[
https://issues.apache.org/jira/browse/NIFI-10983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17680049#comment-17680049
]
David Handermann commented on NIFI-10983:
-----------------------------------------
This is a transitive dependency through {{google-cloud-kms}} and
{{{}nifi-property-protection-gcp{}}}. Upgrading the Google Libraries should
bring in a newer version of Protobuf.
> Update google protobuf-java core to 3.20.3
> ------------------------------------------
>
> Key: NIFI-10983
> URL: https://issues.apache.org/jira/browse/NIFI-10983
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.19.1
> Reporter: Phil Lee
> Assignee: David Handermann
> Priority: Major
>
> Update com.google.protobuf_protobuf-java from 3.20.1 to 3.20.3. This will
> remediate [CVE-2022-3509|https://nvd.nist.gov/vuln/detail/CVE-2022-3509]
> Twistlock scan reported this as high severity vulnerability in NiFi Toolkit
> (which is included in NiFi version 1.19.1).
> Impacted versions: >=3.20.0 and <3.20.3
> Discovered: 2 days ago
> Published: 2 days ago
> A parsing issue similar to CVE-2022-3171, but with textformat in
> protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and
> 3.16.3 can lead to a denial of service attack. Inputs containing multiple
> instances of non-repeated embedded messages with repeated or unknown fields
> causes objects to be converted back-n-forth between mutable and immutable
> forms, resulting in potentially long garbage collection pauses. We recommend
> updating to the versions mentioned above.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
