CVE-2021-22569

About vulnerability

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Affected product:

Apache Hadoop , Apache Hive , Apache Spark , Apache Tapestry , Eclipse Jetty , Protocol Buffers , agepredictor , amazon-kinesis-client , avro , bookkeeper-common-allocator , calcite , druid , elasticsearch , google-http-java-client , google-oauth-java-client , hbase , infinispan , less4j , lucene , netty , orc , orc-core , protostream , solr , thredds , tika

Affected packages:

jetty-plus @ 9.4.50.v20221201 (+2833 more)

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.