csaf2cusa/cvrfs/2022/cvrf-openEuler-SA-2022-2011.xml

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
	<DocumentTitle xml:lang="en">An update for protobuf is now available for openEuler-20.03-LTS-SP3</DocumentTitle>
	<DocumentType>Security Advisory</DocumentType>
	<DocumentPublisher Type="Vendor">
		<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
		<IssuingAuthority>openEuler security committee</IssuingAuthority>
	</DocumentPublisher>
	<DocumentTracking>
		<Identification>
			<ID>openEuler-SA-2022-2011</ID>
		</Identification>
		<Status>Final</Status>
		<Version>1.0</Version>
		<RevisionHistory>
			<Revision>
				<Number>1.0</Number>
				<Date>2022-10-21</Date>
				<Description>Initial</Description>
			</Revision>
		</RevisionHistory>
		<InitialReleaseDate>2022-10-21</InitialReleaseDate>
		<CurrentReleaseDate>2022-10-21</CurrentReleaseDate>
		<Generator>
			<Engine>openEuler SA Tool V1.0</Engine>
			<Date>2022-10-21</Date>
		</Generator>
	</DocumentTracking>
	<DocumentNotes>
		<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">protobuf security update</Note>
		<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for protobuf is now available for openEuler-20.03-LTS-SP3.</Note>
		<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">

Security Fix(es):

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.(CVE-2022-1941)

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.(CVE-2022-3171)</Note>
		<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for protobuf is now available for openEuler-20.03-LTS-SP3.

openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
		<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
		<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">protobuf</Note>
	</DocumentNotes>
	<DocumentReferences>
		<Reference Type="Self">
			<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2011</URL>
		</Reference>
		<Reference Type="openEuler CVE">
			<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1941</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-3171</URL>
		</Reference>
		<Reference Type="Other">
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-1941</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-3171</URL>
		</Reference>
	</DocumentReferences>
	<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
		<Branch Type="Product Name" Name="openEuler">
			<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="aarch64">
			<FullProductName ProductID="protobuf-compiler-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-compiler-3.14.0-5.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-debuginfo-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-debuginfo-3.14.0-5.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-devel-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-devel-3.14.0-5.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-debugsource-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-debugsource-3.14.0-5.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-3.14.0-5.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-lite-devel-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-lite-devel-3.14.0-5.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-lite-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-lite-3.14.0-5.oe1.aarch64.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="noarch">
			<FullProductName ProductID="protobuf-parent-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-parent-3.14.0-5.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="python3-protobuf-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">python3-protobuf-3.14.0-5.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="protobuf-bom-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-bom-3.14.0-5.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="protobuf-javadoc-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-javadoc-3.14.0-5.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="protobuf-java-util-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-java-util-3.14.0-5.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="protobuf-java-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-java-3.14.0-5.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="protobuf-javalite-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-javalite-3.14.0-5.oe1.noarch.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="src">
			<FullProductName ProductID="protobuf-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-3.14.0-5.oe1.src.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="x86_64">
			<FullProductName ProductID="protobuf-devel-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-devel-3.14.0-5.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-lite-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-lite-3.14.0-5.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-debuginfo-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-debuginfo-3.14.0-5.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-lite-devel-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-lite-devel-3.14.0-5.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-debugsource-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-debugsource-3.14.0-5.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-compiler-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-compiler-3.14.0-5.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="protobuf-3.14.0-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">protobuf-3.14.0-5.oe1.x86_64.rpm</FullProductName>
		</Branch>
	</ProductTree>
	<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.</Note>
		</Notes>
		<ReleaseDate>2022-10-21</ReleaseDate>
		<CVE>CVE-2022-1941</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-20.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.5</BaseScore>
				<Vector>AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>protobuf security update</Description>
				<DATE>2022-10-21</DATE>
				<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2011</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.</Note>
		</Notes>
		<ReleaseDate>2022-10-21</ReleaseDate>
		<CVE>CVE-2022-3171</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-20.03-LTS-SP3</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.5</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>protobuf security update</Description>
				<DATE>2022-10-21</DATE>
				<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2011</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
</cvrfdoc>