ID

VAR-202211-1832


CVE

CVE-2022-3509


TITLE

Vulnerability in Google protobuf-java and protobuf-javalite

Trust: 0.8

sources: JVNDB: JVNDB-2022-023307

DESCRIPTION

A parsing issue similar to CVE-2022-3171, but in the text format (TextFormat) parser of protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Google protobuf-java and protobuf-javalite contain an unspecified vulnerability that may result in a denial of service (DoS).

IBM WebSphere Application Server Liberty is a Java application server built on the Open Liberty project by International Business Machines (IBM). IBM WebSphere Application Server Liberty has a denial of service vulnerability caused by a flaw in the text format parser of Google protobuf-java. An attacker can exploit it to launch a denial of service attack. This has been addressed.

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss EAP 7.4.10 XP 4.0.0.GA security release
Advisory ID: RHSA-2023:1855-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1855
Issue date: 2023-04-18
CVE Names: CVE-2022-1278 CVE-2022-3509 CVE-2022-3510
=====================================================================

1. Summary:

JBoss EAP XP 4.0.0.GA security release on the EAP 7.4.10 base is now available. See references for release notes.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

This is a cumulative patch release zip for the JBoss EAP XP 4.0.0 runtime distribution for use with EAP 7.4.10.

Security Fix(es):

* protobuf-java: Textformat parsing issue leads to DoS (CVE-2022-3509)
* protobuf-java: Message-Type Extensions parsing issue leads to DoS (CVE-2022-3510)
* WildFly: possible information disclosure (CVE-2022-1278)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2073401 - CVE-2022-1278 WildFly: possible information disclosure
2184161 - CVE-2022-3509 protobuf-java: Textformat parsing issue leads to DoS
2184176 - CVE-2022-3510 protobuf-java: Message-Type Extensions parsing issue leads to DoS

5. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-24683 - EAP XP 4.0.0.GA for EAP 7.4.10

6. References:

https://access.redhat.com/security/cve/CVE-2022-1278
https://access.redhat.com/security/cve/CVE-2022-3509
https://access.redhat.com/security/cve/CVE-2022-3510
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/red_hat_jboss_eap_xp_4.0.0_release_notes/index
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/jboss_eap_xp_4.0_upgrade_and_migration_guide/index
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/using_jboss_eap_xp_4.0.0/index

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

The purpose of this text-only errata is to inform you about the security issues fixed in this release. Description: This release of Red Hat Integration - Service Registry 2.4.3 GA includes the following security fixes.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202301-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: protobuf-java: Denial of Service
Date: January 11, 2023
Bugs: #876903
ID: 202301-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in protobuf-java which could result in denial of service.

Background
==========

protobuf-java contains the Java bindings for Google's Protocol Buffers.

Impact
======

Crafted input can trigger a denial of service via long garbage collection pauses.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All protobuf-java users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3"

References
==========

[ 1 ] CVE-2022-3171
      https://nvd.nist.gov/vuln/detail/CVE-2022-3171
[ 2 ] CVE-2022-3509
      https://nvd.nist.gov/vuln/detail/CVE-2022-3509
[ 3 ] CVE-2022-3510
      https://nvd.nist.gov/vuln/detail/CVE-2022-3510

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202301-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.52

sources: NVD: CVE-2022-3509 // JVNDB: JVNDB-2022-023307 // CNVD: CNVD-2022-85327 // VULMON: CVE-2022-3509 // PACKETSTORM: 172014 // PACKETSTORM: 173162 // PACKETSTORM: 170465

IOT TAXONOMY

category: ['Network device']  sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-85327

AFFECTED PRODUCTS

vendor: google  model: protobuf-java  scope: gte  version: 3.16.0

Trust: 1.0

vendor: google  model: protobuf-java  scope: gte  version: 3.19.0

Trust: 1.0

vendor: google  model: protobuf-javalite  scope: lt  version: 3.16.3

Trust: 1.0

vendor: google  model: protobuf-javalite  scope: gte  version: 3.21.0

Trust: 1.0

vendor: google  model: protobuf-javalite  scope: lt  version: 3.21.7

Trust: 1.0

vendor: google  model: protobuf-javalite  scope: lt  version: 3.20.3

Trust: 1.0

vendor: google  model: protobuf-java  scope: lt  version: 3.16.3

Trust: 1.0

vendor: google  model: protobuf-java  scope: lt  version: 3.21.7

Trust: 1.0

vendor: google  model: protobuf-java  scope: lt  version: 3.20.3

Trust: 1.0

vendor: google  model: protobuf-javalite  scope: gte  version: 3.16.0

Trust: 1.0

vendor: google  model: protobuf-javalite  scope: lt  version: 3.19.6

Trust: 1.0

vendor: google  model: protobuf-javalite  scope: gte  version: 3.17.0

Trust: 1.0

vendor: google  model: protobuf-javalite  scope: gte  version: 3.20.0

Trust: 1.0

vendor: google  model: protobuf-java  scope: gte  version: 3.21.0

Trust: 1.0

vendor: google  model: protobuf-java  scope: gte  version: 3.20.0

Trust: 1.0

vendor: google  model: protobuf-java  scope: lt  version: 3.19.6

Trust: 1.0

vendor: google  model: protobuf-java  scope: -  version: -

Trust: 0.8

vendor: google  model: protobuf-javalite  scope: -  version: -

Trust: 0.8

vendor: ibm  model: websphere application server liberty  scope: gte  version: 21.0.0.2, <=22.0.0.12

Trust: 0.6

sources: CNVD: CNVD-2022-85327 // JVNDB: JVNDB-2022-023307 // NVD: CVE-2022-3509
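As an added practical check (not code from the page, from the protobuf project, or from any vendor quoted above): the Python script below turns the fixed releases named in the description (3.21.7, 3.20.3, 3.19.6 and 3.16.3) into a version test and runs it over constructed `mvn dependency:list` output to flag vulnerable protobuf-java / protobuf-javalite coordinates. Assumptions made here: a version is compared against the first fixed release whose branch is at or above its own, so 3.17.x and 3.18.x are checked against 3.19.6 and anything at or below 3.16.x against 3.16.3 (a conservative reading of "prior to"; the NVD ranges listed above start at 3.16.0, and at 3.19.0 for the second protobuf-java range); branches newer than 3.21 are treated as unaffected; a pre-release suffix ranks below the final release; and the sample Maven output is constructed, not captured from a real build.

```python
"""Check protobuf-java / protobuf-javalite dependency versions against the
CVE-2022-3509 fixed releases (3.21.7, 3.20.3, 3.19.6 and 3.16.3)."""
import re

# (branch, first fixed release on that branch), ascending. Assumption: a version
# is compared against the first fixed release whose branch is >= its own, so
# 3.17.x / 3.18.x are checked against 3.19.6 and anything at or below 3.16.x
# against 3.16.3; branches newer than 3.21 are treated as unaffected.
FIXED_RELEASES = (
    ((3, 16), (3, 16, 3)),
    ((3, 19), (3, 19, 6)),
    ((3, 20), (3, 20, 3)),
    ((3, 21), (3, 21, 7)),
)
AFFECTED_ARTIFACTS = {"protobuf-java", "protobuf-javalite"}

# Maven coordinates as printed by `mvn dependency:list` / `dependency:tree`:
# groupId:artifactId:type:version:scope. protobuf-java-util does not match,
# because the advisory names only the core and lite artifacts.
_MAVEN_COORD = re.compile(
    r"com\.google\.protobuf:(protobuf-java(?:lite)?):jar:([0-9][^:\s]*):"
)


def parse_version(text):
    """Parse '3.21.7' or '3.21.7-rc-1' into a comparable tuple.

    The fourth element ranks a pre-release (0) below the final release (1),
    so 3.21.7-rc-1 still counts as older than the 3.21.7 fix.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def fixed_release_for(version):
    """Return the fixed release a parsed version must be compared against,
    or None when it sits on a branch newer than every fixed release."""
    branch = version[:2]
    for fixed_branch, fixed in FIXED_RELEASES:
        if branch <= fixed_branch:
            return fixed
    return None


def is_affected(artifact, version_text):
    """True if artifact:version is protobuf-java or protobuf-javalite and
    older than the fixed release on its branch."""
    if artifact not in AFFECTED_ARTIFACTS:
        return False
    version = parse_version(version_text)
    fixed = fixed_release_for(version)
    # fixed + (1,) is the final fixed release; any pre-release of it ranks below.
    return fixed is not None and version < fixed + (1,)


def scan_maven_dependency_list(output):
    """Return (artifact, version, fixed_release) for every vulnerable
    protobuf-java / protobuf-javalite coordinate in Maven plugin output."""
    findings = []
    for line in output.splitlines():
        m = _MAVEN_COORD.search(line)
        if not m:
            continue
        artifact, version = m.groups()
        if is_affected(artifact, version):
            fixed = fixed_release_for(parse_version(version))
            findings.append((artifact, version, ".".join(map(str, fixed))))
    return findings


# Constructed sample output (not captured from a real build) for the demo run.
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.3.0:list (default-cli) @ demo-service ---
[INFO]    com.google.protobuf:protobuf-java:jar:3.19.4:compile
[INFO]    com.google.protobuf:protobuf-javalite:jar:3.21.7:runtime
[INFO]    com.google.protobuf:protobuf-java-util:jar:3.19.4:compile
[INFO]    com.google.guava:guava:jar:31.1-jre:compile
"""

if __name__ == "__main__":
    for artifact, version, fixed in scan_maven_dependency_list(SAMPLE_MVN_OUTPUT):
        print(f"{artifact} {version}: affected by CVE-2022-3509, upgrade to {fixed}")
```

For a real project, pass the output of `mvn dependency:list` (or `mvn dependency:tree`, which prints the same `group:artifact:type:version:scope` coordinates) to scan_maven_dependency_list instead of the constructed sample. The check is deliberately on the resolved dependency list rather than on pom.xml, since a vulnerable protobuf-java is usually pulled in transitively by a gRPC or client library rather than declared directly.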

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-3509
value: HIGH

Trust: 1.0

cve-coordination@google.com: CVE-2022-3509
value: HIGH

Trust: 1.0

NVD: CVE-2022-3509
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-85327
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202211-3666
value: HIGH

Trust: 0.6

CNVD: CNVD-2022-85327
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-3509
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: CVE-2022-3509
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-85327 // JVNDB: JVNDB-2022-023307 // CNNVD: CNNVD-202211-3666 // NVD: CVE-2022-3509 // NVD: CVE-2022-3509

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-023307 // NVD: CVE-2022-3509

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-3666

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202211-3666

PATCH

title: Patch for IBM WebSphere Application Server Liberty Denial of Service Vulnerability  url: https://www.cnvd.org.cn/patchInfo/show/364641

Trust: 0.6

title: IBM WebSphere Application Server Liberty Security vulnerabilities  url: http://123.124.177.30/web/xxk/bdxqById.tag?id=217662

Trust: 0.6

title: IBM: Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171, CVE-2022-3509)  url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=5d2ff4dcac681638b2b80362ab8e2e6f

Trust: 0.1

sources: CNVD: CNVD-2022-85327 // VULMON: CVE-2022-3509 // CNNVD: CNNVD-202211-3666

EXTERNAL IDS

db: NVD  id: CVE-2022-3509

Trust: 4.2

db: AUSCERT  id: ESB-2022.6205

Trust: 1.2

db: JVNDB  id: JVNDB-2022-023307

Trust: 0.8

db: PACKETSTORM  id: 170465

Trust: 0.7

db: CNVD  id: CNVD-2022-85327

Trust: 0.6

db: AUSCERT  id: ESB-2023.3325

Trust: 0.6

db: AUSCERT  id: ESB-2023.3663

Trust: 0.6

db: AUSCERT  id: ESB-2023.2306

Trust: 0.6

db: AUSCERT  id: ESB-2023.1432

Trust: 0.6

db: CNNVD  id: CNNVD-202211-3666

Trust: 0.6

db: VULMON  id: CVE-2022-3509

Trust: 0.1

db: PACKETSTORM  id: 172014

Trust: 0.1

db: PACKETSTORM  id: 173162

Trust: 0.1

sources: CNVD: CNVD-2022-85327 // VULMON: CVE-2022-3509 // JVNDB: JVNDB-2022-023307 // PACKETSTORM: 172014 // PACKETSTORM: 173162 // PACKETSTORM: 170465 // CNNVD: CNNVD-202211-3666 // NVD: CVE-2022-3509

REFERENCES

url:https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9

Trust: 2.4

url:https://www.auscert.org.au/bulletins/esb-2022.6205

Trust: 1.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-3509

Trust: 1.1

url:https://packetstormsecurity.com/files/170465/gentoo-linux-security-advisory-202301-09.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.2306

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.1432

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3325

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-3509/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3663

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-3510

Trust: 0.3

url:https://bugzilla.redhat.com/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-3510

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-3509

Trust: 0.2

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-a-denial-of-service-due-to-google-protobuf-java-cve-2022-3171-cve-2022-3509/

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/red_hat_jboss_eap_xp_4.0.0_release_notes/index

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1278

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/jboss_eap_xp_4.0_upgrade_and_migration_guide/index

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/using_jboss_eap_xp_4.0.0/index

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1278

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:1855

Trust: 0.1

url:https://issues.jboss.org/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-4742

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25881

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-25881

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-45787

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-46877

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-28867

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-28867

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-3782

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:3815

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-40152

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-3782

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-45787

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-46877

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-40152

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-4742

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-3171

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://security.gentoo.org/glsa/202301-09

Trust: 0.1

url:https://bugs.gentoo.org

Trust: 0.1

sources: CNVD: CNVD-2022-85327 // VULMON: CVE-2022-3509 // JVNDB: JVNDB-2022-023307 // PACKETSTORM: 172014 // PACKETSTORM: 173162 // PACKETSTORM: 170465 // CNNVD: CNNVD-202211-3666 // NVD: CVE-2022-3509

CREDITS

Red Hat

Trust: 0.2

sources: PACKETSTORM: 172014 // PACKETSTORM: 173162

SOURCES

db: CNVD  id: CNVD-2022-85327
db: VULMON  id: CVE-2022-3509
db: JVNDB  id: JVNDB-2022-023307
db: PACKETSTORM  id: 172014
db: PACKETSTORM  id: 173162
db: PACKETSTORM  id: 170465
db: CNNVD  id: CNNVD-202211-3666
db: NVD  id: CVE-2022-3509

LAST UPDATE DATE

2024-08-14T12:54:20.269000+00:00


SOURCES UPDATE DATE

db: CNVD  id: CNVD-2022-85327  date: 2022-12-06T00:00:00
db: JVNDB  id: JVNDB-2022-023307  date: 2023-11-28T03:25:00
db: CNNVD  id: CNNVD-202211-3666  date: 2023-06-28T00:00:00
db: NVD  id: CVE-2022-3509  date: 2022-12-15T16:57:53.723

SOURCES RELEASE DATE

db: CNVD  id: CNVD-2022-85327  date: 2022-12-06T00:00:00
db: JVNDB  id: JVNDB-2022-023307  date: 2023-11-28T00:00:00
db: PACKETSTORM  id: 172014  date: 2023-04-26T14:56:37
db: PACKETSTORM  id: 173162  date: 2023-06-28T03:10:54
db: PACKETSTORM  id: 170465  date: 2023-01-11T16:02:57
db: CNNVD  id: CNNVD-202211-3666  date: 2022-11-29T00:00:00
db: NVD  id: CVE-2022-3509  date: 2022-12-12T13:15:14.607