CVE-2022-31030
Denial of Service vulnerability in github.com/containerd/containerd

Type: Denial of Service. Known public exploit: none.

What is CVE-2022-31030 About?

This vulnerability is a Denial of Service (DoS) bug in containerd's CRI implementation. A program running inside a container can cause the containerd daemon on the host to consume memory without bound while an `ExecSync` API call is being serviced, exhausting memory on the host. The attacker needs code running inside a container, but the impact reaches well beyond that container: it affects every workload on the node.

Affected Software

  • github.com/containerd/containerd
    • <1.5.13
    • >=1.6.0, <1.6.6

Technical Details

A bug exists in the Container Runtime Interface (CRI) implementation of containerd. `ExecSync` is the CRI call a client on the host uses to run a command inside a running container and collect its stdout and stderr synchronously; the daemon buffers that output in memory and returns it in the response. In the affected releases the buffer has no size limit, so a command that never stops writing output makes the containerd daemon allocate memory without bound until the host runs out. Because the allocation happens in the daemon rather than in the container, the container's own cgroup memory limit does not contain it; the exhaustion denies service to every other workload on the node and potentially to the host itself. The attacker does not issue the `ExecSync` call; it is issued by normal operation of the CRI client. Both Kubernetes and crictl can be configured to use containerd's CRI: the kubelet uses `ExecSync` to run exec-based liveness and readiness probes, and crictl uses it for synchronous exec, so an image whose probe command (or any binary an operator routinely execs) has been replaced with one that floods its output is the realistic trigger.
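The pattern behind the bug, and the shape of the fix, as an added illustration in Go (this is not containerd's code; the function names, the 16 KiB demo limit and the `noisyProcess` stand-in for an exec'd command's stdout are constructed for the example). `collectUnbounded` is the vulnerable shape: the daemon retains everything the command writes. `collectBounded` caps what is retained and tells the caller the output was cut:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// noisyProcess stands in for the stdout of a command exec'd inside a
// container that writes n bytes of junk without pause. Constructed input
// for this example; nothing is exec'd for real.
func noisyProcess(n int) io.Reader {
	return strings.NewReader(strings.Repeat("A", n))
}

// collectUnbounded is the vulnerable pattern: everything the process writes
// is appended to an in-memory buffer, so the process inside the container
// decides how much of the daemon's memory is used.
func collectUnbounded(r io.Reader) ([]byte, error) {
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, r); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// ErrOutputTruncated tells the caller that the command wrote more than the
// limit and that the returned output is only a prefix.
var ErrOutputTruncated = errors.New("exec output exceeded limit; truncated")

// collectBounded is the hardened pattern: never retain more than limit
// bytes. It reads one byte past the limit so that over-long output can be
// detected, then stops reading; the caller is expected to terminate the
// command (a real runtime also enforces a timeout on ExecSync).
func collectBounded(r io.Reader, limit int64) ([]byte, error) {
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, io.LimitReader(r, limit+1)); err != nil {
		return nil, err
	}
	if int64(buf.Len()) > limit {
		return buf.Bytes()[:limit], ErrOutputTruncated
	}
	return buf.Bytes(), nil
}

func main() {
	const limit = 16 * 1024 // 16 KiB cap for the demo (assumed value)
	big := 8 * 1024 * 1024  // the "probe" writes 8 MiB

	out, _ := collectUnbounded(noisyProcess(big))
	fmt.Printf("unbounded: retained %d bytes (grows with the process's output)\n", len(out))

	out, err := collectBounded(noisyProcess(big), limit)
	fmt.Printf("bounded:   retained %d bytes, err=%v\n", len(out), err)

	out, err = collectBounded(noisyProcess(100), limit)
	fmt.Printf("bounded:   retained %d bytes, err=%v\n", len(out), err)
}
```

The important design point is that the cap is enforced before the bytes are retained, not after: a check on the finished buffer would still let the daemon allocate the whole output first. A cap alone does not stop the command from running forever, which is why the real call also carries a timeout.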

What is the Impact of CVE-2022-31030?

Successful exploitation allows an attacker to make the containerd daemon consume all available memory, denying service to every legitimate workload on the node and potentially to the underlying host. Because the memory is consumed by the daemon and not by the container, the container's resource limits offer no protection.

What is the Exploitability of CVE-2022-31030?

Exploitation requires attacker-controlled code running inside a container, but no privileges beyond that. The attacker does not need to reach the CRI API or authenticate to the host: it is enough that the command an `ExecSync` call runs, such as an exec liveness probe or a command an operator runs synchronously, produces unbounded output. An untrusted image whose probe command or commonly exec'd binary has been tampered with is therefore the realistic vector. Access is local to the container, but the effect lands on the host. Risk is highest in multi-tenant environments and wherever untrusted images or commands are allowed to run on nodes that use containerd's CRI. Where upgrading is not immediately possible, the upstream advisory's mitigation is to run only trusted images and commands.

What are the Known Public Exploits?

No known public exploits have been published; no proof of concept, author, link or commentary is listed.

What are the Available Fixes for CVE-2022-31030?

Available Upgrade Options

  • github.com/containerd/containerd
    • <1.5.13 → Upgrade to 1.5.13
  • github.com/containerd/containerd
    • >=1.6.0, <1.6.6 → Upgrade to 1.6.6
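A check that applies the ranges above to the version strings an operator actually sees, as an added example in Go (not the project's or the page's own code). It accepts a bare version, the `containerd://1.6.4` form that the kubelet reports in a node's `status.nodeInfo.containerRuntimeVersion`, and the multi-field line printed by `containerd --version`; the sample inputs are constructed, and the `fixedVersion` helper and the conservative handling of pre-release suffixes are this example's own choices:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed major.minor.patch triple. pre is set when the string
// carried a pre-release suffix ("-rc.1"); such builds are ordered before the
// final release, so a 1.6.6 release candidate is still reported as affected.
type version struct {
	major, minor, patch int
	pre                 bool
}

// parseContainerdVersion finds the first field of s that looks like a
// containerd version. Handles "1.6.4", "v1.6.4", "containerd://1.6.4" and
// "containerd github.com/containerd/containerd v1.6.4 <commit>".
func parseContainerdVersion(s string) (version, error) {
	for _, field := range strings.Fields(s) {
		if v, ok := tryParse(field); ok {
			return v, nil
		}
	}
	return version{}, fmt.Errorf("no containerd version found in %q", s)
}

func tryParse(field string) (version, bool) {
	field = strings.TrimPrefix(field, "containerd://")
	field = strings.TrimPrefix(field, "v")
	pre := false
	if i := strings.IndexAny(field, "-+"); i >= 0 {
		pre = field[i] == '-' // build metadata ("+...") does not affect ordering
		field = field[:i]
	}
	parts := strings.Split(field, ".")
	if len(parts) != 3 {
		return version{}, false
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return version{}, false
		}
		n[i] = x
	}
	return version{major: n[0], minor: n[1], patch: n[2], pre: pre}, true
}

func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	if v.patch != o.patch {
		return v.patch < o.patch
	}
	return v.pre && !o.pre
}

// affected applies the published ranges for CVE-2022-31030:
// every release before 1.5.13, and 1.6.0 up to but excluding 1.6.6.
func affected(v version) bool {
	if v.less(version{major: 1, minor: 5, patch: 13}) {
		return true
	}
	return !v.less(version{major: 1, minor: 6, patch: 0}) && v.less(version{major: 1, minor: 6, patch: 6})
}

// fixedVersion names the first patched release on the same branch.
func fixedVersion(v version) string {
	if v.major == 1 && v.minor >= 6 {
		return "1.6.6"
	}
	return "1.5.13"
}

func main() {
	// Constructed sample inputs in the formats described above.
	samples := []string{
		"containerd://1.6.4",
		"containerd://1.5.13",
		"containerd github.com/containerd/containerd v1.6.0 abcdef0123456789abcdef0123456789abcdef01",
		"v1.4.13",
		"1.6.6",
	}
	for _, s := range samples {
		v, err := parseContainerdVersion(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		if affected(v) {
			fmt.Printf("%-90s VULNERABLE, upgrade to %s\n", s, fixedVersion(v))
		} else {
			fmt.Printf("%-90s not affected\n", s)
		}
	}
}
```

In a cluster the strings to feed this come from `kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.containerRuntimeVersion}'`; on a single host, from `containerd --version`. Note that the lower range has no floor, so 1.4.x and older branches are reported as affected and should move to 1.5.13 or later.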


Additional Resources

What are Similar Vulnerabilities to CVE-2022-31030?

Similar Vulnerabilities: CVE-2022-24434, CVE-2022-22970, CVE-2022-3517, CVE-2022-25858, CVE-2022-29078