var-202211-1832
Vulnerability from variot
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Google's protobuf-java and protobuf-javalite contain an unspecified vulnerability that may result in a denial of service (DoS). IBM WebSphere Application Server Liberty is a Java application server built on the Open Liberty project by International Business Machines (IBM).
There is a denial of service vulnerability in IBM WebSphere Application Server Liberty. The vulnerability is caused by a flaw in the parsing program for text format data. Attackers can use the vulnerability to launch a denial of service attack. This has been addressed.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss EAP 7.4.10 XP 4.0.0.GA security release
Advisory ID:       RHSA-2023:1855-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1855
Issue date:        2023-04-18
CVE Names:         CVE-2022-1278 CVE-2022-3509 CVE-2022-3510
=====================================================================

1. Summary:

JBoss EAP XP 4.0.0.GA security release on the EAP 7.4.10 base is now available. See references for release notes.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

This is a cumulative patch release zip for the JBoss EAP XP 4.0.0 runtime distribution for use with EAP 7.4.10.

Security Fix(es):

* protobuf-java: Textformat parsing issue leads to DoS (CVE-2022-3509)

* protobuf-java: Message-Type Extensions parsing issue leads to DoS (CVE-2022-3510)

* WildFly: possible information disclosure (CVE-2022-1278)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2073401 - CVE-2022-1278 WildFly: possible information disclosure
2184161 - CVE-2022-3509 protobuf-java: Textformat parsing issue leads to DoS
2184176 - CVE-2022-3510 protobuf-java: Message-Type Extensions parsing issue leads to DoS

5. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-24683 - EAP XP 4.0.0.GA for EAP 7.4.10

6. References:

https://access.redhat.com/security/cve/CVE-2022-1278
https://access.redhat.com/security/cve/CVE-2022-3509
https://access.redhat.com/security/cve/CVE-2022-3510
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/red_hat_jboss_eap_xp_4.0.0_release_notes/index
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/jboss_eap_xp_4.0_upgrade_and_migration_guide/index
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/using_jboss_eap_xp_4.0.0/index

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZEgrsNzjgjWX9erEAQjO7w/8CJVAm7CegEfpQTIiZZNLy0FZvR6VtmJm
yTUrhH5z5X/DquTmCvxhnmURumHAea5QBtb9Cl1vLPVtX7RAV8Ej+IlqyFr+bjtD
8HZP6eVeYuf+AGa1lVAM+mG0vkdTLRO5suijzzaPoqdORJ+emYYyUytAPkkuSIK6
ofRWIWaslyjcZyMAwPVPd63VYjwKOQztOg7tCH/66gL0TjZw/6v6stChKmz4+Kp5
2CGmozBUHTgwUUPNDIz/KzxgVilZHlk0ADQ5gjlTIa5HLmntqUytgALL9/04fflF
JNqNrRG1OMlmS105nhE/OGPWOSwy6s8hBvIvTz8jwNkAK4BToF2E1RZ98Mj415Uc
PAwl6EMNRAHzB1JHMik1XCUu9EbuSSmk/gGsrx6dkQ4czlhcZ8NwkSvNtRq7sGh7
q2FYyg2CvfRLPcDD9mgc20Rbp7oCcsA485l6+2eRfJH/yTq9leF/B1P2wer7a9p3
Z/RNu6oV7KHvnD4ZHE1Z6aB5gdEzSY708b8kV/qj1I5taK1cavZnmLyahxa9/wqg
9ZyH5wHGGHb/buQq9I630J73/nN5pySeJ+8RzyNqfGWV3Ob1MdBEL1PIyBjLNS+V
BxTnlZm10/vuumx0/qYVs/9OpXQ0iJBhjPJRSEu9/xA9gsOU0ooVTOvHY12VRDpT
wQ2MBld+FLs=
=cQr5
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Description:
This release of Red Hat Integration - Service Registry 2.4.3 GA includes the following security fixes.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202301-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: protobuf-java: Denial of Service
      Date: January 11, 2023
      Bugs: #876903
        ID: 202301-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in protobuf-java which could result in denial of service.

Background
==========

protobuf-java contains the Java bindings for Google's Protocol Buffers.

