CVE-2022-31030

EPSS 0.11%
Published 09.06.2022 14:15:08
Last modified 21.11.2024 07:03:44
Source security-advisories@github.com
Teams watchlist Login
Open Login

containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.

Affected products Warnungen 0 Metrics 4 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Linuxfoundation ≫ Containerd Version < 1.5.13

Linuxfoundation ≫ Containerd Version >= 1.6.0 < 1.6.6

Debian ≫ Debian Linux Version11.0

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.298

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://security.gentoo.org/glsa/202401-31

https://www.debian.org/security/2022/dsa-5162

Third Party Advisory

http://www.openwall.com/lists/oss-security/2022/06/07/1

Third Party Advisory

Mailing List

https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382

Third Party Advisory

Product

https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/

https://nvd.nist.gov/vuln/detail/CVE-2022-31030

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-31030

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-31030

EUVD