containerd is an open source container runtime. A bug was found in the containerds CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerds CRI implementation; ExecSync may be used when running probes or when executing processes via an exec facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
The product does not properly control the allocation and maintenance of a limited resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Containerd | Linuxfoundation | * | 1.5.13 (excluding) |
| Containerd | Linuxfoundation | 1.6.0 (including) | 1.6.6 (excluding) |
| Containerd | Ubuntu | bionic | * |
| Containerd | Ubuntu | devel | * |
| Containerd | Ubuntu | esm-apps/bionic | * |
| Containerd | Ubuntu | esm-apps/xenial | * |
| Containerd | Ubuntu | esm-infra/focal | * |
| Containerd | Ubuntu | focal | * |
| Containerd | Ubuntu | impish | * |
| Containerd | Ubuntu | jammy | * |
| Containerd | Ubuntu | kinetic | * |
| Containerd | Ubuntu | upstream | * |
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.