CVE-2022-3171

一、漏洞信息
漏洞编号：CVE-2022-3171
漏洞归属组件：mindspore
漏洞归属的版本：3.13.0,3.14.0,3.15.6,3.19.6,>= 3.13.0,>= 3.13.0
CVSS V3.0分值：
BaseScore：7.5 High
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
漏洞简述：
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
漏洞公开时间：2022-10-13 07:15:09
漏洞创建时间：2024-03-22 22:46:04
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2022-3171

更多参考(点击展开)

参考来源	参考链接	来源链接
cve-coordination.google.com	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
cve-coordination.google.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
cve-coordination.google.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
cve-coordination.google.com	https://security.gentoo.org/glsa/202301-09
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3171	https://bugzilla.suse.com/show_bug.cgi?id=1204256
suse_bugzilla	http://www.cvedetails.com/cve/CVE-2022-3171/	https://bugzilla.suse.com/show_bug.cgi?id=1204256
suse_bugzilla	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2	https://bugzilla.suse.com/show_bug.cgi?id=1204256
suse_bugzilla	https://www.cve.org/CVERecord?id=CVE-2022-3171	https://bugzilla.suse.com/show_bug.cgi?id=1204256
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2022:7896	https://bugzilla.redhat.com/show_bug.cgi?id=2137645
redhat_bugzilla	https://access.redhat.com/security/cve/cve-2022-3171	https://bugzilla.redhat.com/show_bug.cgi?id=2137645
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2022:9023	https://bugzilla.redhat.com/show_bug.cgi?id=2137645
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2023:1006	https://bugzilla.redhat.com/show_bug.cgi?id=2137645
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2023:4983	https://bugzilla.redhat.com/show_bug.cgi?id=2137645
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171	https://ubuntu.com/security/CVE-2022-3171
ubuntu	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2	https://ubuntu.com/security/CVE-2022-3171
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2022-3171	https://ubuntu.com/security/CVE-2022-3171
ubuntu	https://launchpad.net/bugs/cve/CVE-2022-3171	https://ubuntu.com/security/CVE-2022-3171
ubuntu	https://security-tracker.debian.org/tracker/CVE-2022-3171	https://ubuntu.com/security/CVE-2022-3171
debian		https://security-tracker.debian.org/tracker/CVE-2022-3171
oracle		https://www.oracle.com/security-alerts/cpujan2023.html
ruby		https://github.com/rubysec/ruby-advisory-db/gems/google-protobuf/CVE-2022-3171.yml
gentoo		https://security.gentoo.org/glsa/202301-09
cve_search		https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
cve_search		https://security.gentoo.org/glsa/202301-09
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
github_advisory	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://security.gentoo.org/glsa/202301-09	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://github.com/protocolbuffers/protobuf/releases/tag/v21.7	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://nvd.nist.gov/vuln/detail/CVE-2022-3171	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
github_advisory	https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6	https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
mageia		http://advisories.mageia.org/MGASA-2023-0092.html
protobuf		https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
osv	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2	https://osv.dev/vulnerability/CVE-2022-3171
osv	https://security.gentoo.org/glsa/202301-09	https://osv.dev/vulnerability/CVE-2022-3171
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/	https://osv.dev/vulnerability/CVE-2022-3171
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/	https://osv.dev/vulnerability/CVE-2022-3171
amazon_linux_explore	https://access.redhat.com/security/cve/CVE-2022-3171	https://explore.alas.aws.amazon.com/CVE-2022-3171.html
amazon_linux_explore	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171	https://explore.alas.aws.amazon.com/CVE-2022-3171.html
osv	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://nvd.nist.gov/vuln/detail/CVE-2022-3171	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://github.com/protocolbuffers/protobuf	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://github.com/protocolbuffers/protobuf/releases/tag/v21.7	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
osv	https://security.gentoo.org/glsa/202301-09	https://osv.dev/vulnerability/GHSA-h4h5-3hr4-j3g2
nvd	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
nvd	https://security.gentoo.org/glsa/202301-09
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
redhat	https://access.redhat.com/security/cve/CVE-2022-3171
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
nvd	https://security.gentoo.org/glsa/202301-09
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3171
suse_bugzilla	http://www.cvedetails.com/cve/CVE-2022-3171/
suse_bugzilla	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
suse_bugzilla	https://www.cve.org/CVERecord?id=CVE-2022-3171
redhat_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2137645
debian	https://security-tracker.debian.org/tracker/CVE-2022-3171
nvd	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2

