Posted to issues@nifi.apache.org by "Phil Lee (Jira)" <ji...@apache.org> on 2022/12/14 18:27:00 UTC
[jira] [Created] (NIFI-10983) Update google protobuf-java core to 3.20.3
Phil Lee created NIFI-10983:
-------------------------------
Summary: Update google protobuf-java core to 3.20.3
Key: NIFI-10983
URL: https://issues.apache.org/jira/browse/NIFI-10983
Project: Apache NiFi
Issue Type: Improvement
Affects Versions: 1.19.1
Reporter: Phil Lee
Update com.google.protobuf_protobuf-java from 3.20.1 to 3.20.3. This will remediate [CVE-2022-3509|https://nvd.nist.gov/vuln/detail/CVE-2022-3509].
Twistlock scan reported this as a high-severity vulnerability in NiFi Toolkit (which is included in NiFi version 1.19.1).
Impacted versions: >=3.20.0 and <3.20.3
Discovered: 2 days ago
Published: 2 days ago
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)