Security update due to CVE-2024-7254: potential Denial of Service in protobuf-java

[arusevm]

Security Announcement

A High Severity vulnerability was recently found in the protobuf-java library, which in turn is affecting a number of java artifacts published by mishmash.io.

We've just released updated versions of our packages - replacing the vulnerable dependency with its fixed version. These releases are now available for download on all relevant repositories (GitHub, Maven Central, DockerHub).

About CVE-2024-7254:

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected]

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.