漏洞分析指导链接：
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复补丁	来源
	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/	nvd
	https://security.gentoo.org/glsa/202301-09	nvd
protobuf	https://github.com/protocolbuffers/protobuf/commit/9a6781e476eac2c1b06764941addb60928520c71	ubuntu

二、漏洞分析结构反馈
影响性分析说明：
该漏洞早已合入，并且同步商用仓，不影响
MindSpore评分：
7.5
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响)：
1.master:不受影响
2.v1.10:不受影响
3.v1.9.0:不受影响
4.v2.0.0:不受影响
5.v2.1.0:不受影响
6.v2.2.0:不受影响
7.v2.2.10:不受影响

@bryanbj ,@liuchao ,@huangbingjian ,@dairenjie ,@liyuxia ,@zyli2020 ,@emmmmtang ,@Henry Shi ,@fangzhou0329 ,@shenwei41 ,@jxl ,@chenhaozhe ,@zhanghaibo ,@yanghaoran ,@looop5 ,@kyang ,@chengang ,@mindspore_ding ,@ougongchang ,@zhunaipan ,@herryshi1 ,@Zenzenzense ,@zhaoting ,@徐永飞 ,@yxx ,@ZPaC ,@Greatpan ,@yefeng ,@fangzehua
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, MindSpore评分, 受影响版本排查(受影响/不受影响))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

MindSpore评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.master:
2.v1.10:
3.v1.9.0:
4.v2.0.0:
5.v2.1.0:
6.v2.2.0:
7.v2.2.10:

issue处理具体操作请参考:
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

Please assign maintainer to check this issue.
请为此issue分配处理人。
@mindspore-ci-bot

感谢您的提问，您可以评论//mindspore-assistant更快获取帮助：

如果您刚刚接触MindSpore，或许您可以在教程找到答案
如果您是资深Pytorch用户，您或许需要：

如果您遇到动态图问题，可以设置set_context(pynative_synchronize=True)查看报错栈协助定位
模型精度调优问题可参考官网调优指南
如果您反馈的是框架BUG，请确认您在ISSUE中提供了MindSpore版本、使用的后端类型（CPU、GPU、Ascend）、环境、训练的代码官方链接以及可以复现报错的代码的启动方式等必要的定位信息
如果您已经定位出问题根因，欢迎提交PR参与MindSpore开源社区，我们会尽快review

影响性分析说明：
该漏洞早已合入，并且同步商用仓，不影响
MindSpore评分：

受影响版本排查(受影响/不受影响)：
1.master:不受影响
2.v1.10:不受影响
3.v1.9.0:不受影响
4.v2.0.0:不受影响
5.v2.1.0:不受影响
6.v2.2.0:不受影响
7.v2.2.10:不受影响

@fangzhou0329 经过 cve-manager 解析, 已分析的内容如下表所示:

状态	需分析	内容
已分析	1.影响性分析说明	该漏洞早已合入，并且同步商用仓，不影响
已分析	2.MindSporeScore	7.5
已分析	3.MindSporeVector	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
已分析	4.受影响版本排查	master:不受影响,v1.10:不受影响,v1.9.0:不受影响,v2.0.0:不受影响,v2.1.0:不受影响,v2.2.0:不受影响,v2.2.10:不受影响

请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.

影响性分析说明：
该漏洞早已合入，并且同步商用仓，不影响
MindSpore评分：
7.5
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响)：
1.master:不受影响
2.v1.10:不受影响
3.v1.9.0:不受影响
4.v2.0.0:不受影响
5.v2.1.0:不受影响
6.v2.2.0:不受影响
7.v2.2.10:不受影响

@si_chasing 经过 cve-manager 解析, 已分析的内容如下表所示:

状态	需分析	内容
已分析	1.影响性分析说明	该漏洞早已合入，并且同步商用仓，不影响
已分析	2.MindSporeScore	7.5
已分析	3.MindSporeVector	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
已分析	4.受影响版本排查	master:不受影响,v1.10:不受影响,v1.9.0:不受影响,v2.0.0:不受影响,v2.1.0:不受影响,v2.2.0:不受影响,v2.2.10:不受影响

请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.

GVP MindSpore / mindspore

内容风险标识

评论 (7)

GVPMindSpore / mindspore

内容风险标识

CVE-2022-3171

评论 (7)

搜索帮助

GVP MindSpore / mindspore