CVE-2022-31080: KubeEdge Websocket Client in package Viaduct: DoS from large response message
First published: Mon Jul 11 2022(Updated: )
### Impact A large response received by the viaduct WSClient can cause a DoS from memory exhaustion. The entire body of the response is being read into memory which could allow an attacker to send a request that returns a response with a large body. The consequence of the exhaustion is that the process which invokes a WSClient will be in a denial of service. It will be affected If users which are authenticated to the edge side and connect from the edge side to `cloudhub` through WebSocket protocol. ### Patches This bug has been fixed in Kubeedge 1.11.1, 1.10.2, 1.9.4. Users should update to these versions to resolve the issue. ### Workarounds At the time of writing, no workaround exists. ### References NA ### Credits Thanks David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the [kubeedge security policy](https://github.com/kubeedge/kubeedge/security/policy) during a security audit sponsored by CNCF and facilitated by OSTIF. ### For more information If you have any questions or comments about this advisory: * Open an issue in [KubeEdge repo](https://github.com/kubeedge/kubeedge/issues/new/choose) * To make a vulnerability report, email your vulnerability to the private [cncf-kubeedge-security@lists.cncf.io](mailto:cncf-kubeedge-security@lists.cncf.io) list with the security details and the details expected for [KubeEdge bug reports](https://github.com/kubeedge/kubeedge/blob/master/.github/ISSUE_TEMPLATE/bug-report.md).
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linuxfoundation Kubeedge | <1.9.4 | |
| Linuxfoundation Kubeedge | >=1.10.0<1.10.2 | |
| Linuxfoundation Kubeedge | >=1.11.0<1.11.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/github-advisory
- alias/GHSA-6wvc-6pww-qr4r
- alias/CVE-2022-31080
- collector/github-advisory-latest
- collector/nvd-index
- collector/nvd-cve
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/tags
- agent/trending
- package-manager/go
- vendor/linuxfoundation
- canonical/linuxfoundation kubeedge
- version/linuxfoundation kubeedge/1.10.0
- version/linuxfoundation kubeedge/1.11.0