
Restore compatibility of runtime with pre-3.22.x gencode impacted by … #22998


Merged: 1 commit merged into 32.x from gberg-cp-32 on Aug 4, 2025

Conversation

googleberg
Member

CVE-2022-3171

Generated code from this range is covered by CVE-2022-3171 and potentially vulnerable to a Denial of Service issue.

JavaProto 4.x previously dropped compatibility with the potentially vulnerable generated code, having the behavior of:

  • The vulnerable generated code was source-incompatible with new runtime (would not compile when built from source)

  • The vulnerable generated code was ABI-incompatible with new runtime (when using a .class file compiled against old runtime, a NoSuchMethodException would be thrown at parse time).

After this change, instead:

  • The vulnerable generated code is now source-compatible (will compile). The first time each potentially vulnerable type is parsed, an error message will be logged noting that potentially vulnerable generated code is in use and the name of the corresponding type.

  • Environment variables may be set to either throw an exception instead (-Dcom.google.protobuf.error_on_unsafe_pre22_gencode) or to entirely silence the logged messages (-Dcom.google.protobuf.use_unsafe_pre22_gencode). This change was made based on community feedback regarding the difficulty in identifying and quickly remediating stale gencode in their transitive dependencies, weighed against a careful evaluation of the realistic risk exposure of DoS (with no risk of other concerns including information leak or RCE).

We strongly recommend that any users who observe the log messages regenerate the corresponding code with a newer protoc. We recommend that any security-conscious services opt into error_on_unsafe_pre22_gencode to preclude any risk of a Denial of Service surface area being exposed.

A future release may flip the default behavior to error by default as a measure to further help the ecosystem avoid the Denial of Service risks.

PiperOrigin-RevId: 790798112

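The PR above describes three runtime behaviours for pre-3.22 gencode, selected by JVM system properties: log once per type (default), throw (error_on_unsafe_pre22_gencode), or stay silent (use_unsafe_pre22_gencode). The following is an added example, not code from the protobuf project or from this PR: a POSIX shell audit that classifies a JVM launch line by which of those properties it carries and rewrites a weak launch line into the hardened form the PR recommends for services. The property names are taken from the PR text; the presence-only matching (no `=true` value) mirrors how the PR writes them and is an assumption to check against the runtime's documentation. The function names, the result strings, the exit codes and the sample launch lines are all constructed for this example.

```shell
#!/bin/sh
# Added example, not protobuf project code: audit JVM options for the
# pre-3.22 gencode policy described in PR #22998.

# Property names as written in the PR description.
ERROR_PROP="com.google.protobuf.error_on_unsafe_pre22_gencode"
SILENCE_PROP="com.google.protobuf.use_unsafe_pre22_gencode"

# pre22_gencode_policy "<jvm options>" prints one of (naming is this script's own):
#   fail-silenced  : logging of unsafe gencode is suppressed (weakest setting)
#   warn-log-only  : runtime default, unsafe gencode is only logged once per type
#   ok-error       : runtime throws on unsafe gencode (the PR's recommendation)
# A silencing property is reported even when the error property is also present,
# because the audit is meant to flag any launch line that opts out of the signal.
pre22_gencode_policy() {
  opts=" $1 "
  case "$opts" in
    *" -D$SILENCE_PROP"*) echo "fail-silenced"; return 2 ;;
  esac
  case "$opts" in
    *" -D$ERROR_PROP"*) echo "ok-error"; return 0 ;;
  esac
  echo "warn-log-only"
  return 1
}

# harden_jvm_opts "<jvm options>": drop any silencing property, drop any
# existing error property, then prepend exactly one error property.
harden_jvm_opts() {
  out=""
  for tok in $1; do
    case "$tok" in
      "-D$SILENCE_PROP"|"-D$SILENCE_PROP="*) ;;   # drop the opt-out
      "-D$ERROR_PROP"|"-D$ERROR_PROP="*) ;;       # re-added once below
      *) out="$out $tok" ;;
    esac
  done
  echo "-D$ERROR_PROP$out"
}

# Constructed sample launch lines (not taken from the page).
WEAK_OPTS="-Xmx2g -Dcom.google.protobuf.use_unsafe_pre22_gencode -jar svc.jar"
DEFAULT_OPTS="-Xmx2g -jar svc.jar"
HARDENED_OPTS="-Xmx2g -Dcom.google.protobuf.error_on_unsafe_pre22_gencode -jar svc.jar"

# Stand-alone run: classify each sample, then show the weak line hardened.
for o in "$WEAK_OPTS" "$DEFAULT_OPTS" "$HARDENED_OPTS"; do
  printf '%-14s %s\n' "$(pre22_gencode_policy "$o")" "$o"
done
printf 'hardened: %s\n' "$(harden_jvm_opts "$WEAK_OPTS")"
```

The classifier treats the silencing property as a failure regardless of what else is set, so a CI gate built on it flags any manifest that opts out of the log signal; the hardening function is deliberately presence-based and does not try to interpret values such as `=false`, since the PR does not say how the runtime treats them.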
@googleberg googleberg requested a review from a team as a code owner August 4, 2025 21:00
@googleberg googleberg requested review from shaod2 and zhangskz and removed request for a team and shaod2 August 4, 2025 21:00
@googleberg googleberg merged commit 4a11b61 into 32.x Aug 4, 2025
220 checks passed
@googleberg googleberg deleted the gberg-cp-32 branch August 4, 2025 21:21