A vulnerability was found in CRI-O that causes memory exhaustion on the node for anyone with access to the kube api. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by cri-o after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory of the node when crio reads output of the command. References: https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
CVE-2022-1708 Assigned.
Created conmon tracking bugs for this issue: Affects: fedora-all [bug 2094190] Created cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094187] Created cri-o:1.17/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094180] Created cri-o:1.18/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094181] Created cri-o:1.19/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094182] Created cri-o:1.20/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094183] Created cri-o:1.21/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094184] Created cri-o:1.22/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094185] Created cri-o:1.23/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094188] Created cri-o:1.24/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094189] Created cri-o:nightly/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2094186]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:4943 https://access.redhat.com/errata/RHSA-2022:4943
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:4972 https://access.redhat.com/errata/RHSA-2022:4972
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:4965 https://access.redhat.com/errata/RHSA-2022:4965
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2022:4951 https://access.redhat.com/errata/RHSA-2022:4951
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:4947 https://access.redhat.com/errata/RHSA-2022:4947
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2022:4999 https://access.redhat.com/errata/RHSA-2022:4999
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1708
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7469 https://access.redhat.com/errata/RHSA-2022:7469
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529