
Questions about CVE-2022-3171, CVE-2022-3509 and CVE-2022-3510 #134664

@Andrew-798

🐛 Describe the bug

Description
Summary
The version of protobuf pinned in .github/requirements/pip-requirements-macOS.txt is 3.20.2. This version of protobuf contains the vulnerabilities
CVE-2022-3171, CVE-2022-3509 and CVE-2022-3510, which may pose security and performance risks to the PyTorch project.

Details
CVE-2022-3171
Severity: Medium
URL: https://www.cve.org/CVERecord?id=CVE-2022-3171
Description: A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Impact: If the PyTorch project uses the affected version of Protobuf and processes maliciously crafted messages during data serialization/deserialization, it could lead to prolonged pauses during garbage collection, affecting performance and potentially making the service unavailable.

CVE-2022-3509
Severity: High
URL: https://www.cve.org/CVERecord?id=CVE-2022-3509
Description: A parsing issue similar to GHSA-h4h5-3hr4-j3g2, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Impact: If PyTorch processes Protobuf data in text format containing maliciously crafted messages, it may cause abnormal garbage collection behavior, affecting system stability and performance, especially in scenarios where large volumes of Protobuf data are handled.

CVE-2022-3510
Severity: High
URL: https://www.cve.org/CVERecord?id=CVE-2022-3510
Description: A parsing issue similar to GHSA-h4h5-3hr4-j3g2, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Impact: If PyTorch uses the affected Protobuf version and processes maliciously crafted messages with extension fields, it could lead to garbage collection issues, affecting system stability.
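The following is an added example (not part of the issue or the PyTorch repository) of the kind of requirements-file check a maintainer would run to flag a protobuf pin that falls below the fix versions quoted in the CVE records above. It assumes the records' branch thresholds (3.21.7, 3.20.3, 3.19.6, 3.16.3) apply as given, and the requirements text it scans is a constructed sample, not the real pip-requirements-macOS.txt.

```python
import re

# Fix versions quoted in the CVE records on this page, keyed by minor branch.
# A release on one of these branches is safe at or above its branch fix; any other
# release is safe only at or above the newest fix (3.21.7). Everything else is
# treated as affected ("prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3").
FIXED_BY_BRANCH = {(3, 21): (3, 21, 7), (3, 20): (3, 20, 3),
                   (3, 19): (3, 19, 6), (3, 16): (3, 16, 3)}
NEWEST_FIX = (3, 21, 7)

# Constructed sample requirements file (assumption: not the repository's own file).
SAMPLE_REQUIREMENTS = """\
# constructed sample for the check below
numpy==1.23.5
protobuf==3.20.2   # the pin this issue is about
setuptools>=65
"""


def parse_version(text: str) -> tuple:
    """Turn '3.20.2' into (3, 20, 2), padded to three components; trailing tags are ignored."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    return (nums + (0, 0, 0))[:3]


def is_affected(version: str) -> bool:
    """True if the pinned protobuf version is below the fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return v < NEWEST_FIX


def scan_requirements(text: str) -> list:
    """Return (package, version, affected) for every exact '==' protobuf pin.
    Range specifiers (>=, ~=) are not resolved here; only exact pins are judged."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m and m.group(1).lower() == "protobuf":
            findings.append(("protobuf", m.group(2), is_affected(m.group(2))))
    return findings


if __name__ == "__main__":
    for name, version, affected in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version}: {'AFFECTED' if affected else 'ok'}")
```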
