Protobuf Java DoS CVE-2022-3171


Eric Anderson

Oct 4, 2022, 7:12:06 PM
to grpc-io
Protobuf versions prior to 3.21.7 suffer from CVE-2022-3171. Notably, the fix requires regenerating code, so make sure your protoc version is upgraded and you verify important dependencies have rebuilt their generated code. See their advisory for the fixed versions of protobuf.

gRPC 1.48.2 and 1.49.2 regenerate protobuf code that gRPC publishes, like those in grpc-services. You are encouraged to upgrade. Patch releases for 1.36 and 1.41-1.47 are upcoming.
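One way to act on the advice above is to audit a Maven dependency tree for protobuf-java artifacts that are still older than 3.21.7, including transitive ones pulled in by libraries that ship generated code. The following is an added example, not code from the post, gRPC or protobuf; the dependency-tree text is constructed to resemble `mvn dependency:tree` output, the only threshold modelled is the "prior to 3.21.7" one stated in the post, and a hit on an older release line means "check the advisory for that line's fixed version", not necessarily "vulnerable".

```python
"""Flag protobuf-java artifacts below the fixed 3.21.x release in a Maven
dependency tree.  Added example; the tree text is constructed."""
import re
from typing import List, Tuple

# Threshold taken from the post: versions prior to 3.21.7 are affected.
FIXED_VERSION = (3, 21, 7)

# Matches the "groupId:artifactId:packaging:version:scope" coordinates that
# `mvn dependency:tree` prints after its "+- " / "\- " tree-drawing prefix.
COORD_RE = re.compile(
    r"(?P<group>com\.google\.protobuf):(?P<artifact>protobuf-java(?:-util)?):"
    r"(?:jar|bundle):(?P<version>[0-9][^:\s]*)"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.21.6' into (3, 21, 6).  Non-numeric suffixes such as '-rc-1'
    are dropped, so a pre-release compares as its base number."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def find_vulnerable(tree_text: str, fixed=FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs whose version is below `fixed`.

    Every line is inspected, so transitive dependencies (deeper in the tree)
    are reported just like direct ones; that is where stale generated code
    from a third-party library usually hides."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m and parse_version(m.group("version")) < fixed:
            hits.append((m.group("artifact"), m.group("version")))
    return hits


# Constructed sample: the application itself is on the fixed release, but a
# hypothetical third-party library still drags in an older protobuf-java-util.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.google.protobuf:protobuf-java:jar:3.21.7:compile
[INFO] +- com.example:legacy-lib:jar:2.0.0:compile
[INFO] |  \\- com.google.protobuf:protobuf-java-util:jar:3.21.6:compile
[INFO] \\- io.grpc:grpc-protobuf:jar:1.48.2:compile
"""

if __name__ == "__main__":
    for artifact, version in find_vulnerable(SAMPLE_TREE):
        print(f"{artifact} {version} is below 3.21.7: upgrade it and confirm "
              f"the library that depends on it has regenerated its code")
```

In a real build you would feed the script the saved output of `mvn dependency:tree` (or the equivalent Gradle report); the regex only recognises the Maven coordinate format, so adapt it for other build tools. Because the post notes that the fix requires regenerated code, a clean result here is necessary but not sufficient: a library can depend on the fixed runtime and still ship classes generated by an older protoc, which this dependency-level check cannot see.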