Bug 2085361 (CVE-2022-1708)

Summary: CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ahanwate, bfurtado, blaise, bmontgom, bradley.g.smith, container-sig, ebakerupw, eparis, jakubr, jburrell, jnovy, jokerman, lsm5, nstielau, pehunt, rh.container.bot, rphillips, ryncsn, santiago, saroy, security-response-team, sponnaga, umohnani, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: cri-o 1.24.1, cri-o 1.23.3, cri-o 1.22.5, cri-o 1.21.8, cri-o 1.20.8, cri-o 1.19.7
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-06-21 20:36:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2089136, 2089569, 2089570, 2089571, 2089572, 2089573, 2090134, 2092917, 2093387, 2093388, 2093389, 2093390, 2093391, 2094036, 2094037, 2094038, 2094040, 2094041, 2094042, 2094180, 2094181, 2094182, 2094183, 2094184, 2094185, 2094186, 2094187, 2094188, 2094189, 2094190
Bug Blocks: 2085363, 2085435

Description TEJ RATHI 2022-05-13 06:36:59 UTC
A vulnerability was found in CRI-O that causes memory exhaustion on the node for anyone with access to the kube api. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by cri-o after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory of the node when crio reads the output of the command.

References: 
https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
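The memory side of the problem described above comes down to one pattern: the runtime slurps the whole ExecSync output file into a buffer whose size is controlled by whatever ran inside the container. The following Go example is added here for illustration and is not CRI-O's own code nor its actual fix; it shows the unbounded read next to a capped read that keeps at most a fixed number of bytes and reports truncation. The cap `maxExecSyncOutput`, the function names and the log-file path are assumptions made for the example. Note that capping the read only protects the reader's memory; the disk-space side needs the writer of the log file to stop at a limit as well.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
)

// maxExecSyncOutput is a hypothetical cap on how many bytes of ExecSync output
// the runtime keeps in memory. The value is constructed for this example.
const maxExecSyncOutput = 1 << 20 // 1 MiB

// readAllOutput mirrors the vulnerable pattern: the entire output file is read
// into memory in one go, so memory use on the node is bounded only by how much
// the command inside the container chose to print.
func readAllOutput(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readBoundedOutput reads at most maxBytes of output. It asks the limited
// reader for one byte more than the cap only to learn whether anything was
// left over, so the caller can flag truncation without buffering the rest.
func readBoundedOutput(r io.Reader, maxBytes int64) (out []byte, truncated bool, err error) {
	lr := &io.LimitedReader{R: r, N: maxBytes + 1}
	buf, err := io.ReadAll(lr)
	if err != nil {
		return nil, false, err
	}
	if int64(len(buf)) > maxBytes {
		return buf[:maxBytes], true, nil
	}
	return buf, false, nil
}

// readExecSyncLog opens the log file written for an ExecSync request (the path
// is an assumption of this example) and returns a bounded copy of its contents.
func readExecSyncLog(path string, maxBytes int64) ([]byte, bool, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, false, err
	}
	defer f.Close()
	return readBoundedOutput(f, maxBytes)
}

func main() {
	// Constructed sample: a command that emitted 3 MiB of output.
	output := bytes.Repeat([]byte("A"), 3<<20)

	all, _ := readAllOutput(bytes.NewReader(output))
	fmt.Printf("unbounded read kept %d bytes in memory\n", len(all))

	kept, truncated, _ := readBoundedOutput(bytes.NewReader(output), maxExecSyncOutput)
	fmt.Printf("bounded read kept %d bytes, truncated=%v\n", len(kept), truncated)
}
```

Run with `go run`; the unbounded read holds all 3 MiB while the bounded read holds 1 MiB and reports `truncated=true`. Returning the truncation flag rather than silently cutting the output lets the caller surface it in the ExecSync response or in a log line, which is also a useful detection signal for commands producing abnormally large output.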

Comment 1 TEJ RATHI 2022-05-13 11:17:28 UTC
CVE-2022-1708 Assigned.

Comment 12 Avinash Hanwate 2022-06-07 04:40:39 UTC
Created conmon tracking bugs for this issue:

Affects: fedora-all [bug 2094190]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094187]


Created cri-o:1.17/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094180]


Created cri-o:1.18/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094181]


Created cri-o:1.19/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094182]


Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094183]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094184]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094185]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094188]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094189]


Created cri-o:nightly/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2094186]

Comment 14 errata-xmlrpc 2022-06-13 14:37:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:4943 https://access.redhat.com/errata/RHSA-2022:4943

Comment 15 errata-xmlrpc 2022-06-14 11:49:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:4972 https://access.redhat.com/errata/RHSA-2022:4972

Comment 18 errata-xmlrpc 2022-06-16 10:01:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:4965 https://access.redhat.com/errata/RHSA-2022:4965

Comment 19 errata-xmlrpc 2022-06-16 17:13:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:4951 https://access.redhat.com/errata/RHSA-2022:4951

Comment 20 errata-xmlrpc 2022-06-17 05:38:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:4947 https://access.redhat.com/errata/RHSA-2022:4947

Comment 21 errata-xmlrpc 2022-06-21 16:57:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2022:4999 https://access.redhat.com/errata/RHSA-2022:4999

Comment 22 Product Security DevOps Team 2022-06-21 20:36:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1708

Comment 23 errata-xmlrpc 2022-11-08 09:11:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457

Comment 24 errata-xmlrpc 2022-11-08 09:13:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7469 https://access.redhat.com/errata/RHSA-2022:7469

Comment 25 errata-xmlrpc 2022-11-08 09:28:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529