Impact
======

Crafted input can trigger a denial of service via long garbage collection pauses.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All protobuf-java users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3"

References
==========

[ 1 ] CVE-2022-3171
      https://nvd.nist.gov/vuln/detail/CVE-2022-3171
[ 2 ] CVE-2022-3509
      https://nvd.nist.gov/vuln/detail/CVE-2022-3509
[ 3 ] CVE-2022-3510
      https://nvd.nist.gov/vuln/detail/CVE-2022-3510

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  https://security.gentoo.org/glsa/202301-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202211-1832", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "protobuf-java", scope: "gte", trust: 1, vendor: "google", version: "3.19.0", }, { model: "protobuf-java", scope: "lt", trust: 1, vendor: "google", version: "3.21.7", }, { model: "protobuf-java", scope: "gte", trust: 1, vendor: "google", version: "3.20.0", }, { model: 
"protobuf-javalite", scope: "lt", trust: 1, vendor: "google", version: "3.21.7", }, { model: "protobuf-java", scope: "lt", trust: 1, vendor: "google", version: "3.16.3", }, { model: "protobuf-java", scope: "gte", trust: 1, vendor: "google", version: "3.21.0", }, { model: "protobuf-javalite", scope: "gte", trust: 1, vendor: "google", version: "3.20.0", }, { model: "protobuf-java", scope: "gte", trust: 1, vendor: "google", version: "3.16.0", }, { model: "protobuf-java", scope: "lt", trust: 1, vendor: "google", version: "3.20.3", }, { model: "protobuf-javalite", scope: "gte", trust: 1, vendor: "google", version: "3.17.0", }, { model: "protobuf-javalite", scope: "lt", trust: 1, vendor: "google", version: "3.16.3", }, { model: "protobuf-javalite", scope: "gte", trust: 1, vendor: "google", version: "3.21.0", }, { model: "protobuf-javalite", scope: "gte", trust: 1, vendor: "google", version: "3.16.0", }, { model: "protobuf-javalite", scope: "lt", trust: 1, vendor: "google", version: "3.20.3", }, { model: "protobuf-java", scope: "lt", trust: 1, vendor: "google", version: "3.19.6", }, { model: "protobuf-javalite", scope: "lt", trust: 1, vendor: "google", version: "3.19.6", }, { model: "protobuf-java", scope: null, trust: 0.8, vendor: "google", version: null, }, { model: "protobuf-javalite", scope: null, trust: 0.8, vendor: "google", version: null, }, { model: "websphere application server liberty", scope: "gte", trust: 0.6, vendor: "ibm", version: "21.0.0.2,<=22.0.0.12", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-85327", }, { db: "JVNDB", id: "JVNDB-2022-023307", }, { db: "NVD", id: "CVE-2022-3509", }, ], }, configurations: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", children: { "@container": "@list", }, cpe_match: { "@container": "@list", }, data: { "@container": "@list", }, nodes: { "@container": "@list", }, }, data: [ { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: 
"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "3.19.6", versionStartIncluding: "3.17.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "3.20.3", versionStartIncluding: "3.20.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "3.21.7", versionStartIncluding: "3.21.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "3.21.7", versionStartIncluding: "3.21.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "3.20.3", versionStartIncluding: "3.20.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "3.16.3", versionStartIncluding: "3.16.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "3.19.6", versionStartIncluding: "3.19.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "3.16.3", versionStartIncluding: "3.16.0", vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "NVD", id: "CVE-2022-3509", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat", sources: [ { db: "PACKETSTORM", id: "172014", }, { db: "PACKETSTORM", id: "173162", }, ], trust: 0.2, }, cve: "CVE-2022-3509", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": 
