CWE: 400 (Uncontrolled Resource Consumption)

CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync

First published: Mon Jun 06 2022

### Impact

A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility.

### Patches

This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue.

### Workarounds

Ensure that only trusted images and commands are used.

### References

* Similar fix in cri-o's CRI implementation: https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j

### Credits

The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md) during a security audit sponsored by CNCF and facilitated by OSTIF.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)
* Email us at [security@containerd.io](mailto:security@containerd.io)
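
The memory growth described under Impact follows from what `ExecSync` has to deliver: the CRI response carries the command's complete stdout and stderr, so the daemon holds the output in memory until the process exits, and a process that never stops writing drives that allocation. The Go program below is an added example, not containerd's code and not the actual 1.6.6/1.5.13 patch. It contrasts an unbounded capture with a writer that retains at most a fixed number of bytes and counts what it discards. The names `BoundedWriter`, `captureUnbounded` and `captureBounded`, the 16 KiB cap and the 1 MiB "noisy process" are assumptions made for the illustration; the advisory does not state what limit the fixed releases apply.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
)

// captureUnbounded keeps everything the process writes, which is the pattern
// the advisory describes: memory held grows with the output of the program
// running inside the container.
func captureUnbounded(stdout io.Reader) []byte {
	var buf bytes.Buffer
	_, _ = io.Copy(&buf, stdout)
	return buf.Bytes()
}

// BoundedWriter (illustrative name) stores at most limit bytes and counts the
// rest. It reports every write as fully consumed so the producing process is
// never blocked on a full pipe; a server can watch Truncated and decide to
// kill the process or return the truncated prefix.
type BoundedWriter struct {
	limit     int
	buf       bytes.Buffer
	Dropped   int64 // bytes discarded after the cap was reached
	Truncated bool  // set once any byte has been discarded
}

func NewBoundedWriter(limit int) *BoundedWriter {
	return &BoundedWriter{limit: limit}
}

// Write implements io.Writer; the memory held by buf never exceeds limit.
func (w *BoundedWriter) Write(p []byte) (int, error) {
	room := w.limit - w.buf.Len()
	if room < 0 {
		room = 0
	}
	keep := len(p)
	if keep > room {
		keep = room
	}
	w.buf.Write(p[:keep])
	if keep < len(p) {
		w.Truncated = true
		w.Dropped += int64(len(p) - keep)
	}
	return len(p), nil
}

// Bytes returns the retained prefix of the output.
func (w *BoundedWriter) Bytes() []byte { return w.buf.Bytes() }

// captureBounded drains stdout through a BoundedWriter with the given cap.
func captureBounded(stdout io.Reader, limit int) *BoundedWriter {
	w := NewBoundedWriter(limit)
	_, _ = io.Copy(w, stdout)
	return w
}

func main() {
	// Constructed stand-in for a process that floods its stdout: 1 MiB of 'A'.
	// A hostile program would simply never stop writing.
	const total = 1 << 20
	noisy := func() io.Reader { return strings.NewReader(strings.Repeat("A", total)) }

	kept := captureUnbounded(noisy())
	fmt.Printf("unbounded capture retained %d bytes\n", len(kept))

	// Assumed cap for the example; the advisory does not quote the limit
	// that the fixed containerd releases apply.
	const limit = 16 << 10
	b := captureBounded(noisy(), limit)
	fmt.Printf("bounded capture retained %d bytes, dropped %d, truncated=%v\n",
		len(b.Bytes()), b.Dropped, b.Truncated)
}
```

The design choice worth noting is that `Write` still reports the full length: silently swallowing the excess keeps the child process from blocking on a full pipe, while the `Truncated` flag lets the caller tell the client that the result is incomplete rather than pretending the command produced only 16 KiB.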

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/containerd | (Debian 11 packages) | 1.4.13~ds1-1~deb11u2, 1.4.13~ds1-1~deb11u4, 1.6.20~ds1-1, 1.6.20~ds1-2 |
| Linuxfoundation Containerd | <1.5.13 | 1.5.13 |
| Linuxfoundation Containerd | >=1.6.0 <1.6.6 | 1.6.6 |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| go/github.com/containerd/containerd | >=1.6.0 <1.6.6 | 1.6.6 |
| go/github.com/containerd/containerd | <1.5.13 | 1.5.13 |
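
To check a host against the upstream ranges in the table, the following Go program (an added example, not a SecAlerts or containerd tool) parses either a bare version or a `containerd --version` line and applies the two affected ranges: everything before 1.5.13, and 1.6.0 up to but not including 1.6.6. The sample lines are constructed, and the treatment of Debian's `~` revision suffix is a heuristic: Debian backports the fix into packages whose upstream version string still falls inside the affected range (the 1.4.13~ds1-1~deb11u2 package in the table is a fixed build), so for distribution packages the package changelog, not this comparison, is authoritative.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is an upstream containerd release as major.minor.patch.
type Version [3]int

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	for i := 0; i < 3; i++ {
		if v[i] != o[i] {
			return v[i] < o[i]
		}
	}
	return false
}

// parseBare reduces "1.6.5", "v1.6.5", "1.6.6-rc.1" or the Debian string
// "1.4.13~ds1-1~deb11u2" to its upstream major.minor.patch. Pre-release and
// distro suffixes are dropped, so a release candidate of a fixed version is
// treated as that version; refine this if you track pre-releases.
func parseBare(s string) (Version, bool) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+~"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, false
	}
	var v Version
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, false
		}
		v[i] = n
	}
	return v, true
}

// ParseVersion accepts a bare version or a whole `containerd --version`
// line and returns the first whitespace-separated field that parses.
func ParseVersion(line string) (Version, error) {
	for _, w := range strings.Fields(line) {
		if v, ok := parseBare(w); ok {
			return v, nil
		}
	}
	return Version{}, fmt.Errorf("no version found in %q", line)
}

// AffectedUpstream applies the advisory's ranges: every release before
// 1.5.13, and 1.6.0 up to but not including 1.6.6.
func AffectedUpstream(v Version) bool {
	fix15 := Version{1, 5, 13}
	start16 := Version{1, 6, 0}
	fix16 := Version{1, 6, 6}
	if v.Less(fix15) {
		return true
	}
	return !v.Less(start16) && v.Less(fix16)
}

// DistroPackaged flags version strings carrying a distribution revision
// (the "~" convention seen in the Debian entries above). For those the
// upstream range test alone is not conclusive.
func DistroPackaged(s string) bool {
	return strings.Contains(s, "~")
}

func main() {
	// Constructed samples; the first mimics a `containerd --version` line.
	samples := []string{
		"containerd github.com/containerd/containerd v1.6.5 0123456789abcdef",
		"1.6.6",
		"1.5.12",
		"1.4.13~ds1-1~deb11u2",
	}
	for _, s := range samples {
		v, err := ParseVersion(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		verdict := "fixed upstream"
		if AffectedUpstream(v) {
			verdict = "AFFECTED by upstream range"
		}
		if DistroPackaged(s) {
			verdict += "; distro package, check its changelog"
		}
		fmt.Printf("%-70q -> %d.%d.%d %s\n", s, v[0], v[1], v[2], verdict)
	}
}
```

Feed the program the output of `containerd --version` on each node; a Kubernetes cluster can also surface the runtime version through `kubectl get nodes -o wide`, and the same range test applies to that string.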


Frequently Asked Questions

  • What is CVE-2022-31030?

    CVE-2022-31030 is a vulnerability found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API, leading to the consumption of all available memory.

  • How does CVE-2022-31030 affect containerd?

    CVE-2022-31030 affects containerd by allowing programs inside a container to exploit a bug in the CRI implementation and cause the containerd daemon to consume memory without bound.

  • What is the severity of CVE-2022-31030?

    CVE-2022-31030 has a severity rating of 5.5 (medium).

  • Which versions of containerd are affected by CVE-2022-31030?

    Upstream containerd releases before 1.5.13, and releases from 1.6.0 up to but not including 1.6.6, are affected. Debian 11 and Fedora 35 and 36 shipped affected packages. The Debian package versions 1.4.13~ds1-1~deb11u2, 1.4.13~ds1-1~deb11u4, 1.6.20~ds1-1 and 1.6.20~ds1-2 listed above are the fixed builds, not affected ones; Debian backports the fix under the older upstream version number.

  • How can I fix CVE-2022-31030?

    To fix CVE-2022-31030, update containerd to 1.6.6 or 1.5.13 (or a later release in the same series). On Debian 11, install the patched package (1.4.13~ds1-1~deb11u2 or later, such as 1.4.13~ds1-1~deb11u4; the 1.6.20~ds1-1 and 1.6.20~ds1-2 builds are likewise fixed). Make sure the containerd daemon is restarted after the upgrade so the running process picks up the fix, and until then limit which images and exec commands (including probes) are allowed to run.

© 2024 SecAlerts Pty Ltd.