#VU70039 Resource exhaustion in containerd - CVE-2022-23471


Vulnerability identifier: #VU70039

Vulnerability risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-23471

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
containerd
Other software / Other software solutions

Vendor: containerd

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in containerd CRI stream server when handling terminal resize events. A remote user can request a TTY and force it to fail by sending a faulty command and exhaust memory on the host.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

containerd: 1.0.0 - 1.0.3, 1.1.0 - 1.1.8, 1.2.0 - 1.2.14, 1.3.0 - 1.3.10, 1.4.0 - 1.4.13, 1.5.0 - 1.5.15, 1.6.0 - 1.6.11

External links
http://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9
http://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Transformation Advisor
Multiple vulnerabilities in IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Concert
Amazon Linux AMI update for containerd
Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data
Resource exhaustion in Data Replication on Cloud Pak for Data
Multiple vulnerabilities in IBM QRadar Suite Software
Multiple vulnerabilities in IBM Cloud Pak for Data Scheduling
Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data
Gentoo update for containerd