CVE-2021-22569 Overview
An issue in protobuf-java allowed com.google.protobuf.UnknownFieldSet fields to be interleaved in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage collection pauses. This Denial of Service vulnerability affects applications using the protobuf-java, protobuf-kotlin, and google-protobuf (Ruby) libraries, as well as downstream Oracle products that incorporate these components.
Critical Impact
Attackers can craft malicious protobuf payloads that cause resource exhaustion through algorithmic complexity, leading to extended parser occupation and application unavailability.
Affected Products
- Google protobuf-java (multiple versions)
- Google protobuf-kotlin (multiple versions)
- Google google-protobuf (Ruby gem)
- Oracle Communications Cloud Native Core Console 1.9.0
- Oracle Communications Cloud Native Core Network Repository Function 1.15.0 and 1.15.1
- Oracle Communications Cloud Native Core Policy 1.15.0
- Oracle Spatial and Graph MapViewer 19c and 21c
Discovery Timeline
- 2022-01-10 - CVE-2021-22569 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22569
Vulnerability Analysis
This vulnerability represents a Denial of Service (DoS) attack vector through algorithmic complexity exploitation. The protobuf-java parser contains a flaw in how it handles UnknownFieldSet fields when they are interleaved within a message. By carefully crafting a protobuf message with specific field ordering patterns, an attacker can trigger excessive object creation and garbage collection cycles within the Java Virtual Machine.
The attack is particularly concerning because it requires only a small malicious payload to achieve significant impact. The parser becomes occupied for extended periods—potentially several minutes—processing what should be a trivial message. This behavior stems from the creation of large numbers of short-lived objects that trigger frequent garbage collection pauses, effectively causing CPU exhaustion.
The vulnerability requires local access with user interaction, meaning an attacker would need to convince a user to process a malicious protobuf file or deliver the payload through an application that accepts protobuf input from users.
Root Cause
The root cause lies in improper handling of field ordering within the UnknownFieldSet class in protobuf-java. The parser does not adequately validate or limit the processing complexity when unknown fields are interleaved in a specific sequence. This maps to CWE-696 (Incorrect Behavior Order) where the processing order of interleaved fields creates an exploitable condition that results in resource exhaustion.
Attack Vector
The attack requires local access where the attacker crafts a malicious protobuf message with carefully interleaved UnknownFieldSet fields. When a vulnerable application parses this message, the parser enters a state where it repeatedly creates and discards short-lived objects. This triggers frequent garbage collection cycles in the JVM, causing the application to become unresponsive.
The attack flow involves:
- Attacker crafts a small protobuf payload with specifically ordered unknown fields
- The malicious payload is delivered to an application using vulnerable protobuf-java libraries
- When parsed, the interleaved field structure causes excessive object allocation
- JVM garbage collection is triggered repeatedly, consuming CPU resources
- The application becomes unresponsive for an extended period (potentially minutes)
Detection Methods for CVE-2021-22569
Indicators of Compromise
- Unusually high CPU utilization in Java applications processing protobuf messages
- Extended garbage collection pauses visible in JVM logs or monitoring
- Application unresponsiveness when processing specific protobuf payloads
- Heap memory pressure spikes during message parsing operations
Detection Strategies
- Monitor JVM garbage collection metrics for applications using protobuf-java libraries
- Implement application performance monitoring (APM) to detect parser hang conditions
- Review application logs for timeout exceptions during protobuf message processing
- Scan dependency manifests for vulnerable versions of protobuf-java, protobuf-kotlin, or google-protobuf
Monitoring Recommendations
- Enable JVM GC logging to capture garbage collection frequency and duration
- Configure alerting thresholds for CPU utilization anomalies in protobuf-processing services
- Implement request timeout mechanisms for endpoints that accept protobuf input
- Deploy software composition analysis (SCA) tools to identify vulnerable library versions
How to Mitigate CVE-2021-22569
Immediate Actions Required
- Upgrade protobuf-java and protobuf-kotlin libraries to patched versions
- Review application dependencies for transitive inclusions of vulnerable protobuf libraries
- Implement input validation and size limits for protobuf message processing
- Consider deploying request timeouts as a temporary mitigation measure
Patch Information
Google has released patches addressing this vulnerability. Organizations should upgrade their protobuf-java and related libraries beyond the vulnerable versions. For specific version information, refer to the Google Cloud Security Bulletin. Oracle customers should apply the fixes provided in the Oracle Critical Patch Update April 2022 for affected Oracle products.
Additional security advisories and technical details are available from OpenWall OSS Security and the Chromium OSS-Fuzz Issue #39330.
Workarounds
- Implement strict message size limits before parsing protobuf input
- Add timeout mechanisms around protobuf parsing operations to prevent extended hangs
- Deploy rate limiting on endpoints that accept protobuf messages from untrusted sources
- Consider isolating protobuf processing in separate worker threads with resource constraints
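The following added example (not code from the advisory, the protobuf project, or Oracle) combines the size-limit, timeout and isolated-worker workarounds listed above into one wrapper around protobuf-java's public Parser and CodedInputStream API. The class name GuardedProtoParser, the constants MAX_BYTES and BUDGET_MS, and the pool sizes are assumptions to be tuned per deployment.

```java
import com.google.protobuf.CodedInputStream;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.MessageLite;
import com.google.protobuf.Parser;
import java.util.concurrent.*;

/** Hypothetical wrapper: parses untrusted protobuf bytes under a size cap and a time budget. */
public final class GuardedProtoParser {
    private static final int MAX_BYTES = 64 * 1024;  // assumed cap; size it to your largest legitimate message
    private static final long BUDGET_MS = 200;       // assumed budget; well above a normal parse of MAX_BYTES

    // Bounded pool with a bounded queue: a parse that overruns its budget keeps one worker busy until it
    // finishes, so the pool size caps how many such parses can occupy the JVM; a full queue fails fast.
    private final ExecutorService pool = new ThreadPoolExecutor(
            2, 2, 0L, TimeUnit.MILLISECONDS, new ArrayBlockingQueue<>(64),
            new ThreadPoolExecutor.AbortPolicy());

    /** {@code parser} is a generated message's {@code parser()}; {@code payload} is untrusted input. */
    public <T extends MessageLite> T parse(Parser<T> parser, byte[] payload)
            throws InvalidProtocolBufferException, TimeoutException {
        // 1. Reject oversized input before the decoder sees a single byte.
        if (payload.length > MAX_BYTES) {
            throw new InvalidProtocolBufferException("payload of " + payload.length + " bytes exceeds cap");
        }
        Future<T> job = pool.submit(() -> {
            // 2. Enforce the same cap inside the decoder as well.
            CodedInputStream in = CodedInputStream.newInstance(payload);
            in.setSizeLimit(MAX_BYTES);
            return parser.parseFrom(in);
        });
        try {
            // 3. Bound the caller's wait. A payload that behaves as the advisory describes surfaces
            //    here as a TimeoutException, which is the event to count and alert on.
            return job.get(BUDGET_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only sets the interrupt flag; the decoder does not poll it, so the worker
            // stays busy until the parse ends. The bounded pool above is what limits the blast radius.
            job.cancel(true);
            throw e;
        } catch (ExecutionException e) {
            if (e.getCause() instanceof InvalidProtocolBufferException) {
                throw (InvalidProtocolBufferException) e.getCause();
            }
            throw new IllegalStateException("unexpected parser failure", e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while waiting for parser", e);
        }
    }
}
```

The timeout bounds how long a request waits, not how long the worker runs, so treat TimeoutException counts as a detection signal alongside the GC metrics described earlier; the patched library versions remain the actual fix.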
# Configuration example - Maven dependency update
# Update pom.xml to use patched protobuf-java version
mvn versions:use-latest-versions -Dincludes=com.google.protobuf:protobuf-java
# Verify updated dependencies
mvn dependency:tree | grep protobuf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.