CVE-2022-23471
Memory Exhaustion vulnerability in containerd (Go)

What is CVE-2022-23471 About?

This vulnerability in containerd's CRI implementation allows a user to exhaust memory on the host through a memory leak in the CRI stream server. When a user process fails to launch with a requested TTY, a goroutine gets stuck and is never cleaned up, which leads to resource exhaustion. This makes it a denial-of-service risk with moderate ease of exploitation.

Affected Software

  • github.com/containerd/containerd
    • >1.6.0, <1.6.12
    • <1.5.16

Technical Details

The containerd CRI stream server launches a goroutine to handle terminal resize events whenever a TTY is requested. If the user's process that was supposed to use this TTY fails to launch (e.g., due to a faulty command), the goroutine remains active but is stuck waiting to send, with no corresponding receiver. Each orphaned goroutine keeps holding its memory, so the result is a memory leak. Over time, repeated triggering of this condition by users can exhaust the host system's memory, resulting in a denial-of-service condition affecting Kubernetes and crictl environments that use containerd's CRI.
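The stuck-send pattern described above, reduced to a self-contained Go program. This is an added illustration, not containerd's code or its patch: `ResizeEvent`, `forward` and `SimulateFailedLaunch` are hypothetical names, and the context-guarded send is a general Go way to bound such a goroutine's lifetime.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

type ResizeEvent struct{ Width, Height uint16 } // hypothetical stand-in type

// forward relays events from in to out and closes the returned channel when
// its goroutine exits. guarded=false uses a bare send (the leak pattern).
func forward(ctx context.Context, in <-chan ResizeEvent, out chan<- ResizeEvent, guarded bool) <-chan struct{} {
	exited := make(chan struct{})
	go func() {
		defer close(exited)
		for ev := range in {
			if !guarded {
				out <- ev // blocks forever when nothing receives from out
				continue
			}
			select {
			case out <- ev:
			case <-ctx.Done(): // session torn down: stop waiting for a receiver
				return
			}
		}
	}()
	return exited
}

// SimulateFailedLaunch reports whether the forwarding goroutine exits after a
// session whose process never started (so out has no receiver) is cancelled.
func SimulateFailedLaunch(guarded bool) bool {
	in := make(chan ResizeEvent, 1)
	in <- ResizeEvent{Width: 80, Height: 24} // constructed sample event
	out := make(chan ResizeEvent)            // unbuffered, never read
	ctx, cancel := context.WithCancel(context.Background())
	exited := forward(ctx, in, out, guarded)
	cancel() // the launch failed, the session is over
	select {
	case <-exited:
		return true
	case <-time.After(200 * time.Millisecond):
		return false // goroutine is still parked on the send
	}
}

func main() { fmt.Println(SimulateFailedLaunch(false), SimulateFailedLaunch(true)) }
```

With the bare send the goroutine is still parked after the session ends; on a long-running daemon, a rising goroutine count in a `pprof` goroutine profile, with many goroutines blocked in a channel send, is the usual sign of this class of leak.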

What is the Impact of CVE-2022-23471?

Successful exploitation may allow attackers to cause a denial-of-service condition by exhausting host memory, leading to system instability or unresponsiveness.

What is the Exploitability of CVE-2022-23471?

Exploitation complexity is moderate. It requires the ability to launch containers or execute commands within containers through containerd's CRI, typically via Kubernetes or crictl. Authentication and appropriate privileges to interact with the container runtime are necessary; specifically, a user must have permissions to execute commands in running containers or launch new ones. This is a remote vulnerability, as it can be triggered by sending crafted container commands. Prerequisites include an environment using containerd's CRI, and the ability to intentionally cause a container process to fail its launch when TTY is requested. Risk factors increase if untrusted users have privileges to launch or interact with containers, or if there is a common pattern of container launch failures.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-23471?

Available Upgrade Options

  • github.com/containerd/containerd
    • <1.5.16 → Upgrade to 1.5.16
  • github.com/containerd/containerd
    • >1.6.0, <1.6.12 → Upgrade to 1.6.12

What are Similar Vulnerabilities to CVE-2022-23471?

Similar Vulnerabilities: CVE-2021-22908, CVE-2021-30465, CVE-2020-17361, CVE-2019-11253, CVE-2018-1002100