Director 22.1.4 releases before Dec 2025 are vulnerable to CVE-2015-5237 because they ship the protobuf 3.0.0 packages shown below (libprotobuf10 and python-protobuf):

[Administrator@versa-director: tmp] $ dpkg -l | grep protob
ii  libprotobuf-c1:amd64                  1.2.1-2                                              amd64        Protocol Buffers C shared library (protobuf-c)
ii  libprotobuf10:amd64                   3.0.0-9.1ubuntu1.1+esm3                              amd64        protocol buffers C++ library
ii  python-protobuf                       3.0.0-9.1ubuntu1.1+esm3                              amd64        Python bindings for protocol buffers


The Director 22.1.4 hot-fix image post Dec 2025 incorporates a fix by removing the above packages (via PR 137791), so the essential solution is to upgrade to a hot-fix image post Dec 2025.

However, installing an osspack after the upgrade tends to re-install these packages. This will be fixed in the next osspack release.

Hence, if you are running a 22.1.4 release older than Dec 2025, you need to upgrade to a newer hot-fix image (any release post Dec 2025) to address this vulnerability.

Also, if you installed an osspack (dated 16 April 2026 or earlier) after upgrading to the hot-fix image, it will have re-installed these protobuf packages. As a workaround you can manually purge the packages as below. Note: this workaround applies only to a 22.1.4 Director image post Dec 2025 and must not be attempted on a Director release older than Dec 2025.


i) Run dpkg -s vnms | grep 'python-protobuf'. This must return nothing, as below: any release post Dec 2025 shows empty output because the vnms package no longer references python-protobuf. If the command returns any output, do not proceed to the next step.

[Administrator@versa-director: ~] $ dpkg -s vnms | grep 'python-protobuf'
[Administrator@versa-director: ~] $ 

ii) Once step i) has confirmed that there is no dependency on this package, purge the packages with the command below:

[Administrator@versa-director: tmp] $ sudo dpkg --purge python-protobuf libprotobuf10
(Reading database ... 86687 files and directories currently installed.)
Removing python-protobuf (3.0.0-9.1ubuntu1.1+esm3) ...
Removing libprotobuf10:amd64 (3.0.0-9.1ubuntu1.1+esm3) ...
Processing triggers for libc-bin (2.27-3ubuntu1.6+esm6) ...
[Administrator@versa-director: tmp] $ 
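The two steps above as one guarded script, added here as an example and not Versa's own tooling: the step i) check gates the purge, and a post-purge read of dpkg -l confirms both packages are gone (a purged package disappears from dpkg -l entirely; a package that was only removed would linger in state "rc"). The package names vnms, python-protobuf and libprotobuf10 are those on this page; the function names, the --run flag and the messages are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Versa's own tooling: the manual protobuf purge workaround
# wrapped in the step i) dependency check, with a post-purge verification.
# Package names (vnms, python-protobuf, libprotobuf10) are from the page;
# the function names and the --run flag are assumptions for this example.

# Step i) as a pure check on the text of `dpkg -s vnms`: succeeds (exit 0)
# only when the status block never mentions python-protobuf, which is the
# "empty grep output" condition the page requires before purging.
vnms_free_of_protobuf() {
    ! printf '%s\n' "$1" | grep -q 'python-protobuf'
}

# Post-purge check on the text of `dpkg -l`: prints every package name
# (architecture suffix stripped for the comparison) that is python-protobuf
# or libprotobuf10 and still in the installed ("ii") state. Empty output
# means the purge held. An "rc" entry (removed, config files left) is not
# reported, but `dpkg --purge` leaves no such entry at all.
still_installed() {
    printf '%s\n' "$1" | awk '
        $1 == "ii" {
            p = $2
            sub(/:.*/, "", p)
            if (p == "python-protobuf" || p == "libprotobuf10") print $2
        }'
}

# Driver for a Director host: refuses to purge when step i) fails, purges,
# then re-reads dpkg -l to confirm both packages are gone.
run_workaround() {
    status=$(dpkg -s vnms 2>&1) || {
        echo "cannot query vnms via dpkg; is this a Director host?" >&2
        return 2
    }
    if ! vnms_free_of_protobuf "$status"; then
        echo "vnms still references python-protobuf: do NOT purge (image older than Dec 2025?)" >&2
        printf '%s\n' "$status" | grep 'python-protobuf' >&2
        return 1
    fi
    sudo dpkg --purge python-protobuf libprotobuf10 || return 1
    left=$(still_installed "$(dpkg -l)")
    if [ -n "$left" ]; then
        echo "purge did not take effect, still installed: $left" >&2
        return 1
    fi
    echo "protobuf 3.0.0 packages purged; re-run after any osspack install dated 16 Apr 2026 or earlier"
}

# Only touch the system when invoked as: sh purge_protobuf.sh --run
if [ "${1:-}" = "--run" ]; then
    run_workaround
fi
```

Invoke it as sh purge_protobuf.sh --run on the Director; without --run it only defines the functions, so the two checks can be exercised against captured dpkg text on any machine.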


The next osspack release (due end of April or mid May 2026) will ensure that these protobuf packages are not re-installed during the osspack update.