Vulnerability Details : CVE-2022-31030
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used.
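The advisory above describes the symptom (unbounded daemon memory growth while an `ExecSync` call is in flight) but not the code path. The following is an added illustration, not containerd's own code: it assumes the daemon captures the exec'd process's stdout into an in-memory buffer, shows why that lets an untrusted command such as `yes` exhaust host memory, and contrasts it with a capped writer that keeps at most a fixed number of bytes while still draining the stream so the process is not blocked on a full pipe. `chattyProcess`, `captureUnbounded`, `captureBounded` and `limitWriter` are hypothetical names chosen for this example; the 1 MiB cap is likewise a constructed value, not the limit used by the upstream fix.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// zeroReader never returns EOF; it stands in for a process that prints forever.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'y'
	}
	return len(p), nil
}

// chattyProcess is a constructed stand-in for the stdout of a container
// process run through ExecSync. It emits `total` bytes and then EOF so the
// example terminates; a real `yes` would never stop.
func chattyProcess(total int64) io.Reader {
	return io.LimitReader(zeroReader{}, total)
}

// captureUnbounded mirrors the pre-fix pattern assumed by this example:
// everything the process writes is held in the daemon's memory, so the
// container controls how much RAM the daemon allocates.
func captureUnbounded(stdout io.Reader) ([]byte, error) {
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, stdout); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// limitWriter keeps at most `max` bytes and counts the rest as dropped.
// It always reports the full write as consumed so io.Copy keeps draining
// the pipe; otherwise the child would block on a full stdout and hang.
type limitWriter struct {
	buf     bytes.Buffer
	max     int
	dropped int64
}

func (w *limitWriter) Write(p []byte) (int, error) {
	room := w.max - w.buf.Len() // never negative: buf never exceeds max
	if room > len(p) {
		room = len(p)
	}
	if room > 0 {
		w.buf.Write(p[:room])
	}
	w.dropped += int64(len(p) - room)
	return len(p), nil
}

// captureBounded is the hardened form: daemon memory for the captured output
// is capped at `max` bytes no matter how much the process prints.
func captureBounded(stdout io.Reader, max int) (out []byte, dropped int64, err error) {
	w := &limitWriter{max: max}
	if _, err = io.Copy(w, stdout); err != nil {
		return nil, 0, err
	}
	return w.buf.Bytes(), w.dropped, nil
}

func main() {
	const streamSize = 64 << 20 // 64 MiB from the constructed process

	out, _ := captureUnbounded(chattyProcess(streamSize))
	fmt.Printf("unbounded: held %d bytes in daemon memory\n", len(out))

	capped, dropped, _ := captureBounded(chattyProcess(streamSize), 1<<20)
	fmt.Printf("bounded:   held %d bytes, dropped %d\n", len(capped), dropped)
}
```

The design point is that the cap must live in the writer, not in the caller: truncating after `io.Copy` returns is too late, because the allocation has already happened. Returning `len(p)` from the limited `Write` is what keeps the child process from stalling once the cap is reached.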
Products affected by CVE-2022-31030
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:* (per the description above: releases before 1.5.13, and 1.6.0 through 1.6.5)
Exploit prediction scoring system (EPSS) score for CVE-2022-31030
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~22% (proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2022-31030
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P (CVSS v2.0) | 3.9 | 2.9 | NIST |
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | NIST |
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | GitHub, Inc. |
CWE ids for CVE-2022-31030
- The product does not properly control the allocation and maintenance of a limited resource. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2022-31030
- http://www.openwall.com/lists/oss-security/2022/06/07/1
  oss-security - CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REOZCUAPCA7NFDWYBDYX6EYXWLHABKBO/
  [SECURITY] Fedora 36 Update: golang-x-sys-0-23.20220604gitbc2c85a.fc36 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5162
  Debian -- Security Information -- DSA-5162-1 containerd (Third Party Advisory)
- https://security.gentoo.org/glsa/202401-31
  containerd: Multiple Vulnerabilities (GLSA 202401-31) - Gentoo security
- https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf
  containerd CRI plugin: Host memory exhaustion through ExecSync - Advisory - containerd/containerd - GitHub (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSIGDBHAB3I75JBJNGWEPBTJPS2FOVHD/
  [SECURITY] Fedora 35 Update: golang-github-containerd-cni-1.1.6-1.fc35 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382
  Merge pull request from GHSA-5ffw-gxpp-mxpf - containerd/containerd@c1bcabb - GitHub (Product; Third Party Advisory)