CVE-2022-1708

moderate-risk

Published 2022-06-07

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.

Do I need to act?

0.45% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (10)

Cri-O

Fedora

Openshift Container Platform

Enterprise Linux

Affected Vendors

Redhat Fedoraproject Kubernetes

References (6)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2085361

Patch https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544

Exploit https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2085361

Patch https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544

Exploit https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 16/34 · Moderate