
[FP]: protobuf-java 4.x release candidates flagged with CVE-2022-3171 #6361

Closed
cdcnw opened this issue Jan 4, 2024 · 6 comments
Labels
FP Report maven changes to the maven plugin ossindex Label for issues that relate to the OSSIndex API won't fix

Comments

cdcnw commented Jan 4, 2024

Package URL

pkg:maven/com.google.protobuf/[email protected]

CPE

cpe:2.3:a:com.google.protobuf:protobuf-java:4.0.0-rc-2:*:*:*:*:*:*:*

CVE

CVE-2022-3171

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

9.0.7

Description

OWASP Dependency Check is incorrectly flagging protobuf-java 4.0.0-rc-2 and 4.0.0-rc-1 with CVE-2022-3171. According to the CPEs currently published to the NVD, no 4.x releases of this JAR should be considered vulnerable. From the NVD:

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack.

The CPEs all have an upper limit in the 3.x range so this appears to be an issue with ODC and not the NVD's data.

@cdcnw cdcnw added the FP Report label Jan 4, 2024
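The reasoning in the report above is a version-range check: the NVD text lists fixed releases on several 3.x branches, so anything at or beyond 3.21.7 (including the 4.0.0 release candidates) sits outside the NVD range. The script below, an added example that is not part of this thread or of OWASP Dependency-Check, makes that check explicit. Its reading of "prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3" is an assumption: a version is affected when it is below the newest fixed release and not at or above the fix on its own major.minor branch (so unfixed branches such as 3.17.x count as affected). The sample version list is constructed.

```python
"""Check whether a protobuf-java version falls inside the NVD range quoted in
the issue ("prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3" for CVE-2022-3171).

Constructed example; not part of OWASP Dependency-Check. The interpretation
of the NVD sentence is an assumption: a version is affected when it is below
the newest fixed release and not at or above the fix on its own major.minor
branch (unfixed branches such as 3.17.x therefore count as affected).
"""
import re

# Fixed versions quoted from the NVD description on the issue page.
CVE_2022_3171_FIXES = ("3.21.7", "3.20.3", "3.19.6", "3.16.3")


def parse_version(text):
    """Split '4.0.0-rc-2' into (numbers, is_release, prerelease_tag).

    Pre-releases sort before the release with the same numbers, matching
    Maven's ordering of '4.0.0-rc-2' < '4.0.0'.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(.+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so 3.21 compares equal to 3.21.0.
    numbers = numbers + (0,) * (3 - len(numbers))
    tag = m.group(2) or ""
    return (numbers, 0 if tag else 1, tag)


def branch(version):
    """Return the major.minor pair used to match a version to its fix."""
    return version[0][:2]


def affected_by_range(version_text, fixes=CVE_2022_3171_FIXES):
    """True when version_text lies inside the vulnerable range derived from fixes."""
    v = parse_version(version_text)
    fixed = [parse_version(f) for f in fixes]
    if v >= max(fixed):
        return False          # at or beyond the newest patched line
    for f in fixed:
        if branch(f) == branch(v) and v >= f:
            return False      # on a patched branch, at or after its fix
    return True


def classify(versions, fixes=CVE_2022_3171_FIXES):
    """Map each version to its verdict; useful as a quick FP triage table."""
    return {v: affected_by_range(v, fixes) for v in versions}


if __name__ == "__main__":
    # Constructed sample covering each branch boundary and the 4.x rcs.
    sample = ["3.16.2", "3.16.3", "3.17.1", "3.20.2", "3.20.3",
              "3.21.6", "3.21.7", "4.0.0-rc-1", "4.0.0-rc-2"]
    for ver, hit in classify(sample).items():
        print(f"{ver:12} {'AFFECTED' if hit else 'not affected'}")
```

Running it shows 3.21.6 and 3.17.1 inside the range and 3.20.3, 3.21.7 and both 4.0.0 release candidates outside it. Note that the check only covers the NVD data; a finding sourced from another feed (the OSSINDEX-suffixed entries discussed later in this thread) carries that feed's own range and has to be validated against it. Also worth keeping in mind when applying the bot-generated suppression above: its packageUrl regex matches every protobuf-java version, so a rule pinned to the two affected coordinates (for example `@4\.0\.0-rc-[12]$`) limits the suppression to the false positive without hiding genuine 3.x findings.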
Contributor

github-actions bot commented Jan 4, 2024

Maven Coordinates

<dependency>
   <groupId>com.google.protobuf</groupId>
   <artifactId>protobuf-java</artifactId>
   <version>4.0.0-rc-2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6361
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-java@.*$</packageUrl>
   <cpe>cpe:/a:com.google.protobuf:protobuf-java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7414370161

@github-actions github-actions bot added the maven changes to the maven plugin label Jan 4, 2024
Author

cdcnw commented Jan 4, 2024

I've found this same issue is happening with CVE-2022-3509 as well. Both 4.0.0-rc-1 and 4.0.0-rc-2 are being flagged with this CVE despite these versions being outside the range of its vulnerable CPEs.

Collaborator

aikebah commented Jan 10, 2024

The 'OSSINDEX' suffix to the CVE in the report means that the researchers of OSSINDEX classified that library as vulnerable to the same issue. Whether or not that is valid is up to you to further validate and discuss with the people at OSSINDEX.
DependencyCheck validly reports that, according to the OSSINDEX vulnerability database, the rc's are subject to the same CVE.

@aikebah aikebah closed this as not planned Jan 10, 2024
@aikebah aikebah added won't fix ossindex Label for issues that relate to the OSSIndex API labels Jan 10, 2024
Author

cdcnw commented Jan 10, 2024

@aikebah - Maybe I'm looking in the wrong place, but the OSSINDEX page on GitHub and Sonatype only list 3.x versions as vulnerable. None of the resources I have found indicate that 4.x releases should be considered in the vulnerable range. Is there somewhere else I should be looking?

Edit: Never mind, I see the version isn't listed in the vulnerability description on the index, but the vulnerability is listed on the specific page for that version. I'll follow up there.

Collaborator

aikebah commented Jan 10, 2024

@cdcnw The report created shows CVE-2022-3171 (OSSINDEX) as the title of the reported vulnerability, indicating that the vulnerability was reported by OSSIndex's API when it was queried with the package coordinates.

Collaborator

aikebah commented Jan 10, 2024

The CPE links to https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/[email protected]?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.7
where OSSINDEX is indeed indicating the CVE applies to 4.0.0-rc-2 according to their dataset (visible after you log in with a (free to sign up) account).
