The containerd community recently disclosed vulnerability CVE-2022-31030, which affects the Container Runtime Interface (CRI) implementation of containerd. The vulnerability allows a program in a container to cause unbounded memory consumption during an invocation of the ExecSync API, so that containerd exhausts the available memory of the node on which the container runs. Attackers can exploit this vulnerability to launch DoS attacks, for example when the system uses the exec mechanism to run probes or lifecycle hooks.

CVE-2022-31030 is rated as medium severity.

Affected versions

The following containerd versions are affected:

  • ≤ v1.5.12
  • v1.6.0 to v1.6.5

This vulnerability is fixed in the following containerd versions:

  • v1.5.13
  • v1.6.6

Note: Only the nodes in the node pools that use the containerd runtime are affected by this vulnerability.

For more information about this vulnerability, see CVE-2022-31030.

Mitigation

Perform the following operations to update the containerd version on the existing nodes in your cluster, and revoke the permissions of untrusted users to deploy applications.

  1. Run the kubectl drain command to drain the node that you need to update.
  2. Run the systemctl stop kubelet command to stop kubelet on the node.
  3. Run the systemctl stop containerd command to stop containerd on the node.
  4. Install the latest RPM package of containerd.
  5. Run the systemctl start containerd command to start containerd.
  6. Run the systemctl start kubelet command to start kubelet.
  7. After you update the containerd version for the node, run the kubectl uncordon command to change the node to the Schedulable state.
  8. If you want to update the containerd version for other nodes, repeat Step 2 through Step 7 on each of them.
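Before scheduling the update, it helps to confirm which nodes actually run an affected containerd. The following shell script is an added example, not part of this advisory; it assumes the usual `containerd --version` output format, in which the version is the third whitespace-separated field (for example `containerd github.com/containerd/containerd v1.6.5 <commit>`), and encodes the affected ranges listed above.

```shell
#!/bin/sh
# Added example: classify a containerd version against the CVE-2022-31030
# advisory ranges. Affected: <= 1.5.12, and 1.6.0 through 1.6.5.
# Fixed: 1.5.13 and 1.6.6 (and any later release).

# parse_containerd_version LINE -> prints the bare version, e.g. "1.6.5".
# Assumes the third field of `containerd --version` is the version; a
# leading "v" and any "-rc1"/"+build" suffix are stripped.
parse_containerd_version() {
    set -- $1                      # intentional word splitting
    printf '%s\n' "$3" | sed 's/^v//; s/[-+].*$//'
}

# containerd_affected VERSION -> exit status 0 if the version is in an
# affected range, 1 if it carries the fix, 2 if the version is malformed.
containerd_affected() {
    ver=$(printf '%s\n' "$1" | sed 's/^v//; s/[-+].*$//')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;        # "1.6" means 1.6.0
    esac
    case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
    # Fold major.minor.patch into one integer for range comparison.
    n=$((major * 1000000 + minor * 1000 + patch))
    if [ "$n" -le 1005012 ]; then return 0; fi                 # <= 1.5.12
    if [ "$n" -ge 1006000 ] && [ "$n" -le 1006005 ]; then      # 1.6.0..1.6.5
        return 0
    fi
    return 1
}

# report_containerd LINE -> prints a one-line verdict for a version line.
report_containerd() {
    v=$(parse_containerd_version "$1")
    if containerd_affected "$v"; then
        printf '%s: AFFECTED by CVE-2022-31030, update required\n' "$v"
    elif [ $? -eq 1 ]; then
        printf '%s: not affected\n' "$v"
    else
        printf 'could not parse version from: %s\n' "$1"
    fi
}

# When run directly with --local on a node, check the installed binary.
if [ "${1:-}" = "--local" ] && command -v containerd >/dev/null 2>&1; then
    report_containerd "$(containerd --version)"
fi
```

Run it with `--local` on each node, or feed it `containerd --version` output collected from the nodes, to decide which ones need the update procedure above.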