First published: Wed Dec 07 2022
### Impact

A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation, and the stream server is used for handling container IO.

### Patches

This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue.

### Workarounds

Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)
* Email us at [security@containerd.io](mailto:security@containerd.io)

To report a security issue in containerd:

* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)
* Email us at [security@containerd.io](mailto:security@containerd.io)
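The leak pattern described under Impact, reduced to its essentials as an added Go example (not containerd's code): a handler starts a resize-forwarding goroutine before the process is known to have launched, and a failed launch leaves that goroutine blocked on a send nobody will ever receive. `TerminalSize`, `LeakyResizeHandler`, `FixedResizeHandler` and `LeakedGoroutines` are constructed names; the fix shown (tying the goroutine to a context cancelled on return) is one standard remedy, not a claim about the upstream patch.

```go
package main

import (
	"context"
	"runtime"
	"time"
)

type TerminalSize struct{ Width, Height uint16 } // constructed stand-in for a resize event

// LeakyResizeHandler models the advisory's bug: the resize-forwarding goroutine
// starts before the process is known to have launched. If the launch fails, no
// one receives from the unbuffered channel, so the goroutine blocks forever.
func LeakyResizeHandler(launchOK bool) {
	resize := make(chan TerminalSize) // unbuffered: a send blocks until received
	go func() { resize <- TerminalSize{Width: 80, Height: 24} }()
	if !launchOK {
		return // early exit: the forwarding goroutine is now leaked
	}
	<-resize // the real consumer would be the running process's TTY
}

// FixedResizeHandler ties the goroutine to a context cancelled on return, so a
// failed launch lets it observe cancellation and exit instead of blocking.
func FixedResizeHandler(launchOK bool) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	resize := make(chan TerminalSize)
	go func() {
		select {
		case resize <- TerminalSize{Width: 80, Height: 24}:
		case <-ctx.Done(): // launch failed: give up cleanly
		}
	}()
	if !launchOK {
		return
	}
	<-resize
}

// LeakedGoroutines calls handler n times with a failing launch and reports how
// many goroutines remain above the baseline once the scheduler settles.
func LeakedGoroutines(handler func(bool), n int) int {
	base := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		handler(false)
	}
	time.Sleep(50 * time.Millisecond) // let cancelled goroutines finish exiting
	return runtime.NumGoroutine() - base
}
```

Running `LeakedGoroutines` against each handler makes the difference measurable: the leaky handler leaves one blocked goroutine per failed launch, which is exactly what lets an unprivileged caller grow host memory without bound.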
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linuxfoundation Containerd | <1.5.16 | |
| Linuxfoundation Containerd | >=1.6.0, <1.6.12 | |
| go/github.com/containerd/containerd | >=1.6.0, <1.6.12 | 1.6.12 |
| go/github.com/containerd/containerd | <1.5.16 | 1.5.16 |
CVE-2022-23471 is a vulnerability in containerd, an open source container runtime, that allows a user to exhaust memory on the host.
Linuxfoundation Containerd versions before 1.5.16, and versions from 1.6.0 up to but not including 1.6.12, are affected by CVE-2022-23471.
CVE-2022-23471 has a severity rating of 6.5 (medium).
To fix CVE-2022-23471, upgrade containerd to a version that is not affected by the vulnerability (1.5.16 or 1.6.12 and later).
More information about CVE-2022-23471 can be found in the GitHub references provided.