
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to protobuf-java (CVE-2022-3509).

**Summary**

IBM Event Streams is vulnerable to a denial of service attack due to a flaw in protobuf-java core and lite, the Java implementations of Protocol Buffers. Protocol Buffers are most often used for defining communications protocols (together with gRPC) and for data storage.

**Vulnerability Details**

**CVEID:** CVE-2022-3509

**DESCRIPTION:** protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for text-format data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.

**CVSS Base score:** 5.7

**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/239915 for the current score.

**CVSS Vector:** (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

| Affected Product(s) | Version(s) |
|---|---|
| IBM Event Streams | 11.1.6-11.3.2 |

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by upgrading to IBM Event Streams 11.4.0, following the upgrading and migrating documentation.

**Workarounds and Mitigations**

…
