Posted to issues@nifi.apache.org by "Phil Lee (Jira)" <ji...@apache.org> on 2022/12/14 18:27:00 UTC

[jira] [Created] (NIFI-10983) Update google protobuf-java core to 3.20.3

Phil Lee created NIFI-10983:
-------------------------------

             Summary: Update google protobuf-java core to 3.20.3
                 Key: NIFI-10983
                 URL: https://issues.apache.org/jira/browse/NIFI-10983
             Project: Apache NiFi
          Issue Type: Improvement
    Affects Versions: 1.19.1
            Reporter: Phil Lee


Update com.google.protobuf_protobuf-java from 3.20.1 to 3.20.3. This will remediate [CVE-2022-3509|https://nvd.nist.gov/vuln/detail/CVE-2022-3509].

Twistlock scan reported this as a high-severity vulnerability in NiFi Toolkit (which is included in NiFi version 1.19.1).

Impacted versions: >=3.20.0 and <3.20.3
Discovered: 2 days ago
Published: 2 days ago
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
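As an added check (not part of this ticket or of NiFi's own code), the script below scans `mvn dependency:tree` style output for protobuf-java jars and flags any version below the fixed release of its minor line, using only the fixed releases the advisory text above names (3.21.7, 3.20.3, 3.19.6, 3.16.3). Minor lines the advisory does not name are reported as "not covered" rather than guessed, and the sample tree is constructed for illustration.

```python
import re

# Fixed release per minor line, taken from the advisory text above.
# Minor lines the advisory does not name (e.g. 3.17, 3.18) are deliberately
# left out so the check reports them as "not covered" rather than guessing.
FIXED_BY_MINOR = {
    (3, 21): (3, 21, 7),
    (3, 20): (3, 20, 3),
    (3, 19): (3, 19, 6),
    (3, 16): (3, 16, 3),
}

# Matches the coordinate as printed by `mvn dependency:tree`.
_PROTOBUF_JAVA = re.compile(r"com\.google\.protobuf:protobuf-java:jar:(\d+\.\d+\.\d+)\b")

def parse_version(text):
    """Parse a plain 'MAJOR.MINOR.PATCH' string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported protobuf-java version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(text):
    """True if below the fixed release of its minor line, False if at or above
    it, None if the advisory names no fixed release for that minor line."""
    version = parse_version(text)
    fixed = FIXED_BY_MINOR.get(version[:2])
    if fixed is None:
        return None
    return version < fixed

def scan_dependency_tree(lines):
    """Return (version, verdict) for every protobuf-java jar in the tree output."""
    findings = []
    for line in lines:
        match = _PROTOBUF_JAVA.search(line)
        if match:
            findings.append((match.group(1), is_affected(match.group(1))))
    return findings

# Constructed sample of `mvn dependency:tree` output, not a real NiFi build log.
SAMPLE_TREE = """\
[INFO] +- org.example:some-library:jar:1.0.0:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.20.1:compile
[INFO] \\- org.example:other-library:jar:2.0.0:compile
[INFO]    \\- com.google.protobuf:protobuf-java:jar:3.21.9:compile
""".splitlines()

if __name__ == "__main__":
    for version, verdict in scan_dependency_tree(SAMPLE_TREE):
        state = {True: "AFFECTED", False: "fixed", None: "not covered"}[verdict]
        print(f"protobuf-java {version}: {state}")
```

Run it against `mvn dependency:tree` output of the module in question; the 3.20.1 entry in the sample is the case this ticket remediates.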

--
This message was sent by Atlassian Jira
(v8.20.10#820010)