CVE Vulnerabilities

CVE-2022-31030

Uncontrolled Resource Consumption

Published: Jun 09, 2022 | Modified: Nov 21, 2024
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
2.1 LOW
AV:L/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

containerd is an open source container runtime. A bug was found in the containerds CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerds CRI implementation; ExecSync may be used when running probes or when executing processes via an exec facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name Vendor Start Version End Version
Containerd Linuxfoundation * 1.5.13 (excluding)
Containerd Linuxfoundation 1.6.0 (including) 1.6.6 (excluding)
Containerd Ubuntu bionic *
Containerd Ubuntu devel *
Containerd Ubuntu esm-apps/bionic *
Containerd Ubuntu esm-apps/xenial *
Containerd Ubuntu esm-infra/focal *
Containerd Ubuntu focal *
Containerd Ubuntu impish *
Containerd Ubuntu jammy *
Containerd Ubuntu kinetic *
Containerd Ubuntu upstream *

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References