CVE-2022-31030: containerd denial of service vulnerability

On June 7, containerd issued a risk notice for the containerd denial of service vulnerability, which was tracked as CVE-2022-31030 with the CVSS score of 5.5. The denial of service attack occurred in container runtime interface implementations, most notably Containerd. Specifically, the exact same attack that exhausts memory in CRI-O can be used to exhaust the memory of Containerd. This flaw was reported by David Korczynski and Adam Korczynski of ADA Logics.

containerd is an industry-standard container runtime with an emphasis on simplicity, robustness, and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc. containerd is designed to be embedded into a larger system, rather than being used directly by developers or end-users.

A bug was found in containerd’s CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause the containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd’s CRI implementation; ExecSync may be used when running probes or when executing processes via an “exec” facility.

CVE-2022-31030 has been fixed in containerd 1.6.6 and 1.5.13. It’s recommended that users update containerd immediately.