Bug 2085361 (CVE-2022-1708)
Summary: | CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ahanwate, bfurtado, blaise, bmontgom, bradley.g.smith, container-sig, ebakerupw, eparis, jakubr, jburrell, jnovy, jokerman, lsm5, nstielau, pehunt, rh.container.bot, rphillips, ryncsn, santiago, saroy, security-response-team, sponnaga, umohnani, vkumar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | cri-o 1.24.1, cri-o 1.23.3, cri-o 1.22.5, cri-o 1.21.8, cri-o 1.20.8, cri-o 1.19.7 | Doc Type: | If docs needed, set a value |
Doc Text: | A vulnerability was found in CRI-O that allows anyone with access to the Kube API to exhaust memory or disk space on the node. The ExecSync request runs a command in a container and logs the command's output to a file. After the command finishes, CRI-O reads that file back, and it reads the entire file into memory at once. If the command produces a large amount of output, reading it back can therefore exhaust the node's memory or disk space. The highest threat from this vulnerability is to system availability. | | |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-06-21 20:36:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2089136, 2089569, 2089570, 2089571, 2089572, 2089573, 2090134, 2092917, 2093387, 2093388, 2093389, 2093390, 2093391, 2094036, 2094037, 2094038, 2094040, 2094041, 2094042, 2094180, 2094181, 2094182, 2094183, 2094184, 2094185, 2094186, 2094187, 2094188, 2094189, 2094190 | ||
Bug Blocks: | 2085363, 2085435 |
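The Doc Text above describes the defect in one sentence: the runtime reads the whole output file of an ExecSync command into memory, so a chatty command dictates the node's memory use. The Go snippet below is an added illustration, not CRI-O's own code or its actual fix; the cap value, the function names and the sample input are constructed for the example. It places the unbounded read beside a bounded read that stops at a runtime-chosen limit and reports truncation.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// maxExecSyncOutput is a hypothetical cap on how much ExecSync output the
// runtime will hold in memory for one request (constructed value).
const maxExecSyncOutput = 1 << 20 // 1 MiB

// readUnbounded mirrors the flawed pattern the CVE describes: the whole
// output is slurped into memory, so memory use scales with whatever the
// command in the container chose to print.
func readUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readBounded reads at most limit bytes and reports whether the output was
// truncated. One extra byte is requested only to detect that more existed.
func readBounded(r io.Reader, limit int64) (out []byte, truncated bool, err error) {
	out, err = io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, false, err
	}
	if int64(len(out)) > limit {
		return out[:limit], true, nil
	}
	return out, false, nil
}

func main() {
	// Constructed stand-in for the log file of a command that prints 4 MiB.
	big := bytes.Repeat([]byte("x"), 4*maxExecSyncOutput)

	all, _ := readUnbounded(bytes.NewReader(big))
	fmt.Printf("unbounded read held %d bytes\n", len(all))

	out, truncated, _ := readBounded(bytes.NewReader(big), maxExecSyncOutput)
	fmt.Printf("bounded read held %d bytes (truncated=%v)\n", len(out), truncated)
}
```

The bounded variant keeps the runtime's memory use under its own control regardless of what runs inside the container; a real implementation would also surface the truncation to the caller rather than silently dropping output.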
Description
TEJ RATHI
2022-05-13 06:36:59 UTC
CVE-2022-1708 Assigned.

Created conmon tracking bugs for this issue:
Affects: fedora-all [bug 2094190]

Created cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094187]

Created cri-o:1.17/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094180]

Created cri-o:1.18/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094181]

Created cri-o:1.19/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094182]

Created cri-o:1.20/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094183]

Created cri-o:1.21/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094184]

Created cri-o:1.22/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094185]

Created cri-o:1.23/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094188]

Created cri-o:1.24/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094189]

Created cri-o:nightly/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2094186]

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.10
Via RHSA-2022:4943 https://access.redhat.com/errata/RHSA-2022:4943

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.9
Via RHSA-2022:4972 https://access.redhat.com/errata/RHSA-2022:4972

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2022:4965 https://access.redhat.com/errata/RHSA-2022:4965

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.8
Via RHSA-2022:4951 https://access.redhat.com/errata/RHSA-2022:4951

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2022:4947 https://access.redhat.com/errata/RHSA-2022:4947

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2022:4999 https://access.redhat.com/errata/RHSA-2022:4999

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1708

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:7469 https://access.redhat.com/errata/RHSA-2022:7469

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529