Bug 2151890 (CVE-2022-23471)

Summary: CVE-2022-23471 containerd: host memory exhaustion
Product: [Other] Security Response Reporter: ybuenos
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: containerd 1.6.12 and 1.5.16 Doc Type: ---
Doc Text:
A bug was found in containerd's CRI implementation where a user can exhaust memory on the host, leading to memory leak and resource exhaustion.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-10 22:32:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2151891    
Bug Blocks: 2191699    

Description ybuenos 2022-12-08 13:37:25 UTC 
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
Comment 1 ybuenos 2022-12-08 13:37:38 UTC 
Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2151891]
Comment 2 Product Security DevOps Team 2022-12-10 22:32:56 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.