Vulnerability Name: CVE-2022-3171 (CCN-238394)

Assigned: 2022-09-29
Published: 2022-09-29
Updated: 2023-04-27
Summary: protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for binary and text format data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS v3 Severity: 4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
5.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.0 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.5 Medium (CCN CVSS v2 Vector: AV:A/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Adjacent_Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2022-3171

Source: XF
Type: UNKNOWN
protobufjava-cve20223171-dos(238394)

Source: CCN
Type: GitHub Advisory Database
protobuf-java has a potential Denial of Service issue

Source: CCN
Type: protobuf GIT Repository
Fix TextFormat parser (#10674)

Source: cve-coordination@google.com
Type: Third Party Advisory
cve-coordination@google.com

Source: cve-coordination@google.com
Type: Mailing List, Third Party Advisory
cve-coordination@google.com

Source: cve-coordination@google.com
Type: UNKNOWN
cve-coordination@google.com

Source: CCN
Type: Maven Repository Web site
Google protobuf-java core

Source: cve-coordination@google.com
Type: Third Party Advisory
cve-coordination@google.com

Source: CCN
Type: IBM Security Bulletin 6830297 (Answer Retrieval for Watson Discovery)
Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.8 and earlier

Source: CCN
Type: IBM Security Bulletin 6841889 (WebSphere Application Server Liberty)
IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171, CVE-2022-3509)

Source: CCN
Type: IBM Security Bulletin 6846157 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Commons Text 1.9

Source: CCN
Type: IBM Security Bulletin 6848023 (Planning Analytics Workspace)
IBM Planning Analytics Workspace is affected by vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6852221 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6853381 (MQ)
IBM MQ Blockchain bridge is vulnerable to a denial of service issue within protobuf-java core (CVE-2022-3171)

Source: CCN
Type: IBM Security Bulletin 6853441 (Robotic Process Automation for Cloud Pak)
Vulnerabilities in the protobuf-java may affect IBM Robotic Process Automation and could result in a denial of service (CVE-2022-3171, CVE-2022-3509)

Source: CCN
Type: IBM Security Bulletin 6854713 (Voice Gateway)
Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6855119 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty

Source: CCN
Type: IBM Security Bulletin 6890687 (Workload Scheduler)
IBM Workload Scheduler potentially affected by parsing issue with binary data in protobuf-java core (CVE-2022-3171)

Source: CCN
Type: IBM Security Bulletin 6909431 (Cloud Pak for Multicloud Management Monitoring)
IBM Cloud Pak for Multicloud Management is vulnerable to denial of service due to protobuf-java core and lite

Source: CCN
Type: IBM Security Bulletin 6921285 (i)
IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6955025 (PowerVM NovaLink)
IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to protobuf-java core and lite are vulnerable to a denial of service. (CVE-2022-3509)

Source: CCN
Type: IBM Security Bulletin 6957754 (CICS TX Advanced)
CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 6957758 (CICS TX Standard)
CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6957764 (TXSeries for Multiplatforms)
CVE-2022-3509 and CVE-2022-3171 may affect IBM TXSeries for Multiplatforms

Source: CCN
Type: IBM Security Bulletin 6960535 (MQ)
IBM MQ is affected by issues in IBM WebSphere Application Server Liberty (CVE-2022-3509, CVE-2022-3171)

Source: CCN
Type: IBM Security Bulletin 6963077 (Security Guardium)
IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509)

Source: CCN
Type: IBM Security Bulletin 6963095 (Watson Knowledge Catalog on-prem)
Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-3509, CVE-2022-3171)

Source: CCN
Type: IBM Security Bulletin 6963956 (Global High Availability Mailbox)
IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server (CVE-2022-3509, CVE-2022-3171)

Source: CCN
Type: IBM Security Bulletin 6966436 (Tivoli Netcool/Impact)
A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-3509, CVE-2022-3171)

Source: CCN
Type: IBM Security Bulletin 6967509 (Log Analysis)
Multiple Vulnerabilities in Google Protocol Buffer affect IBM Operations Analytics - Log Analysis (CVE-2022-3171, CVE-2022-3509, CVE-2022-3510)

Source: CCN
Type: IBM Security Bulletin 6986505 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6987069 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use DFDL may be vulnerable to denial of service due to [CVE-2022-3171]

Source: CCN
Type: IBM Security Bulletin 6989133 (Maximo Application Suite)
WebSphere Application Server Liberty is vulnerable to CVE-2022-3509 and CVE-2022-3171 used in IBM Maximo Application Suite - Monitor Component

Source: CCN
Type: IBM Security Bulletin 6997631 (App Connect Enterprise)
IBM App Connect Enterprise is vulnerable to a denial of service due to cURL libcurl and Google protobuf-java. (CVE-2022-42915, CVE-2021-22569, CVE-2022-3509, CVE-2022-3171, CVE-2022-3510)

Source: CCN
Type: IBM Security Bulletin 6999633 (Business Automation Manager Open Editions)
Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.3

Source: CCN
Type: IBM Security Bulletin 6999781 (Edge Application Manager)
IBM Edge Application Manager 4.5.1 addresses multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7011449 (Maximo Application Suite)
There are several vulnerabilities in Liberty used by the IBM Maximo Manage application in the IBM Maximo Application Suite

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-3171

Vulnerable Configuration: Configuration CCN 1:
  • cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*
  • OR cpe:/o:ibm:i:7.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_scheduler:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:21.0.0.2:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:23.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions

    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:8035 | P | libprotoc20-3.9.2-150200.4.19.2 on GA media (Moderate) | 2023-06-20
    oval:org.opensuse.security:def:7652 | P | libprotobuf-lite20-3.9.2-150200.4.19.2 on GA media (Moderate) | 2023-06-12
    oval:org.opensuse.security:def:8172 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
    oval:org.opensuse.security:def:8185 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
    oval:org.opensuse.security:def:8197 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
    oval:org.opensuse.security:def:8111 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
    oval:org.opensuse.security:def:51947 | P | Security update for protobuf (Important) | 2022-11-09