Uncontrolled Resource Consumption
CVE-2022-23471
Summary
containerd is an open source container runtime. A bug was found in containerd's versions prior to 1.5.16, 1.6.x prior to 1.6.12, and 1.7.0-beta.1 CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permission to execute commands in running containers.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published
