CVE-2022-1941: Out of Memory issue in ProtocolBuffers for cpp and python
Summary
A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.
Reporter: ClusterFuzz
Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.
Severity & Impact
As scored by Google: Medium 5.7 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
As scored by NIST: High 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A small (~500 KB) malicious payload can be constructed that causes the receiving service to allocate more than 3 GB of RAM.
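Because the blow-up happens inside the parser rather than in the input size, an input length check alone does not contain it. One defensive pattern is to parse untrusted messages in a child process whose address space is capped, so a pathological message fails in isolation instead of taking the service down. The following is an added example written for this advisory, not code from the protobuf project; the two parse functions are constructed stand-ins for a real `message.ParseFromString(data)` call, and the 512 MiB cap is an assumed value that a deployment would tune to its largest legitimate message. It relies on `os.fork` and `RLIMIT_AS`, so it is Unix-only.

```python
"""Run an untrusted parse inside a memory-capped child process.

Added example for CVE-2022-1941 (not protobuf project code). A real service
would pass something like `lambda d: MyMessage().ParseFromString(d)` as the
parse callable; the stand-ins below are constructed for the demonstration.
"""
import os
import resource


def parse_in_capped_process(parse, data, max_bytes=512 * 1024 * 1024):
    """Call parse(data) in a forked child limited to max_bytes of address space.

    Returns True if the child parsed the data and exited cleanly, False if it
    ran out of memory, raised, or was killed. The parsed object stays in the
    child; use this as a pre-check before parsing in-process, or have the child
    send back a validated, re-serialised result over a pipe.
    """
    pid = os.fork()
    if pid == 0:
        # Child: lower the soft address-space limit, never above the hard limit.
        _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
        limit = max_bytes if hard == resource.RLIM_INFINITY else min(max_bytes, hard)
        resource.setrlimit(resource.RLIMIT_AS, (limit, hard))
        try:
            parse(data)
        except MemoryError:
            os._exit(3)   # allocation refused by the cap: treat as hostile input
        except Exception:
            os._exit(4)   # malformed input or any other parse failure
        os._exit(0)
    # Parent: a clean exit code 0 is the only success signal; a SIGKILL from the
    # kernel OOM killer shows up as a non-exited status and also maps to False.
    _pid, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def pathological_parse(_data):
    """Constructed stand-in for a parse that balloons in memory (4 GiB at once)."""
    bytearray(4 * 1024 ** 3)


def benign_parse(data):
    """Constructed stand-in for a well-behaved parse of a small message."""
    if not data:
        raise ValueError("empty message")


if __name__ == "__main__":
    # Constructed sample input: a minimal varint field, not a real schema.
    sample = b"\x08\x01"
    print("benign:", parse_in_capped_process(benign_parse, sample))
    print("pathological:", parse_in_capped_process(pathological_parse, sample))
```

The cap is applied only in the child, so the parent process keeps its normal limits; if the child is killed or exits non-zero the caller simply rejects the message. When the parsed object is needed, the cheapest safe path is to have the child re-serialise it after successful validation and hand the bytes back over a pipe.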
Proof of Concept
For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.
Mitigation / Patching
Please update to the latest available versions of the following packages:
- protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)
- protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)
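To check whether a deployed package still falls in the affected ranges, here is an added example (not code from the protobuf project) that encodes the fixed releases listed above as a per-branch lookup. The branch rules are taken from the advisory where it is explicit (3.16 and 3.17 are no longer updated, so every release on them counts as affected) and are assumptions where it is silent: a release older than the oldest fixed branch is treated as affected, and a branch newer than the listed ones is treated as cut after the fix.

```python
"""Classify a protobuf version string against the CVE-2022-1941 fixed releases.

Added example for this advisory, not protobuf project code. Fixed versions are
the ones listed under Mitigation / Patching.
"""
import re

# First fixed release on each maintained branch, per package (from the advisory).
FIXED_CPP = {"3.18": (3, 18, 3), "3.19": (3, 19, 5), "3.20": (3, 20, 2), "3.21": (3, 21, 6)}
FIXED_PYTHON = {"3.18": (3, 18, 3), "3.19": (3, 19, 5), "3.20": (3, 20, 2), "4.21": (4, 21, 6)}

# Branches the advisory says are no longer updated: every release on them is affected.
UNMAINTAINED = {"3.16", "3.17"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string; suffixes like rc1 are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised protobuf version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version, package="python"):
    """True if `version` of protobuf-python (default) or protobuf-cpp is affected."""
    if package == "python":
        fixed = FIXED_PYTHON
    elif package == "cpp":
        fixed = FIXED_CPP
    else:
        raise ValueError(f"unknown package: {package!r}")
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch in fixed:
        return v < fixed[branch]          # same branch: compare against the fixed release
    if branch in UNMAINTAINED:
        return True                       # no fix was ever published for this branch
    # Assumption: anything older than the oldest fixed branch predates every fix,
    # and any branch newer than those listed was cut after the fix landed.
    return v < min(fixed.values())


def installed_python_version():
    """Version string of the locally installed protobuf-python, or None if absent."""
    try:
        import google.protobuf  # real package; attribute __version__ exists
    except ImportError:
        return None
    return google.protobuf.__version__


if __name__ == "__main__":
    local = installed_python_version()
    if local is None:
        print("protobuf-python is not installed here")
    else:
        print(f"protobuf-python {local}: vulnerable={is_vulnerable(local)}")
```

Run it on a host to get a quick verdict for the Python package; for protobuf-cpp, feed the version reported by your package manager with `package="cpp"`.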
Other sources
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
— MITRE
Out of Memory issue in ProtocolBuffers for cpp and python
— Microsoft
Frequently Asked Questions
What is the severity of CVE-2022-1941?
CVE-2022-1941 is rated as moderate severity due to its potential to cause denial of service (DoS) by triggering out of memory conditions.
How do I fix CVE-2022-1941?
To mitigate CVE-2022-1941, upgrade Protocol Buffers to version 3.20.2 or 4.21.6 and ensure your environment does not use the affected versions.
Which versions are affected by CVE-2022-1941?
CVE-2022-1941 affects Protocol Buffers versions from 3.0.0 up to 3.18.3, as well as specific version ranges on later release branches up to 4.21.6.
What type of vulnerability is CVE-2022-1941?
CVE-2022-1941 is a message parsing and memory management vulnerability impacting both C++ and Python implementations of Protocol Buffers.
What services are at risk from CVE-2022-1941?
Services utilizing the vulnerable installations of Protocol Buffers in C++ or Python are at risk of experiencing denial of service due to this vulnerability.