CVE-2021-22569

7.5 HIGH

📋 TL;DR

A parsing bug in protobuf-java lets an attacker craft a small Protocol Buffer message whose unknown fields (com.google.protobuf.UnknownFieldSet) are interleaved so that the parser processes them out of order. Handling the interleaved fields creates large numbers of short-lived objects, and the resulting frequent, repeated GC pauses can keep the parser busy for several minutes on a single payload. Any Java application that parses untrusted Protocol Buffer data with a vulnerable protobuf-java runtime is exposed to this CPU-based denial of service.

💻 Affected Systems

Products:
  • Google Protocol Buffers Java implementation (protobuf-java); protobuf-kotlin depends on it and inherits the issue
  • Any Java application that parses Protocol Buffer data with protobuf-java, including applications that only pull it in transitively (gRPC and Google client libraries are common sources)
Versions: protobuf-java before 3.16.1, 3.17.0 through 3.18.1, and 3.19.0 through 3.19.1 (fixed in 3.16.1, 3.18.2 and 3.19.2)
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Applications must parse untrusted Protocol Buffer data to be exposed. The flaw is in the library's parsing logic itself; no configuration option enables or disables it.

📦 What is this software?

protobuf-java is Google's Java runtime for Protocol Buffers, a compact binary serialization format. It parses wire-format messages into generated Java classes and is used directly by applications and transitively by gRPC and many Google client libraries.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting multiple services in microservices architectures that share protobuf parsing libraries.

🟠

Likely Case

Degraded application performance and intermittent service disruptions as the parser consumes excessive resources processing malicious payloads.

🟢

If Mitigated

Minimal impact with proper input validation, rate limiting, and updated libraries, though some performance degradation may still occur during attack attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The issue was found by fuzzing and a reproducer is tracked in the OSS-Fuzz issue tracker. Exploitation only requires delivering a crafted Protocol Buffer message to a vulnerable parser, so any attacker who can reach an endpoint that accepts such data can trigger it; no authentication or special positioning is needed beyond that.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: protobuf-java 3.16.1, 3.18.2 or 3.19.2 (or any later release in those lines; 3.20 and later are not affected)

Vendor Advisory: https://cloud.google.com/support/bulletins#gcp-2022-001

Restart Required: Yes

Instructions:

1. Identify every Java build that pulls in protobuf-java, directly or transitively, including fat and shaded jars.
2. Pin protobuf-java to 3.16.1, 3.18.2 or 3.19.2 (or later) in Maven/Gradle, overriding transitive versions where needed (Maven dependencyManagement, Gradle dependency constraints or resolution strategy).
3. Rebuild and redeploy the affected applications.
4. Restart services; the JVM loads the library at startup, so a running process keeps the old parser until it is restarted.

🔧 Temporary Workarounds

Input validation and size limits (applies to: all deployments)

Enforce strict size limits on Protocol Buffer messages at the ingress point. Note the limits of this workaround: the advisory describes a small payload that occupies the parser for minutes, so a byte limit bounds the worst case rather than blocking the attack. Pair it with per-request time limits and a bounded thread pool for parsing so one slow parse cannot starve the service.

Rate limiting (applies to: all deployments)

Rate limit endpoints that accept Protocol Buffer data, per client where possible, to cap how many slow parses an attacker can keep in flight at once.

🧯 If You Can't Patch

  • Front vulnerable services with a WAF or reverse proxy, but expect limited coverage: most WAFs do not decode the Protocol Buffer wire format, so practical rules come down to size limits, rate limits and blocking unexpected clients
  • Isolate the affected services behind reverse proxies with request filtering, per-request timeouts and monitoring, so a stalled parser affects one bulkhead rather than the whole service

🔍 How to Verify

Check if Vulnerable:

Look for protobuf-java in your build's resolved dependency graph, not only in pom.xml or build.gradle: it is usually pulled in transitively, and a version you never declared is still the one that runs. A version is affected if it is below 3.16.1, in 3.17.0 through 3.18.1, or in 3.19.0 through 3.19.1.

Check Version:

For Maven: mvn dependency:tree | grep protobuf-java. For Gradle: gradle dependencies | grep protobuf-java; when a line reads "3.16.0 -> 3.16.1", the version after the arrow is the resolved one. For a running JVM whose classpath lists individual jars: jcmd <PID> VM.system_properties | grep protobuf (java.class.path is printed among the properties), or on Linux ls -l /proc/<PID>/fd | grep protobuf-java, since the JVM keeps classpath jars open. For fat jars, neither shows the library; list the archive instead with unzip -l app.jar | grep -i protobuf and read META-INF/maven/com.google.protobuf/protobuf-java/pom.properties if it is present. A shaded jar that relocated the com.google.protobuf package hides the dependency from all of these checks, so audit the shading configuration as well.

Verify Fix Applied:

Confirm that the resolved protobuf-java version in the dependency tree is 3.16.1, 3.18.2, 3.19.2 or later, that every module and service received the bump rather than only the one you edited, and that the deployed artifact and the running JVM actually carry it; a stale fat jar or an unrestarted process still runs the old parser.
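The checks above are easier to run consistently as a script. The following is an added example, not from the advisory or the protobuf project: it encodes the affected ranges listed above and scans Maven or Gradle dependency output for affected coordinates. The function names are my own and the sample tree lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the advisory or the protobuf project).
# Classifies a protobuf-java version against the CVE-2021-22569 affected ranges
# (before 3.16.1; 3.17.0 to 3.18.1; 3.19.0 to 3.19.1) and scans
# `mvn dependency:tree` / `gradle dependencies` output for affected lines.

# version_key MAJOR.MINOR.PATCH[-suffix] -> integer usable with -lt / -ge
version_key() {
  v=$1
  major=${v%%.*}
  rest=${v#*.};     [ "$rest" = "$v" ] && rest=""
  minor=${rest%%.*}
  rest2=${rest#*.}; [ "$rest2" = "$rest" ] && rest2=""
  # drop "-rc-1" style suffixes, default missing components to 0
  major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${rest2%%[!0-9]*}
  : "${major:=0}" "${minor:=0}" "${patch:=0}"
  echo $(( major * 1000000 + minor * 1000 + patch ))
}

# protobuf_java_is_vulnerable VERSION -> exit status 0 if VERSION is affected
protobuf_java_is_vulnerable() {
  k=$(version_key "$1")
  [ "$k" -lt 3016001 ] && return 0
  [ "$k" -ge 3017000 ] && [ "$k" -lt 3018002 ] && return 0
  [ "$k" -ge 3019000 ] && [ "$k" -lt 3019002 ] && return 0
  return 1
}

# scan_dependency_output < tree.txt
# Prints "VULNERABLE protobuf-java <version>" once per affected resolved version.
# Maven prints  com.google.protobuf:protobuf-java:jar:3.18.1:compile
# Gradle prints com.google.protobuf:protobuf-java:3.16.0 -> 3.16.1 (*)
# so the last version token on the line is the one that actually runs.
scan_dependency_output() {
  grep -E 'com\.google\.protobuf:protobuf-java:' |
  while IFS= read -r line; do
    ver=$(printf '%s\n' "$line" |
          grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?(-[A-Za-z0-9.]+)*' | tail -n 1)
    [ -n "$ver" ] || continue
    if protobuf_java_is_vulnerable "$ver"; then
      printf 'VULNERABLE protobuf-java %s\n' "$ver"
    fi
  done | sort -u
}

# Constructed sample output (not from a real build).
SAMPLE_MAVEN_TREE='[INFO] +- com.google.protobuf:protobuf-java:jar:3.18.1:compile
[INFO] +- com.google.protobuf:protobuf-java-util:jar:3.18.1:compile
[INFO] \- io.grpc:grpc-protobuf:jar:1.40.0:compile
[INFO]    \- com.google.protobuf:protobuf-java:jar:3.19.2:compile'

SAMPLE_GRADLE_DEPS='+--- com.google.protobuf:protobuf-java:3.16.0 -> 3.16.1 (*)
\--- com.google.protobuf:protobuf-java:3.19.1'

# Real use: mvn dependency:tree | scan_dependency_output
printf '%s\n' "$SAMPLE_MAVEN_TREE"  | scan_dependency_output
printf '%s\n' "$SAMPLE_GRADLE_DEPS" | scan_dependency_output
```

Pipe the real build output through scan_dependency_output for each module; an empty result means no affected version was resolved, but it says nothing about shaded jars, which must be checked separately.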

📡 Detection & Monitoring

Log Indicators:

  • Sustained high CPU usage by the Java process while request throughput drops
  • Frequent, repeated short GC pauses (the payload creates large numbers of short-lived objects); heap exhaustion is not the expected symptom
  • Slow or timed-out responses from services that parse Protocol Buffer data
  • Thread dumps (jcmd <PID> Thread.print) showing request threads stuck in com.google.protobuf.* parsing frames for the same request over consecutive dumps

Network Indicators:

  • Small Protocol Buffer requests whose handling time is far out of proportion to their size, especially many of them from one client
  • Repeated requests to the same protobuf-accepting endpoint from a source with no normal traffic history

SIEM Query:

Illustrative Splunk-style query; the field names depend on what your JVM and GC log collectors emit and must be adjusted to your schema:

index=app_logs process="java" (gc_pauses_per_min > 30 OR cpu_pct > 90) | stats count BY host, service | where count > 5
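The GC-pause indicator above can be checked mechanically against JDK unified GC logs written with -Xlog:gc. The following is an added example, not part of this advisory: the function name, the window size and threshold, and the sample log lines are my own constructed assumptions, to be tuned per service.

```shell
#!/bin/sh
# Added example (not part of the advisory). Flags bursts of short, repeated GC
# pauses, the symptom CVE-2021-22569 produces, in JDK unified GC logs (-Xlog:gc).
# Lines look like:
#   [12.345s][info][gc] GC(7) Pause Young (Normal) (G1 Evacuation Pause) 24M->8M(256M) 3.210ms

# gc_pause_bursts WINDOW_SECONDS THRESHOLD  < gc.log
# Prints one line per WINDOW_SECONDS window that holds at least THRESHOLD pauses.
gc_pause_bursts() {
  awk -v win="$1" -v thr="$2" '
    /\]\[info\]\[gc\] GC\([0-9]+\) Pause/ {
      if (match($0, /^\[[0-9]+\.[0-9]+s\]/)) {
        t = substr($0, 2, RLENGTH - 3) + 0   # JVM uptime in seconds
        b = int(t / win)                      # window index
        n[b]++
        if (b > maxb) maxb = b
      }
    }
    END {
      for (b = 0; b <= maxb; b++)
        if (n[b] >= thr)
          printf "window %ds-%ds: %d pauses\n", b * win, (b + 1) * win, n[b]
    }'
}

# Constructed sample: a quiet start, then a burst between 10s and 20s of uptime.
SAMPLE_GC_LOG='[0.512s][info][gc] Using G1
[1.004s][info][gc] GC(0) Pause Young (Normal) (G1 Evacuation Pause) 24M->4M(256M) 2.113ms
[6.331s][info][gc] GC(1) Pause Young (Normal) (G1 Evacuation Pause) 30M->5M(256M) 1.870ms
[12.101s][info][gc] GC(2) Pause Young (Normal) (G1 Evacuation Pause) 31M->5M(256M) 1.402ms
[12.540s][info][gc] GC(3) Pause Young (Normal) (G1 Evacuation Pause) 31M->5M(256M) 1.388ms
[13.022s][info][gc] GC(4) Pause Young (Normal) (G1 Evacuation Pause) 31M->5M(256M) 1.451ms
[13.498s][info][gc] GC(5) Pause Young (Normal) (G1 Evacuation Pause) 31M->5M(256M) 1.377ms
[14.011s][info][gc] GC(6) Pause Young (Normal) (G1 Evacuation Pause) 31M->5M(256M) 1.405ms
[14.470s][info][gc] GC(7) Pause Young (Normal) (G1 Evacuation Pause) 31M->5M(256M) 1.391ms
[25.873s][info][gc] GC(8) Pause Young (Normal) (G1 Evacuation Pause) 30M->5M(256M) 1.902ms'

# Real use: gc_pause_bursts 10 5 < /var/log/app/gc.log
printf '%s\n' "$SAMPLE_GC_LOG" | gc_pause_bursts 10 5
```

A burst of pauses that are individually short but arrive several times a second, while the service is otherwise idle, is the pattern to correlate with request logs; the threshold should sit above the service's normal young-collection rate under load.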
