CVE-2022-3509
Java vulnerability analysis and mitigation

Overview

CVE-2022-3509 is a vulnerability discovered in Google's protobuf-java core component, specifically affecting the TextFormat parsing functionality. The vulnerability affects multiple versions of protobuf-java and protobuf-javalite, including versions 3.16.0 to 3.16.3, 3.19.0 to 3.19.6, 3.20.0 to 3.20.3, and 3.21.0 to 3.21.7 (NVD).

Technical details

The vulnerability is triggered when the TextFormat parser processes text input containing multiple instances of a non-repeated embedded message that itself carries repeated or unknown fields. The root cause lies in how the parser handles such recurring sub-messages: instead of parsing the text directly into the existing field, it builds a new sub-message and then merges the fully formed message into the existing field (GitHub Commit).

Impact

When exploited, this vulnerability can lead to a Denial of Service (DoS) condition in applications using the affected versions of protobuf-java (Red Hat CVE).

Mitigation and workarounds

The issue has been addressed in subsequent releases of protobuf-java. Users are advised to upgrade to the fixed versions: 3.16.3, 3.19.6, 3.20.3, or 3.21.7 for protobuf-java and protobuf-javalite (NVD).
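A dependency-list check built from the branches and fixed releases stated above, added here as an example and not code from this advisory or from the protobuf project. It assumes `mvn dependency:list`-style coordinates as input and treats each listed fixed release as the first safe version of its branch (so 3.16.3 itself counts as fixed); branches the advisory does not name are reported for manual review rather than guessed.

```python
"""Flag protobuf-java / protobuf-javalite versions affected by CVE-2022-3509.

Added example. Version branches and fixed releases come from the advisory;
treating each fixed release as the first safe version of its branch is an
assumption. The sample dependency list below is constructed, not real data.
"""
import re

# Minor branch -> first fixed patch release, per the mitigation section.
FIXED_IN = {
    (3, 16): (3, 16, 3),
    (3, 19): (3, 19, 6),
    (3, 20): (3, 20, 3),
    (3, 21): (3, 21, 7),
}
AFFECTED_ARTIFACTS = {"protobuf-java", "protobuf-javalite"}

# groupId:artifactId[:type]:version[:scope], the shape `mvn dependency:list` prints.
COORD_RE = re.compile(r"^(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?:\w+:)?(?P<v>\d+\.\d+\.\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """'3.21.5' -> (3, 21, 5); numeric tuples compare correctly, unlike strings."""
    major, minor, patch = (int(p) for p in text.split("."))
    return major, minor, patch


def assess(artifact: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for one dependency."""
    if artifact not in AFFECTED_ARTIFACTS:
        return "not-listed"
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # Branch not named in the advisory (e.g. 3.17.x): needs manual review.
        return "not-listed"
    return "vulnerable" if v < fixed else "fixed"


def scan_dependency_list(lines: list[str]) -> list[tuple[str, str, str]]:
    """Assess every com.google.protobuf coordinate in a dependency listing."""
    findings = []
    for line in lines:
        m = COORD_RE.match(line.strip())
        if m and m["g"] == "com.google.protobuf":
            findings.append((m["a"], m["v"], assess(m["a"], m["v"])))
    return findings


# Constructed sample in `mvn dependency:list` format (not from a real project).
SAMPLE = [
    "com.google.protobuf:protobuf-java:jar:3.21.5:compile",
    "com.google.protobuf:protobuf-javalite:jar:3.19.6:compile",
    "com.google.protobuf:protobuf-java:jar:3.17.3:compile",
    "com.google.guava:guava:jar:31.1-jre:compile",
]

if __name__ == "__main__":
    for artifact, version, status in scan_dependency_list(SAMPLE):
        print(f"{artifact} {version}: {status}")
```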

This report was generated using AI.
