The Kubernetes community recently discovered vulnerability CVE-2022-23471, which can be exploited to launch Denial-of-Service (DoS) attacks. Attackers can use a custom terminal to submit a teletypewriter (TTY) request. The request may lead to memory leaks on the node. As a result, the memory of the node is exhausted.
CVE-2022-23471 is rated as medium severity. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 6.5.
Affected versions
The following containerd versions are affected:
- v1.6.0~v1.6.11
- <v1.5.16
This vulnerability is fixed in the following containerd versions:
- v1.6.12
- v1.5.16
For more information about this vulnerability, see CVE-2022-23471.
Impacts
In the CRI stream server, a goroutine is launched to handle the resize events on the terminal if a TTY request is initiated by an exec or attach operation. If the process fails to launch due to errors such as a faulty command, the goroutine will be stuck because no receiver exists. This results in a memory leak.
Clusters that use the containerd runtime are affected by this vulnerability.
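The leak pattern described above can be reproduced in a few lines of Go. The following is an added example, not containerd source code: `Size`, `forward` and `leakedAfter` are hypothetical names, and the context-based release in the `safe` branch is one common way to harden this pattern, shown here as an assumption rather than as the upstream patch.

```go
package main

import (
	"context"
	"fmt"
	"runtime"
	"time"
)

// Size is a hypothetical stand-in for a terminal resize event.
type Size struct{ W, H uint16 }

// forward relays resize events from in to out. With safe=false the send is
// unconditional, so it blocks forever when nothing ever reads out.
func forward(ctx context.Context, in <-chan Size, out chan<- Size, safe bool) {
	for s := range in {
		if !safe {
			out <- s // stuck here: no receiver exists
			continue
		}
		select {
		case out <- s:
		case <-ctx.Done(): // request torn down, release the goroutine
			return
		}
	}
}

// leakedAfter simulates n TTY exec requests whose process fails to launch and
// returns how many goroutines are still alive afterwards.
func leakedAfter(n int, safe bool) int {
	before := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		in := make(chan Size, 1)
		in <- Size{W: 80, H: 24} // constructed resize event from the client
		close(in)
		ctx, cancel := context.WithCancel(context.Background())
		go forward(ctx, in, make(chan Size), safe)
		cancel() // launch failed: the consumer of out never starts
	}
	time.Sleep(200 * time.Millisecond) // let goroutines run and settle
	return runtime.NumGoroutine() - before
}

func main() {
	fmt.Println("leaky:", leakedAfter(100, false), "hardened:", leakedAfter(100, true))
}
```

Each blocked goroutine keeps its stack and the event it holds alive, so the count returned for the leaky variant grows linearly with the number of failed requests. On a node, a steadily rising goroutine count or resident memory of the containerd process is the corresponding signal to monitor.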
Mitigation
- Make sure that only trusted images are used to deploy applications in your cluster.
- Grant only trusted users the permissions to run commands in containers that are deployed in your cluster.