"https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", author: "CNVD", availabilityImpact: "PARTIAL", baseScore: 4, confidentialityImpact: "NONE", exploitabilityScore: 8, id: "CNVD-2022-85327", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 0.6, vectorString: "AV:N/AC:L/Au:S/C:N/I:N/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "NVD", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", exploitabilityScore: 3.9, impactScore: 3.6, integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 2, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "High", baseScore: 7.5, baseSeverity: "High", confidentialityImpact: "None", exploitabilityScore: null, id: "CVE-2022-3509", impactScore: null, integrityImpact: "None", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, ], severity: [ { author: "NVD", id: "CVE-2022-3509", trust: 1.8, value: "HIGH", }, { author: "cve-coordination@google.com", id: "CVE-2022-3509", trust: 1, value: "HIGH", }, { author: "CNVD", id: "CNVD-2022-85327", trust: 0.6, value: "MEDIUM", }, { author: "CNNVD", id: "CNNVD-202211-3666", trust: 0.6, value: "HIGH", }, ], }, ], sources: [ { db: "CNVD", id: "CNVD-2022-85327", }, { db: "JVNDB", id: "JVNDB-2022-023307", }, { db: 
"NVD", id: "CVE-2022-3509", }, { db: "NVD", id: "CVE-2022-3509", }, { db: "CNNVD", id: "CNNVD-202211-3666", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Google of protobuf-java and protobuf-javalite Exists in unspecified vulnerabilities.Service operation interruption (DoS) It may be in a state. IBM WebSphere Application Server Liberty is a Java application server built on the Open Liberty project by International Business Machines (IBM). \n\r\n\r\nThere is a denial of service vulnerability in IBM WebSphere Application Server Liberty. The vulnerability is caused by a flaw in the parsing program for text format data. Attackers can use the vulnerability to launch a denial of service attack. This has been addressed. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: Red Hat JBoss EAP 7.4.10 XP 4.0.0.GA security release\nAdvisory ID: RHSA-2023:1855-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:1855\nIssue date: 2023-04-18\nCVE Names: CVE-2022-1278 CVE-2022-3509 CVE-2022-3510 \n=====================================================================\n\n1. Summary:\n\nJBoss EAP XP 4.0.0.GA security release on the EAP 7.4.10 base is now\navailable. 
See references for release notes. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Description:\n\nThis is a cumulative patch release zip for the JBoss EAP XP 4.0.0 runtime\ndistribution for use with EAP 7.4.10. \n\nSecurity Fix(es):\n\n* protobuf-java: Textformat parsing issue leads to DoS (CVE-2022-3509)\n\n* protobuf-java: Message-Type Extensions parsing issue leads to DoS\n(CVE-2022-3510)\n\n* WildFly: possible information disclosure (CVE-2022-1278)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n2073401 - CVE-2022-1278 WildFly: possible information disclosure\n2184161 - CVE-2022-3509 protobuf-java: Textformat parsing issue leads to DoS\n2184176 - CVE-2022-3510 protobuf-java: Message-Type Extensions parsing issue leads to DoS\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-24683 - EAP XP 4.0.0.GA for EAP 7.4.10\n\n6. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-1278\nhttps://access.redhat.com/security/cve/CVE-2022-3509\nhttps://access.redhat.com/security/cve/CVE-2022-3510\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/red_hat_jboss_eap_xp_4.0.0_release_notes/index\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/jboss_eap_xp_4.0_upgrade_and_migration_guide/index\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/using_jboss_eap_xp_4.0.0/index\n\n7. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZEgrsNzjgjWX9erEAQjO7w/8CJVAm7CegEfpQTIiZZNLy0FZvR6VtmJm\nyTUrhH5z5X/DquTmCvxhnmURumHAea5QBtb9Cl1vLPVtX7RAV8Ej+IlqyFr+bjtD\n8HZP6eVeYuf+AGa1lVAM+mG0vkdTLRO5suijzzaPoqdORJ+emYYyUytAPkkuSIK6\nofRWIWaslyjcZyMAwPVPd63VYjwKOQztOg7tCH/66gL0TjZw/6v6stChKmz4+Kp5\n2CGmozBUHTgwUUPNDIz/KzxgVilZHlk0ADQ5gjlTIa5HLmntqUytgALL9/04fflF\nJNqNrRG1OMlmS105nhE/OGPWOSwy6s8hBvIvTz8jwNkAK4BToF2E1RZ98Mj415Uc\nPAwl6EMNRAHzB1JHMik1XCUu9EbuSSmk/gGsrx6dkQ4czlhcZ8NwkSvNtRq7sGh7\nq2FYyg2CvfRLPcDD9mgc20Rbp7oCcsA485l6+2eRfJH/yTq9leF/B1P2wer7a9p3\nZ/RNu6oV7KHvnD4ZHE1Z6aB5gdEzSY708b8kV/qj1I5taK1cavZnmLyahxa9/wqg\n9ZyH5wHGGHb/buQq9I630J73/nN5pySeJ+8RzyNqfGWV3Ob1MdBEL1PIyBjLNS+V\nBxTnlZm10/vuumx0/qYVs/9OpXQ0iJBhjPJRSEu9/xA9gsOU0ooVTOvHY12VRDpT\nwQ2MBld+FLs=\n=cQr5\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. The purpose of this text-only\nerrata is to inform you about the security issues fixed in this release. 
