CVE-2022-3509 (High) detected in multiple libraries - autoclosed

[mend-for-jackfan.us.kg]

CVE-2022-3509 - High Severity Vulnerability

Vulnerable Libraries - protobuf-java-3.7.0.jar, protobuf-java-3.14.0.jar, protobuf-java-3.3.1.jar, protobuf-java-3.17.2.jar, protobuf-java-3.13.0.jar, protobuf-java-3.11.4.jar

protobuf-java-3.7.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /dd-java-agent/instrumentation/akka-http-10.0/akka-http-10.0.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar

Dependency Hierarchy:

• zinc_2.12-1.3.5.jar (Root Library)
  • ❌ protobuf-java-3.7.0.jar (Vulnerable Library)

protobuf-java-3.14.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /utils/histograms/histograms.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.14.0/bb6430f70647fc349fffd1690ddb889dc3ea6699/protobuf-java-3.14.0.jar

Dependency Hierarchy:

• ❌ protobuf-java-3.14.0.jar (Vulnerable Library)

protobuf-java-3.3.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.3.1/e8964a2667e55d11a4505b329a4c34247663920b/protobuf-java-3.3.1.jar

Dependency Hierarchy:

• grpc-protobuf-1.5.0.jar (Root Library)
  • ❌ protobuf-java-3.3.1.jar (Vulnerable Library)

protobuf-java-3.17.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.17.2/d7eec2ad499b605f24d07f49bdcb41c801aafbfc/protobuf-java-3.17.2.jar

Dependency Hierarchy:

• grpc-protobuf-1.41.0.jar (Root Library)
  • ❌ protobuf-java-3.17.2.jar (Vulnerable Library)

protobuf-java-3.13.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /dd-smoke-tests/springboot-grpc/springboot-grpc.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.13.0/c913f2b6021ca9606efba56d1a0d03e91e725e4c/protobuf-java-3.13.0.jar

Dependency Hierarchy:

• grpc-protobuf-1.31.1.jar (Root Library)
  • ❌ protobuf-java-3.13.0.jar (Vulnerable Library)

protobuf-java-3.11.4.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /dd-java-agent/instrumentation/jdbc/jdbc.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.11.4/7ec0925cc3aef0335bbc7d57edfd42b0f86f8267/protobuf-java-3.11.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.11.4/7ec0925cc3aef0335bbc7d57edfd42b0f86f8267/protobuf-java-3.11.4.jar

Dependency Hierarchy:

• mysql-connector-java-8.0.23.jar (Root Library)
  • ❌ protobuf-java-3.11.4.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.scala-sbt:zinc_2.12): 1.4.0

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (io.grpc:grpc-protobuf): 1.48.0

Fix Resolution (com.google.protobuf:protobuf-java): 3.19.6

Direct dependency fix Resolution (io.grpc:grpc-protobuf): 1.41.3

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (io.grpc:grpc-protobuf): 1.31.2

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (mysql:mysql-connector-java): 8.0.29

---

⛑️ Automatic Remediation is available for this issue