Sign In

CVE-2022-31030

SOURCE - github

Summary

### Impact A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; ExecSync may be used when running probes or when executing processes via an "exec" facility. ### Patches This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images and commands are used. ### References * Similar fix in cri-o's CRI implementation https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j ### Credits The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security audit sponsored by CNCF and facilitated by OSTIF. ### For more information If you have any questions or comments about this advisory: * Open an issue in containerd * Email us at security@containerd.io

EPSS Score: 0.00045 (0.135)

Common Weakness Enumeration (CWE)

SOURCE - nist

CWE-400

Uncontrolled Resource Consumption

SOURCE - github

CWE-400

Uncontrolled Resource Consumption

SOURCE - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-400

Uncontrolled Resource Consumption

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Sources (14)

Impacted images

nist

CREATED

UPDATED

SOURCE IDCVE-2022-31030
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-400

CVSS SCORE

5.5medium

github

CREATED

UPDATED

SOURCE IDGHSA-5ffw-gxpp-mxpf
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-400

CVSS SCORE

5.5medium

alpine

CREATED

UPDATED

SOURCE IDCVE-2022-31030
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

debian

CREATED

UPDATED

SOURCE IDCVE-2022-31030
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

ubuntu

CREATED

UPDATED

SOURCE IDCVE-2022-31030
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

5.5medium

gitlab

CREATED

UPDATED

SOURCE ID

CVE-2022-31030

EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-400CWE-937

CVSS SCORE

5.5medium

amazon

CREATED

UPDATED

SOURCE IDALAS-2022-1600
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

amazon

CREATED

UPDATED

SOURCE IDALAS2023-2023-079
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

amazon

CREATED

UPDATED

SOURCE IDALAS2022-2022-088
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

amazon

CREATED

UPDATED

SOURCE IDALAS2022-2022-156
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

amazon

CREATED

UPDATED

SOURCE IDALAS2022-2022-210
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

suse

CREATED

UPDATED

SOURCE IDCVE-2022-31030
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

5.5medium

chainguard

CREATED

UPDATED

SOURCE ID

CVE-2022-31030

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

wolfi

CREATED

UPDATED

SOURCE ID

CVE-2022-31030

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE