CVE-2021-22569: 
Java vulnerability analysis and mitigation

A potential Denial of Service (DoS) vulnerability (CVE-2021-22569) was discovered in protobuf-java affecting all versions prior to 3.16.1, 3.18.2, and 3.19.2. The vulnerability was discovered through OSS-Fuzz and affects Java Protobufs (including Kotlin and JRuby), while Protobuf 'javalite' users (typically Android) are not affected (OSS-Security).

The vulnerability stems from an implementation weakness in how unknown fields are parsed in Java. The issue allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. The vulnerability has been assigned a CVSS Score of 7.5 (High) (OSS-Security).

When exploited, a small malicious payload (~800 KB) can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage collection (GC) pauses, leading to a denial of service condition (OSS-Security).

The recommended mitigation is to update to the latest available versions of the affected packages: protobuf-java (3.16.1, 3.18.2, 3.19.2), protobuf-kotlin (3.18.2, 3.19.2), or google-protobuf [JRuby gem] (3.19.2). These versions contain the necessary fixes to address the vulnerability (OSS-Security).