Bug #106693 MySQL Connector/J uses outdated version of protobuf
Submitted: 10 Mar 2022 13:00 Modified: 17 Nov 2022 0:14
Reporter: Евгений Орешин Email Updates:
Status: Closed Impact on me: None
Category:Connector / J Severity:S3 (Non-critical)
Version:8.0 OS:Any
Assigned to: CPU Architecture:Any
Tags: Connector/J, protobuf

[10 Mar 2022 13:00] Евгений Орешин
Description:
MySQL Connector/J uses protobuf-java version 3.11.4
https://github.com/mysql/mysql-connector-j/blob/e920b979015ae7117d60d72bcc8f077a839cd791/s...

This version has a vulnerability:
> An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

https://nvd.nist.gov/vuln/detail/CVE-2021-22569

How to repeat:
Nothing to repeat

Suggested fix:
Use the current version of protobuf-java
https://search.maven.org/artifact/com.google.protobuf/protobuf-java
[10 Mar 2022 13:27] MySQL Verification Team
Hello Евгений Орешин,

Thank you for the report and feedback.

regards,
Umesh
[17 Nov 2022 0:14] Filipe Silva
Handled internally through a worklog.