Phil Lee created NIFI-10983:
-------------------------------
Summary: Update google protobuf-java core to 3.20.3
Key: NIFI-10983
URL: https://issues.apache.org/jira/browse/NIFI-10983
Project: Apache NiFi
Issue Type: Improvement
Affects Versions: 1.19.1
Reporter: Phil Lee
Update com.google.protobuf_protobuf-java from 3.20.1 to 3.20.3. This will
remediate [CVE-2022-3509|https://nvd.nist.gov/vuln/detail/CVE-2022-3509].
A Twistlock scan reported this as a high-severity vulnerability in NiFi Toolkit
(which is included in NiFi version 1.19.1).
Impacted versions: >=3.20.0 and <3.20.3
Discovered: 2 days ago
Published: 2 days ago
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java
core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a
denial of service attack. Inputs containing multiple instances of non-repeated
embedded messages with repeated or unknown fields cause objects to be
converted back and forth between mutable and immutable forms, resulting in
potentially long garbage collection pauses. We recommend updating to the
versions mentioned above.
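An added check (not from this issue or the NiFi project) that turns the fix versions quoted above into version ranges and flags affected protobuf-java artifacts in a constructed `mvn dependency:tree` listing; how it treats the 3.17.x/3.18.x lines and anything after 3.21 is this example's reading of the advisory, not text from the issue.

```python
import re

# Fix releases named in the advisory: a protobuf-java release is affected
# when it is older than the fix release of its own minor line.
# Assumption: lines with no fix release of their own (3.17.x, 3.18.x and
# everything before 3.16) are affected, and 3.22+ shipped after the fix.
FIXED = {16: (3, 16, 3), 19: (3, 19, 6), 20: (3, 20, 3), 21: (3, 21, 7)}


def parse_version(text):
    """Turn '3.20.1' into (3, 20, 1); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True if this protobuf-java version falls in a CVE-2022-3509 range."""
    v = parse_version(version)
    major, minor, _ = v
    if major != 3 or minor > max(FIXED):
        return False  # only 3.x lines up to 3.21 are named by the advisory
    if minor < 16 or minor in (17, 18):
        return True  # no patched release exists on these lines
    return v < FIXED[minor]


# Constructed sample of `mvn dependency:tree` output, not from NiFi's build.
SAMPLE_TREE = """\
[INFO] org.apache.nifi:nifi-toolkit-cli:jar:1.19.1
[INFO] +- com.google.protobuf:protobuf-java:jar:3.20.1:compile
[INFO] +- com.google.protobuf:protobuf-java-util:jar:3.20.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# Matches the core and lite artifacts; protobuf-java-util is a separate artifact.
ARTIFACT = re.compile(r"com\.google\.protobuf:protobuf-java(?:lite)?:jar:([\d.]+):")


def affected_in_tree(tree_text):
    """Return the affected protobuf-java(lite) versions found in a tree listing."""
    found = {m.group(1) for m in ARTIFACT.finditer(tree_text)}
    return sorted(v for v in found if is_affected(v))


if __name__ == "__main__":
    print(affected_in_tree(SAMPLE_TREE))  # → ['3.20.1']
```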
--
This message was sent by Atlassian Jira
(v8.20.10#820010)