A potential Denial of Service issue in protobuf-java

Summary

A potential Denial of Service issue in protobuf-java was discovered in the
parsing procedure for binary data.

Affected versions: All versions of Java Protobufs (including Kotlin and JRuby)
prior to the versions listed below. Protobuf “javalite” users (typically
Android) are not affected.

Severity

High - An implementation weakness in how unknown fields are parsed in
Java. A small (~800 KB) malicious payload can occupy the parser for several
minutes by creating large numbers of short-lived objects that cause frequent,
repeated GC pauses.

Proof of Concept

For reproduction details, please refer to the oss-fuzz issue that identifies
the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

Please update to the latest available versions of the following packages:

• protobuf-java (3.16.1, 3.18.2, 3.19.2)
• protobuf-kotlin (3.18.2, 3.19.2)
• google-protobuf [JRuby gem only] (3.19.2)