Protobuf Library Security Update Advisory (CVE-2024-7254)

Overview

An update has been released to address vulnerabilities in Protobuf Library. Users of the affected versions are advised to update to the latest version.

Affected Products

CVE-2024-7254

  • protobuf-java versions: ~ 3.25.5 (exclusive)
  • protobuf-java versions: 4.0.0.rc.1 (inclusive) ~ 4.27.5 (exclusive)
  • protobuf-java versions: 4.28.0.rc.1 (inclusive) ~ 4.28.2 (exclusive)

  • protobuf-javalite versions: ~ 3.25.5 (exclusive)
  • protobuf-javalite versions: 4.0.0.rc.1 (inclusive) ~ 4.27.5 (exclusive)
  • protobuf-javalite versions: 4.28.0.rc.1 (inclusive) ~ 4.28.2 (exclusive)

  • protobuf-kotlin versions: ~ 3.25.5 (exclusive)
  • protobuf-kotlin versions: 4.0.0.rc.1 (inclusive) ~ 4.27.5 (exclusive)
  • protobuf-kotlin versions: 4.28.0.rc.1 (inclusive) ~ 4.28.2 (exclusive)

  • protobuf-kotlin-lite versions: ~ 3.25.5 (exclusive)
  • protobuf-kotlin-lite versions: 4.0.0.rc.1 (inclusive) ~ 4.27.5 (exclusive)
  • protobuf-kotlin-lite versions: 4.28.0.rc.1 (inclusive) ~ 4.28.2 (exclusive)

  • JRuby gem com-protobuf versions: ~ 3.25.5 (exclusive)
  • JRuby gem com-protobuf versions: 4.0.0.rc.1 (inclusive) ~ 4.27.5 (exclusive)
  • JRuby gem com-protobuf versions: 4.28.0.rc.1 (inclusive) ~ 4.28.2 (exclusive)

Resolved Vulnerabilities

Parsing Protobuf data that contains deeply nested group (SGROUP) tags can cause unbounded recursion in the parser, which can be exploited to trigger a stack overflow and deny service (CVE-2024-7254)

Vulnerability Patches

Patched versions are available in the latest update. Follow the instructions on the Referenced Sites to update to one of the patched versions listed below.

CVE-2024-7254

  • protobuf-java version: 3.25.5
  • protobuf-java version: 4.27.5
  • protobuf-java version: 4.28.2

  • protobuf-javalite version: 3.25.5
  • protobuf-javalite version: 4.27.5
  • protobuf-javalite version: 4.28.2

  • protobuf-kotlin version: 3.25.5
  • protobuf-kotlin version: 4.27.5
  • protobuf-kotlin version: 4.28.2

  • protobuf-kotlin-lite version: 3.25.5
  • protobuf-kotlin-lite version: 4.27.5
  • protobuf-kotlin-lite version: 4.28.2

  • JRuby gem com-protobuf version: 3.25.5
  • JRuby gem com-protobuf version: 4.27.5
  • JRuby gem com-protobuf version: 4.28.2
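
The following script is an added example, not part of this advisory or of the protobuf project: it encodes the affected ranges and patched versions listed above for the five artifacts and audits a dependency list against them, so a team can confirm which declared versions still need the update. The range boundaries are transcribed from the advisory; the version-string grammar (Maven-style "4.28.0-rc1" or "4.28.0.rc.1", with release candidates sorting before the final release) and the sample dependency list are assumptions made for the example.

```python
"""Audit protobuf-java-family dependency versions against the CVE-2024-7254
ranges given in the advisory. Added example; ranges are from the advisory,
the version grammar and sample input are assumptions for illustration."""
import re

# Artifacts the advisory names; it lists the same ranges for all five.
ARTIFACTS = ("protobuf-java", "protobuf-javalite", "protobuf-kotlin",
             "protobuf-kotlin-lite", "com-protobuf")

# (lower bound inclusive or None for "any earlier version", upper bound exclusive).
# Each upper bound is the patched version for that release line.
AFFECTED_RANGES = (
    (None, "3.25.5"),
    ("4.0.0.rc.1", "4.27.5"),
    ("4.28.0.rc.1", "4.28.2"),
)

FIXED_VERSIONS = tuple(upper for _, upper in AFFECTED_RANGES)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]rc[.-]?(\d+))?")


def parse_version(version):
    """Turn '4.28.0-rc1', '4.28.0.rc.1' or '4.28.0' into a comparable tuple.
    A release candidate sorts below the final release of the same number:
    (4, 28, 0, 0, 1) < (4, 28, 0, 1, 0). Assumed grammar, not protobuf's."""
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)            # final release
    return (major, minor, patch, 0, int(m.group(4)))  # rc sorts below final


def _matching_range(version):
    """Return the (lower, upper) range containing the version, or None."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        lower_ok = lower is None or parse_version(lower) <= v
        if lower_ok and v < parse_version(upper):
            return (lower, upper)
    return None


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    return _matching_range(version) is not None


def recommended_fix(version):
    """Patched version on the same release line, or None if not affected."""
    rng = _matching_range(version)
    return rng[1] if rng else None


def audit(dependencies):
    """dependencies: iterable of (artifactId, version) pairs.
    Returns [(artifactId, version, patched_version)] for affected entries;
    artifacts the advisory does not name are ignored."""
    findings = []
    for artifact, version in dependencies:
        if artifact not in ARTIFACTS:
            continue
        fix = recommended_fix(version)
        if fix is not None:
            findings.append((artifact, version, fix))
    return findings


if __name__ == "__main__":
    # Constructed sample dependency list (not from any real build file).
    sample = [
        ("protobuf-java", "3.25.4"),
        ("protobuf-kotlin", "4.28.0-rc1"),
        ("protobuf-javalite", "4.28.2"),
        ("guava", "33.0.0-jre"),
    ]
    for artifact, version, fix in audit(sample):
        print(f"{artifact} {version} is affected by CVE-2024-7254; update to {fix}")
```

Because the advisory's upper bounds are exclusive, a declared version equal to a patched version (for example 4.27.5) is reported as not affected, while the release candidate 4.28.0-rc1 is correctly placed in the third range rather than the second.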

Referenced Sites

[1] CVE-2024-7254 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-7254

[2] protobuf-java has potential Denial of Service issue

https://github.com/advisories/GHSA-735f-pc8j-v9w8

[3] protocolbuffers/protobuf/commit

https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa