
Fix Protobuf-java vulnerabilities CVE-2022-3509 and CVE-2022-3510

Security Vulnerabilities –

How to fix the following security vulnerabilities in protobuf-java core.

  • CVE-2022-3509
  • CVE-2022-3510

Environment –

All applications using protobuf-java as a third-party library.

Root cause –

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Vulnerability Details –

CVE-2022-3509

NVD status: 7.5 HIGH
NVD url: CVE-2022-3509

CVE-2022-3510

NVD status: 7.5 HIGH
NVD url: CVE-2022-3510

Solution –

You need to upgrade the com.google.protobuf:protobuf-java dependency in your application to a version greater than 3.21.7.

However, if the GCP or BigQuery setup in your application does not yet support this version, use a version greater than 3.19.6 from the 3.19.x line instead.

<dependency>
  <groupId>com.google.protobuf</groupId>
  <artifactId>protobuf-java</artifactId>
  <version>3.23.4</version>
</dependency>
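Because protobuf-java is usually pulled in transitively (for example by the GCP or BigQuery client libraries), the declared version is not always the one that ends up on the classpath. The check below is an added example, not code from this article, that applies the per-release-line fix boundaries from the Root cause section to `mvn dependency:tree` output; the sample tree, the billing-service project and the BigQuery client version in it are constructed.

```python
import re

# Release lines and the version at which each received the fix, as given in
# the Root cause section (core and lite share the same boundaries).
FIXED_BY_LINE = {
    (3, 21): (3, 21, 7),
    (3, 20): (3, 20, 3),
    (3, 19): (3, 19, 6),
    (3, 16): (3, 16, 3),
}

# Matches protobuf-java / protobuf-javalite entries in `mvn dependency:tree` output.
DEP_RE = re.compile(r"com\.google\.protobuf:(protobuf-java(?:lite)?):jar:([0-9][0-9.]*)")


def parse_version(text):
    """'3.19.4' -> (3, 19, 4)."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when `version` predates the fix on its release line.

    Lines without a backport (e.g. 3.17.x, 3.18.x) are affected whenever they
    are below 3.21.7; 3.21.7 and later, including 3.22+ and 4.x, are fixed.
    """
    v = parse_version(version)
    fixed_at = FIXED_BY_LINE.get(v[:2], (3, 21, 7))
    return v < fixed_at


def scan_dependency_tree(tree_output):
    """Map each 'artifact:version' found in the tree to whether it is vulnerable."""
    findings = {}
    for line in tree_output.splitlines():
        match = DEP_RE.search(line)
        if match:
            artifact, version = match.groups()
            findings[f"{artifact}:{version}"] = is_vulnerable(version)
    return findings


# Constructed sample of `mvn dependency:tree` output: a transitive 3.19.4 pulled
# in by a hypothetical BigQuery client next to a directly declared 3.23.4.
SAMPLE_TREE = """\
[INFO] com.example:billing-service:jar:1.0.0
[INFO] +- com.google.cloud:google-cloud-bigquery:jar:2.20.0:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.19.4:compile
[INFO] \\- com.google.protobuf:protobuf-java:jar:3.23.4:compile
"""
```

Run `mvn dependency:tree -Dverbose` and feed its output to `scan_dependency_tree` to see every protobuf-java version Maven considered, not only the winner of conflict resolution.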

Do you have another solution?

The solution provided above is based on the scenario that one of our developers/contributors faced. If you faced the same issue and found a different root cause, please share your solution in the comment section below. We will add it to this article.
