsions prior to *.**.*, *.**.*, *.**.* *n* *.**.* **n l*** to * **ni*l o* s*rvi** *tt**k. Inputs *ont*inin* multipl* inst*n**s o* non-r*p**t** *m****** m*s

Reasoning

T** vuln*r**ility st*ms *rom in***i*i*nt **n*lin* o* m*ss*** *uil**rs *urin* t*xt*orm*t p*rsin*. T** *ommit ******* s*ows *riti**l ***n**s in *uil**r***pt*r m*t*o*s (s*t*i*l*, s*tR*p**t***i*l*, ***R*p**t***i*l*) w**r* M*ss***Lit*.*uil**r inst*n**s w*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-3509: Protobuf Java vulnerable to Uncontrolled Resource Consumption

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-3509:
Protobuf Java vulnerable to Uncontrolled Resource Consumption

Vulnerability Intelligence
Miggo AI