The containerd community recently disclosed CVE-2022-31030, a vulnerability in the Container Runtime Interface (CRI) implementation of containerd. While the ExecSync API is being invoked, a program running in a container can cause containerd to consume memory without limit, until containerd has used all available memory on the node that runs the container. Attackers can exploit this vulnerability to launch denial-of-service (DoS) attacks, for example when the system uses the exec mechanism to run probes or lifecycle hooks.
CVE-2022-31030 is rated as medium severity.
Affected versions
The following containerd versions are affected:
- ≤ v1.5.12
- v1.6.0 to v1.6.5
This vulnerability is fixed in the following containerd versions:
- v1.5.13
- v1.6.6
For more information about this vulnerability, see CVE-2022-31030.
Mitigation
Perform the following operations to update the containerd version for the existing nodes in your cluster, and revoke the permissions to deploy applications from untrusted users.
1. Run the kubectl drain command to drain the node that you need to update.
2. Run the systemctl stop kubelet command to stop kubelet on the node.
3. Run the systemctl stop containerd command to stop containerd on the node.
4. Install the latest RPM package of containerd.
5. Run the systemctl start containerd command to start containerd.
6. Run the systemctl start kubelet command to start kubelet.
7. After you update the containerd version for the node, run the kubectl uncordon command to change the node to the Schedulable state.
8. If you want to update the containerd version for other nodes, repeat Step 2 and the following steps.
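The following script is an added example and is not part of this advisory. It shows two things a node operator would want before touching a fleet: a check that classifies an installed containerd build against the affected ranges listed above (≤ v1.5.12, v1.6.0 to v1.6.5, fixed in v1.5.13 and v1.6.6), and the per-node update sequence from the steps above wrapped so it only runs on a node whose containerd is actually affected. It assumes that the node name known to kubectl equals the hostname, that containerd is packaged as the `containerd` RPM in a configured yum repository, and that `kubectl drain` needs `--ignore-daemonsets`; the version output it checks offline is a constructed sample.

```shell
#!/bin/sh
# Added example (not the advisory's own code): classify a containerd version
# against the CVE-2022-31030 affected ranges and, on an affected node only,
# run the advisory's update sequence.

# Constructed sample of `containerd --version` output, used for the offline check.
SAMPLE_VERSION_OUTPUT='containerd github.com/containerd/containerd v1.6.4 0000000000000000000000000000000000000000'

# extract_version OUTPUT: print "X.Y.Z" from one line of `containerd --version`.
extract_version() {
    # The version is the third whitespace-separated field, prefixed with "v".
    printf '%s\n' "$1" | awk '{ sub(/^v/, "", $3); print $3 }'
}

# containerd_affected X.Y.Z: exit 0 when the version is in an affected range
# (<= 1.5.12 or 1.6.0 to 1.6.5), exit 1 when it carries the fix or lies outside
# those ranges.
containerd_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    # Drop any pre-release suffix such as "-rc" from the patch field.
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*$//')
    patch=${patch:-0}
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 5 ]; then return 0; fi
    if [ "$minor" -eq 5 ]; then [ "$patch" -le 12 ]; return $?; fi
    if [ "$minor" -eq 6 ]; then [ "$patch" -le 5 ]; return $?; fi
    return 1
}

# update_node NODE: the advisory's steps, in order, for one node.
# Each step must succeed before the next one runs.
update_node() {
    node=$1
    kubectl drain "$node" --ignore-daemonsets || return 1
    systemctl stop kubelet || return 1
    systemctl stop containerd || return 1
    # Assumption: containerd is the "containerd" RPM in a configured yum repo.
    yum -y update containerd || return 1
    systemctl start containerd || return 1
    systemctl start kubelet || return 1
    kubectl uncordon "$node"
}

# Entry point. Only `--apply` touches the node; the default run checks the
# constructed sample offline so the classifier can be exercised anywhere.
case "${1:-}" in
    --apply)
        ver=$(extract_version "$(containerd --version)")
        if containerd_affected "$ver"; then
            echo "containerd $ver is affected, updating node $(hostname)"
            update_node "$(hostname)"
        else
            echo "containerd $ver already carries the fix, nothing to do"
        fi
        ;;
    *)
        ver=$(extract_version "$SAMPLE_VERSION_OUTPUT")
        if containerd_affected "$ver"; then
            echo "sample $ver: affected"
        else
            echo "sample $ver: not affected"
        fi
        ;;
esac
```

Run it with no arguments to exercise the check against the constructed sample, and with `--apply` on a node (as a user that can run kubectl and systemctl) to perform the update. Because `update_node` stops on the first failed step, a node is never left with kubelet running against a stopped containerd without the operator noticing.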