Security Vulnerabilities –
How to fix the following security vulnerability in protobuf-java core (and the lite runtime).
Affected: all applications that use protobuf-java as a third-party library, whether declared directly or pulled in transitively by another library.
Root cause –
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions, in
protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. Any service that parses protobuf messages from untrusted input (a public API, a message queue consumer) can be stalled this way with a single crafted message, so the fix is a runtime upgrade rather than an application-level check.
Fix –
Upgrade the com.google.protobuf:protobuf-java dependency in your application (and com.google.protobuf:protobuf-javalite, if you use the lite runtime) to version 3.21.7 or later. Note that 3.21.7 itself is a fixed release, so "greater than 3.21.7" is stricter than necessary.
However, if the GCP or BigQuery client libraries in your application do not yet support 3.21.x, use 3.19.6 or a later 3.19.x release; 3.20.3 and 3.16.3 are the corresponding fixed releases on the 3.20.x and 3.16.x branches. Branches with no fixed release (for example 3.17.x and 3.18.x) must move to one of the fixed branches.
Because libraries such as the BigQuery client pull protobuf-java in transitively, declaring the new version is not enough on its own: check the version that actually resolves with mvn dependency:tree (or gradle dependencies), and if it is still old, force it through a dependencyManagement entry or BOM so that every transitive path resolves to the fixed release.
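To make the "check the resolved version" step concrete, the following script is an added example (not code from the original article or from the protobuf project). It scans the output of mvn dependency:tree for protobuf-java and protobuf-javalite, compares each resolved version against the fixed release on its branch, and reports the smallest upgrade that fixes the issue, staying on the 3.19.x branch when that is what the build needs. It assumes the standard "groupId:artifactId:type[:classifier]:version[:scope]" line format that dependency:tree prints, and that every main-line release newer than 3.21 (3.22+, 4.x) contains the fix. The SAMPLE_TREE input is constructed for the example so it runs offline.

```python
"""
Audit a Maven dependency tree for protobuf-java / protobuf-javalite versions that
predate the fixed releases (3.16.3, 3.19.6, 3.20.3, 3.21.7).

Run:  mvn dependency:tree > tree.txt && python protobuf_audit.py tree.txt
Without an argument the constructed SAMPLE_TREE below is used.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch that received a fix.
# Branches absent here (3.17.x, 3.18.x, anything before 3.16) have no fixed release.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (3, 16): (3, 16, 3),
    (3, 19): (3, 19, 6),
    (3, 20): (3, 20, 3),
    (3, 21): (3, 21, 7),
}
LATEST_FIXED_BRANCH = (3, 21)

# Matches the "groupId:artifactId:type[:classifier]:version[:scope]" coordinates printed by
# `mvn dependency:tree`. Only the core and lite runtimes are in scope; protobuf-java-util
# is not matched because "protobuf-java" must be followed directly by ':'.
COORD_RE = re.compile(r"com\.google\.protobuf:(protobuf-java(?:lite)?):(\S+)")
VERSION_TOKEN_RE = re.compile(r"\d+\.\d+(?:\.\d+)?(?:[-.][\w.-]+)?")


def parse_version(version: str) -> Version:
    """Reduce '3.19.4', '3.21.7-RC1' or '3.21' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised protobuf version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_fixed(version: str) -> bool:
    """True if this runtime version contains the fix."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    # Assumption: every main-line release after 3.21 (3.22+, 4.x) post-dates the fix and
    # includes it; an older branch with no fixed release must move to a fixed branch.
    return branch > LATEST_FIXED_BRANCH


def recommended_version(version: str) -> str:
    """Smallest upgrade that fixes the issue: stay on the current branch if it has a fixed
    release (the 3.19.x case from the article), otherwise go to 3.21.7."""
    major, minor, _ = parse_version(version)
    target = FIXED_VERSIONS.get((major, minor), FIXED_VERSIONS[LATEST_FIXED_BRANCH])
    return ".".join(str(part) for part in target)


def parse_tree(tree_text: str) -> List[Tuple[str, str]]:
    """Extract (artifact, version) pairs for the protobuf runtimes from dependency:tree output."""
    found = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        artifact, coords = m.group(1), m.group(2)
        # coords looks like "jar:3.19.4:compile" (classifier optional); pick the version token.
        version = next((t for t in coords.split(":") if VERSION_TOKEN_RE.fullmatch(t)), None)
        if version is not None:
            found.append((artifact, version))
    return found


def audit(tree_text: str) -> List[Tuple[str, str, bool, Optional[str]]]:
    """For each protobuf runtime in the tree: (artifact, version, fixed?, recommended upgrade)."""
    report = []
    for artifact, version in parse_tree(tree_text):
        fixed = is_fixed(version)
        report.append((artifact, version, fixed, None if fixed else recommended_version(version)))
    return report


# Constructed sample of `mvn dependency:tree` output: a BigQuery client pulling in an old
# protobuf-java transitively, plus a direct protobuf-javalite dependency that is already fixed.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.google.cloud:google-cloud-bigquery:jar:2.16.1:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.19.4:compile
[INFO] |  \\- com.google.protobuf:protobuf-java-util:jar:3.19.4:compile
[INFO] \\- com.google.protobuf:protobuf-javalite:jar:3.21.7:compile
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for artifact, version, fixed, upgrade in audit(text):
        status = "OK" if fixed else f"VULNERABLE -> upgrade to {upgrade}"
        print(f"{artifact} {version}: {status}")
```

On the constructed sample the script flags protobuf-java 3.19.4 (brought in by the BigQuery client) and recommends 3.19.6, while protobuf-javalite 3.21.7 passes. Run it on a verbose tree (mvn dependency:tree -Dverbose) as well if you want to see the versions that Maven omitted for conflicts, since a pinned version only helps when it is the one that wins resolution.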
Do you have another solution?
The solution provided above is based on the scenario one of our developers/contributors faced. If you faced the same issue and found a different root cause, please share your solution in the comment section below. We will add it to this article.