A potential Denial of Service issue in protobuf-java

[anguillanneuf]

Outdated protobuf-java found in main/load-test-framework:

Please update to the latest available versions of the following packages:

• protobuf-java (3.16.1, 3.18.2, 3.19.2)

CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.

[anguillanneuf]

@dpcollins-google or someone else can update this and other dependencies in this project.

[dpcollins-google]

It's a bit irrelevant? It's only in an example framework for running load tests not production workflows.

[anguillanneuf]

Should still update these deps (even if not urgent and used in production).