
Cloud Vulnerability DB
A community-led vulnerabilities database
A parsing issue was discovered in Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6, and 3.16.3. The vulnerability (CVE-2022-3510) involves inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields, which causes objects to be converted back-and-forth between mutable and immutable forms (Ubuntu CVE, RedHat CVE).
The vulnerability affects the protobuf-java core implementation, specifically in the handling of Message-Type Extensions. When processing inputs with multiple instances of non-repeated embedded messages containing repeated or unknown fields, the library converts the same objects back and forth between mutable and immutable forms far more often than necessary. This can result in extended garbage collection pauses, potentially leading to service degradation. The issue has been assigned a CVSS 3.1 base score of 7.5 (High), with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Ubuntu CVE).
The primary impact of this vulnerability is a potential denial of service (DoS) condition. The excessive garbage collection pauses caused by the back-and-forth conversion between mutable and immutable forms can significantly degrade system performance and availability. The CVSS vector reflects an availability impact only; confidentiality and integrity are not affected (RedHat Advisory).
The recommended mitigation is to update to protobuf-java version 3.21.7, 3.20.3, 3.19.6, or 3.16.3 (or a later release in the same release line). The fix changes message-type extensions to merge directly from wire format instead of building up instances and merging afterwards, which also improves performance. For some systems, such as Ubuntu stable releases, the changes required to fix this issue were considered too intrusive to be backported, so those packages remain unpatched (Ubuntu CVE, Protobuf Commit).
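The fixed versions above are per release line, so a plain "greater than X" comparison gets the answer wrong for 3.16.x and 3.19.x builds. The following script is an added example (not Wiz's or the protobuf project's code) that applies the branch-aware check to a dependency listing. It assumes Maven-style `groupId:artifactId[:jar]:version` lines such as those printed by `mvn dependency:list`, covers both the core `protobuf-java` and the lite `protobuf-javalite` artifacts since the advisory names both implementations, and treats 3.17.x and 3.18.x (lines with no fixed release listed) as vulnerable because they predate 3.19.6; the sample dependency lines are constructed for the demonstration.

```python
"""Flag protobuf-java dependency versions affected by CVE-2022-3510.

Added example; fixed versions are taken from the advisory text above.
"""
import re
from typing import List, Optional, Tuple

# Fixed patch release per affected 3.x minor line (from the advisory).
FIXED_PATCH_BY_MINOR = {16: 3, 19: 6, 20: 3, 21: 7}

Version = Tuple[int, int, int]

# Accepts "3.19.4", "3.19.4-SNAPSHOT", "3.19.4+build" and ignores the suffix.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.+].*)?")

# Constructed sample: one vulnerable core build, one fixed lite build, one
# unrelated artifact that must be ignored.
SAMPLE_DEPENDENCY_LIST = [
    "com.google.protobuf:protobuf-java:jar:3.19.4:compile",
    "com.google.protobuf:protobuf-javalite:jar:3.21.7:runtime",
    "com.google.guava:guava:jar:31.1-jre:compile",
]

DEP_LINE_RE = re.compile(
    r"com\.google\.protobuf:(protobuf-java(?:lite)?):(?:jar:)?([\w.\-+]+)"
)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch[suffix]' into a comparable tuple."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """Return True if this protobuf-java version predates the fix for its line."""
    major, minor, patch = parse_version(version)
    if major != 3:
        # 2.x predates every fix; 4.x and later carry it.
        return major < 3
    fixed_patch = FIXED_PATCH_BY_MINOR.get(minor)
    if fixed_patch is not None:
        return patch < fixed_patch
    # Assumption: a 3.x line with no listed fix (3.17, 3.18) is unpatched,
    # while lines newer than 3.21 (3.22 onwards) include the fix.
    return minor < max(FIXED_PATCH_BY_MINOR)


def scan_dependency_list(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, vulnerable) for each protobuf-java dependency."""
    findings = []
    for line in lines:
        m = DEP_LINE_RE.search(line)
        if not m:
            continue  # not a protobuf-java artifact
        artifact, version = m.groups()
        findings.append((artifact, version, is_vulnerable(version)))
    return findings


if __name__ == "__main__":
    for artifact, version, vulnerable in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        status = "VULNERABLE (CVE-2022-3510)" if vulnerable else "fixed"
        print(f"{artifact} {version}: {status}")
```

Feed it the output of `mvn dependency:list` (or any listing in the same coordinate format) to get a per-artifact verdict; the version parser tolerates `-SNAPSHOT` and build-metadata suffixes, which a naive string comparison would misorder.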
Source: This report was generated using AI