
Cloud Vulnerability DB
A community-led vulnerabilities database
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 was discovered in October 2022. The vulnerability, identified as CVE-2022-3171, affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime (GitHub Advisory).
The vulnerability lies in the parsing procedure for binary and text format data. When an input stream contains multiple instances of a non-repeated embedded message that carries repeated or unknown fields, the parser converts objects repeatedly between their mutable and immutable forms, and this churn is what drives the resource cost. The CVSS v3.1 base score is 7.5 (HIGH) according to NVD, with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while Google Inc. assessed it as 4.3 (MEDIUM) with vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).
The vulnerability can result in denial of service through potentially long garbage collection pauses. This affects the availability of systems using the vulnerable versions of protobuf-java and can cause service disruptions (GitHub Advisory, Gentoo Security).
Users are recommended to update to the fixed versions: protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3), protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3), protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3), protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3), and google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6). The fix affects both the Java runtime (full and lite) and the generated code, requiring regeneration of any checked-in generated code using the new version (GitHub Advisory).
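As an added example (not code from the advisory or the protobuf project), the following Python check maps a protobuf Java-runtime artifact and version onto the fix versions listed above and flags affected entries in `mvn dependency:list` style output. The sample dependency lines are constructed, and treating release branches newer than 3.21 as fixed is an assumption.

```python
"""Flag protobuf Java-runtime artifacts affected by CVE-2022-3171 (added example)."""
import re

# Fix versions from the advisory, keyed by artifact and release branch: (major, minor) -> patch.
JAVA_FIX_BRANCHES = {(3, 21): 7, (3, 20): 3, (3, 19): 6, (3, 16): 3}
FIXED_VERSIONS = {
    "protobuf-java": JAVA_FIX_BRANCHES,
    "protobuf-javalite": JAVA_FIX_BRANCHES,
    "protobuf-kotlin": JAVA_FIX_BRANCHES,
    "protobuf-kotlin-lite": JAVA_FIX_BRANCHES,
    "google-protobuf": {(3, 21): 7, (3, 20): 3, (3, 19): 6},  # JRuby gem: no 3.16.x fix listed
}

def parse_version(version):
    """'3.19.4' -> (3, 19, 4); a pre-release suffix such as '-rc-1' is ignored."""
    parts = [int(m.group()) for m in re.finditer(r"\d+", version)]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(artifact, version):
    """True if this artifact/version predates the fix on its release branch."""
    fixes = FIXED_VERSIONS.get(artifact)
    if fixes is None:
        return False                   # not one of the runtime artifacts named in the advisory
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in fixes:
        return patch < fixes[branch]   # e.g. 3.19.4 < 3.19.6 -> affected
    if branch > max(fixes):
        return False                   # assumption: branches cut after the fix carry it
    return True                        # older branch with no backported fix, e.g. 3.18.x

# Matches Maven coordinates such as com.google.protobuf:protobuf-java:jar:3.19.4:compile
MAVEN_LINE = re.compile(r"com\.google\.protobuf:([\w-]+)((?::[\w.-]+)+)")

def scan_dependency_list(text):
    """Scan `mvn dependency:list` style lines; return [(artifact, version, affected)]."""
    findings = []
    for line in text.splitlines():
        m = MAVEN_LINE.search(line)
        if not m:
            continue
        artifact = m.group(1)
        fields = m.group(2).strip(":").split(":")
        version = next((f for f in fields if f[0].isdigit()), None)  # skip type/classifier fields
        if version and artifact in FIXED_VERSIONS:
            findings.append((artifact, version, is_affected(artifact, version)))
    return findings

SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.google.protobuf:protobuf-java:jar:3.19.4:compile
[INFO]    com.google.protobuf:protobuf-javalite:jar:3.21.7:runtime
[INFO]    com.google.protobuf:protobuf-kotlin:jar:3.18.2:compile
[INFO]    com.google.protobuf:protobuf-java-util:jar:3.21.7:compile
"""  # constructed sample output, not from a real build

if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version}: {'AFFECTED' if affected else 'fixed'}")
```

Because the fix also changes generated code, a clean dependency list is only half the check; regenerate any checked-in generated sources with the updated protoc as the advisory requires.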
Source: This report was generated using AI