containerd CRI plugin: Host memory exhaustion through ExecSync
CVE-2022-31030

5.5MEDIUM

Key Information:

Vendor: Containerd
Status: Containerd
Vendor: CVE Published:; 9 June 2022

What is CVE-2022-31030?

containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; ExecSync may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.

Affected Version(s)

containerd < 1.5.13 < 1.5.13

containerd >= 1.6.0, < 1.6.6 < 1.6.0, 1.6.6

References

https://github.com/containerd/containerd/security/advisor...

https://github.com/containerd/containerd/commit/c1bcabb45...

http://www.openwall.com/lists/oss-security/2022/06/07/1

mailing-list

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2022
Vulnerability Reserved
May 18, 2022

Containerd

What is CVE-2022-31030?

Affected Version(s)

References

CVSS V3.1

Timeline