CVE-2022-31030

Published: Jun 9, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.

Affected (5)

Products: Linuxfoundation: Containerd · Debian: Debian Linux · Fedoraproject: Fedora

Linuxfoundation

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Linuxfoundation Containerd	Before 1.5.13
Linuxfoundation Containerd	From 1.6.0 to 1.6.6

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 11.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (14)

http://www.openwall.com/lists/oss-security/2022/06/07/1

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382

Source: security-advisories@github.com

ProductThird Party Advisory

https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf

Source: security-advisories@github.com

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/

Source: security-advisories@github.com

https://security.gentoo.org/glsa/202401-31

Source: security-advisories@github.com

https://www.debian.org/security/2022/dsa-5162

Source: security-advisories@github.com

Third Party Advisory

http://www.openwall.com/lists/oss-security/2022/06/07/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202401-31

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.debian.org/security/2022/dsa-5162

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.