
=====================================================================

                                  CERT-Renater

                       Information Note No. 2022/VULN199

_____________________________________________________________________

DATE                : 09/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running containerd versions prior to
                     1.5.13, 1.6.6.

=====================================================================
https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf
_____________________________________________________________________

containerd CRI plugin: Host memory exhaustion through ExecSync


Moderate
dmcgowan published GHSA-5ffw-gxpp-mxpf


Package
No package listed

Affected versions
<= 1.5.12, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5

Patched versions
1.5.13, 1.6.6


Description

Impact

A bug was found in containerd's CRI implementation where programs inside 
a container can cause the containerd daemon to consume memory without 
bound during invocation of the ExecSync API. This can cause containerd 
to consume all available memory on the computer, denying service to 
other legitimate workloads. Kubernetes and crictl can both be configured 
to use containerd's CRI implementation; ExecSync may be used when 
running probes or when executing processes via an "exec" facility.


Patches

This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should 
update to these versions to resolve the issue.
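
To find hosts that still need the update, the version ranges in this advisory can be checked mechanically. The Go program below is an added example, not code from the advisory or the containerd project. It assumes version strings in the form Kubernetes reports as containerRuntimeVersion ("containerd://X.Y.Z") or as printed by `containerd --version`, and that release lines newer than 1.6 carry the fix. The name Status and the node inventory are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Matches upstream-style versions such as "1.6.4", "v1.5.12" or "1.6.6-rc.1".
var verRe = regexp.MustCompile(`v?(\d+)\.(\d+)\.(\d+)([-+~][0-9A-Za-z.+~-]*)?`)

// Status classifies a containerd version string against the fixed releases
// named in the advisory (1.5.13 and 1.6.6). It returns "affected", "patched",
// "review" or "unparsed". Upstream numbering only: backported fixes in
// vendor packages are not detected (assumption of this example).
func Status(s string) string {
	m := verRe.FindStringSubmatch(s)
	if m == nil || !strings.HasPrefix(s, "containerd") {
		return "unparsed" // not a containerd version string
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	if major > 1 || (major == 1 && minor > 6) {
		return "patched" // release lines newer than 1.6 (assumed to carry the fix)
	}
	fix := 13 // 1.5.13; the advisory lists everything <= 1.5.12 as affected
	if major == 1 && minor == 6 {
		fix = 6 // 1.6.6
	}
	switch {
	case major < 1 || (major == 1 && minor < 5) || patch < fix:
		return "affected"
	case patch == fix && m[4] != "" && m[4][0] != '+':
		return "review" // pre-release or vendor rebuild suffix on the fixed version
	}
	return "patched"
}

func main() {
	// Constructed inventory (node, containerRuntimeVersion); not from the advisory.
	fleet := [][2]string{{"node-a", "containerd://1.6.4"}, {"node-b", "containerd://1.6.6"},
		{"node-c", "containerd://1.5.13-rc.1"}, {"node-d", "docker://20.10.17"}}
	for _, n := range fleet {
		fmt.Printf("%-7s %-26s %s\n", n[0], n[1], Status(n[1]))
	}
}
```

Nodes reported as "review" or "unparsed" need a manual look, since the version string alone does not show whether the fix is present.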


Workarounds

Ensure that only trusted images and commands are used.


References

     Similar fix in cri-o's CRI implementation: GHSA-fcm2-6c3h-pg6j


Credits

The containerd project would like to thank David Korczynski and Adam 
Korczynski of ADA Logics for responsibly disclosing this issue in 
accordance with the containerd security policy during a security audit 
sponsored by CNCF and facilitated by OSTIF.


For more information

If you have any questions or comments about this advisory:

     Open an issue in containerd
     Email us at security@containerd.io


Severity
Moderate

CVE ID
CVE-2022-31030

Weaknesses
No CWEs


Credits

     @DavidKorczynski
     @AdamKorcz



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