Description:\n\nThis release of Red Hat Integration - Service Registry 2.4.3 GA includes\nthe following security fixes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202301-09\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Low\n Title: protobuf-java: Denial of Service\n Date: January 11, 2023\n Bugs: #876903\n ID: 202301-09\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nA vulnerability has been discovered in protobuf-java which could result\nin denial of service. \n\nBackground\n==========\n\nprotobuf-java contains the Java bindings for Google's Protocol Buffers. \n\nImpact\n======\n\nCrafted input can trigger a denial of service via long garbage\ncollection pauses. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll protobuf-java users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/protobuf-java-3.20.3\"\n\nReferences\n==========\n\n[ 1 ] CVE-2022-3171\n https://nvd.nist.gov/vuln/detail/CVE-2022-3171\n[ 2 ] CVE-2022-3509\n https://nvd.nist.gov/vuln/detail/CVE-2022-3509\n[ 3 ] CVE-2022-3510\n https://nvd.nist.gov/vuln/detail/CVE-2022-3510\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202301-09\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users' machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. 
\n\nLicense\n=======\n\nCopyright 2023 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n", sources: [ { db: "NVD", id: "CVE-2022-3509", }, { db: "JVNDB", id: "JVNDB-2022-023307", }, { db: "CNVD", id: "CNVD-2022-85327", }, { db: "VULMON", id: "CVE-2022-3509", }, { db: "PACKETSTORM", id: "172014", }, { db: "PACKETSTORM", id: "173162", }, { db: "PACKETSTORM", id: "170465", }, ], trust: 2.52, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2022-3509", trust: 4.2, }, { db: "AUSCERT", id: "ESB-2022.6205", trust: 1.2, }, { db: "JVNDB", id: "JVNDB-2022-023307", trust: 0.8, }, { db: "PACKETSTORM", id: "170465", trust: 0.7, }, { db: "CNVD", id: "CNVD-2022-85327", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2023.3325", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2023.3663", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2023.2306", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2023.1432", trust: 0.6, }, { db: "CNNVD", id: "CNNVD-202211-3666", trust: 0.6, }, { db: "VULMON", id: "CVE-2022-3509", trust: 0.1, }, { db: "PACKETSTORM", id: "172014", trust: 0.1, }, { db: "PACKETSTORM", id: "173162", trust: 0.1, }, ], sources: [ { db: "CNVD", id: "CNVD-2022-85327", }, { db: "VULMON", id: "CVE-2022-3509", }, { db: "JVNDB", id: "JVNDB-2022-023307", }, { db: "PACKETSTORM", id: "172014", }, { db: "PACKETSTORM", id: "173162", }, { db: "PACKETSTORM", id: "170465", }, { db: "NVD", id: "CVE-2022-3509", }, { db: "CNNVD", id: "CNNVD-202211-3666", }, ], }, id: "VAR-202211-1832", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "CNVD", id: "CNVD-2022-85327", }, ], trust: 1.41666666, }, iot_taxonomy: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { category: [ "Network device", ], sub_category: null, trust: 0.6, }, ], sources: [ { db: "CNVD", id: "CNVD-2022-85327", }, ], }, last_update_date: "2023-12-18T11:03:47.536000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "Patch for IBM WebSphere Application Server Liberty Denial of Service Vulnerability", trust: 0.6, url: "https://www.cnvd.org.cn/patchinfo/show/364641", }, { title: "IBM WebSphere Application Server Liberty Security vulnerabilities", trust: 0.6, url: "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=217662", }, { title: "IBM: Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171, CVE-2022-3509)", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=5d2ff4dcac681638b2b80362ab8e2e6f", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-85327", }, { db: "VULMON", id: "CVE-2022-3509", }, { db: "CNNVD", id: "CNNVD-202211-3666", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "NVD-CWE-noinfo", trust: 1, }, { problemtype: "Lack of information (CWE-noinfo) [NVD evaluation ]", trust: 0.8, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2022-023307", }, { db: "NVD", id: "CVE-2022-3509", }, ], }, references: { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 2.4, url: "https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9", }, { trust: 1.2, url: "https://www.auscert.org.au/bulletins/esb-2022.6205", }, { trust: 1.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-3509", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/170465/gentoo-linux-security-advisory-202301-09.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2023.2306", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2023.1432", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2023.3325", }, { trust: 0.6, url: "https://cxsecurity.com/cveshow/cve-2022-3509/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2023.3663", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-3510", }, { trust: 0.2, url: "https://bugzilla.redhat.com/):", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-3510", }, { trust: 0.2, url: "https://access.redhat.com/articles/11258", }, { trust: 0.2, url: "https://listman.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.2, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-3509", }, { trust: 0.1, url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-a-denial-of-service-due-to-google-protobuf-java-cve-2022-3171-cve-2022-3509/", }, { trust: 0.1, url: "https://access.redhat.com/security/updates/classification/#moderate", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/red_hat_jboss_eap_xp_4.0.0_release_notes/index", }, { trust: 0.1, url: 
"https://access.redhat.com/security/cve/cve-2022-1278", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/jboss_eap_xp_4.0_upgrade_and_migration_guide/index", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/using_jboss_eap_xp_4.0.0/index", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1278", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2023:1855", }, { trust: 0.1, url: "https://issues.jboss.org/):", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-4742", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-25881", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-25881", }, { trust: 0.1, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-45787", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-46877", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-28867", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-28867", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-3782", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2023:3815", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-40152", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-3782", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-45787", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-46877", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-40152", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-4742", }, { trust: 0.1, url: "https://creativecommons.org/licenses/by-sa/2.5", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-3171", }, { trust: 0.1, url: 
"https://security.gentoo.org/", }, { trust: 0.1, url: "https://security.gentoo.org/glsa/202301-09", }, { trust: 0.1, url: "https://bugs.gentoo.org.", }, ], sources: [ { db: "CNVD", id: "CNVD-2022-85327", }, { db: "VULMON", id: "CVE-2022-3509", }, { db: "JVNDB", id: "JVNDB-2022-023307", }, { db: "PACKETSTORM", id: "172014", }, { db: "PACKETSTORM", id: "173162", }, { db: "PACKETSTORM", id: "170465", }, { db: "NVD", id: "CVE-2022-3509", }, { db: "CNNVD", id: "CNNVD-202211-3666", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "CNVD", id: "CNVD-2022-85327", }, { db: "VULMON", id: "CVE-2022-3509", }, { db: "JVNDB", id: "JVNDB-2022-023307", }, { db: "PACKETSTORM", id: "172014", }, { db: "PACKETSTORM", id: "173162", }, { db: "PACKETSTORM", id: "170465", }, { db: "NVD", id: "CVE-2022-3509", }, { db: "CNNVD", id: "CNNVD-202211-3666", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2022-12-06T00:00:00", db: "CNVD", id: "CNVD-2022-85327", }, { date: "2023-11-28T00:00:00", db: "JVNDB", id: "JVNDB-2022-023307", }, { date: "2023-04-26T14:56:37", db: "PACKETSTORM", id: "172014", }, { date: "2023-06-28T03:10:54", db: "PACKETSTORM", id: "173162", }, { date: "2023-01-11T16:02:57", db: "PACKETSTORM", id: "170465", }, { date: "2022-12-12T13:15:14.607000", db: "NVD", id: "CVE-2022-3509", }, { date: "2022-11-29T00:00:00", db: "CNNVD", id: "CNNVD-202211-3666", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2022-12-06T00:00:00", db: "CNVD", id: "CNVD-2022-85327", }, { date: "2023-11-28T03:25:00", db: "JVNDB", id: "JVNDB-2022-023307", }, { date: "2022-12-15T16:57:53.723000", db: "NVD", id: "CVE-2022-3509", }, { date: "2023-06-28T00:00:00", db: "CNNVD", id: 
"CNNVD-202211-3666", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202211-3666", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Google of protobuf-java and protobuf-javalite Vulnerability in", sources: [ { db: "JVNDB", id: "JVNDB-2022-023307", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "other", sources: [ { db: "CNNVD", id: "CNNVD-202211-3666", }, ], trust: 0.6, }, }