CVE-2022-1708 — Uncontrolled Resource Consumption in Redhat Openshift Container Platform

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 36.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Cri-o Cri-o Kubernetes Cri-o Fedoraproject Fedora +2 more

Timeline

PublishedJun 7

Latest updateAug 21

Description

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDkubernetes/cri-o1.20.0 — 1.20.8+5

▶CVEListV5kubernetes/cri-oAffects cri-o <= 1.24.0, 1.23.2, 1.22.4, Fixed-in 1.24.1, 1.23.3, 1.22.5

▶Gogithub.com/cri-o_cri-o1.24.0 — 1.24.1+2

Also affects: Openshift Container Platform 3.11, 4.0, 4.10, 4.9, Fedora 36, Enterprise Linux 7.0, 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Node DOS by way of memory exhaustion through ExecSync request in CRI-O in github.com/cri-o/cri-o↗2024-08-21

▶

CVEList

CVE-2022-1708: A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API↗2022-06-07

▶

GHSA

Node DOS by way of memory exhaustion through ExecSync request in CRI-O↗2022-06-06

▶

OSV

Node DOS by way of memory exhaustion through ExecSync request in CRI-O↗2022-06-06

▶

📋Vendor Advisories

Microsoft

▶

Red Hat

cri-o: memory exhaustion on the node when access to the kube api↗2022-06-06

▶