Restore compatibility of runtime with pre-3.22.x gencode impacted by CVE-2022-3171 #22862
+168
−0
Generated code from this range is covered by CVE-2022-3171 and potentially vulnerable to a Denial of Service issue.
JavaProto 4.x previously dropped compatibility with the potentially vulnerable generated code, having the behavior of:
- The vulnerable generated code was source-incompatible with the new runtime (would not compile when built from source).
- The vulnerable generated code was ABI-incompatible with the new runtime (when using a .class file compiled against the old runtime, a NoSuchMethodException would be thrown at parse time).
After this change, instead:
- The vulnerable generated code is now source-compatible (will compile).
- The first time each potentially vulnerable type is parsed, an error message will be logged noting that potentially vulnerable generated code is in use and the name of the corresponding type.
- Environment variables may be set to either throw an exception instead (-Dcom.google.protobuf.error_on_unsafe_pre22_gencode) or to entirely silence the logged messages (-Dcom.google.protobuf.use_unsafe_pre22_gencode).
This change was made based on community feedback regarding the difficulty in identifying and quickly remediating stale gencode in their transitive dependencies weighed against a careful evaluation of the realistic risk exposure of DoS (with no risk of other concerns including information leak or RCE).
We strongly recommend that any users who observe the log messages regenerate the corresponding code with a newer protoc. We recommend that any security-conscious services opt into error_on_unsafe_pre22_gencode to preclude any risk of a Denial of Service surface area being exposed.
A future release may flip the default behavior to error by default as a measure to further help the ecosystem avoid the Denial of Service risks.