Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-1708 (GCVE-0-2022-1708)
Vulnerability from cvelistv5 – Published: 2022-06-07 17:43 – Updated: 2024-08-03 00:10
VLAI
EPSS
Summary
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
Severity
No CVSS data available.
CWE
- CWE-400 - - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2085361 | x_refsource_MISC |
| https://github.com/cri-o/cri-o/security/advisorie… | x_refsource_MISC |
| https://github.com/cri-o/cri-o/commit/f032cf649ec… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.930Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CRI-O",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Affects cri-o \u003c= 1.24.0, 1.23.2, 1.22.4, Fixed-in 1.24.1, 1.23.3, 1.22.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 - Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-07T17:43:56.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-1708",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CRI-O",
"version": {
"version_data": [
{
"version_value": "Affects cri-o \u003c= 1.24.0, 1.23.2, 1.22.4, Fixed-in 1.24.1, 1.23.3, 1.22.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 - Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"name": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j",
"refsource": "MISC",
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
},
{
"name": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544",
"refsource": "MISC",
"url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-1708",
"datePublished": "2022-06-07T17:43:56.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-1708",
"date": "2026-05-27",
"epss": "0.00464",
"percentile": "0.64509"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.19.7\", \"matchCriteriaId\": \"E25362D4-3C3F-48AF-81AE-50CE805F974A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.20.0\", \"versionEndExcluding\": \"1.20.8\", \"matchCriteriaId\": \"67C3A477-64E2-46BD-9E44-47FB9ED115F3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.21.0\", \"versionEndExcluding\": \"1.21.8\", \"matchCriteriaId\": \"2CF3C397-08CE-4AF8-A168-2A770B2AE3DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.22.0\", \"versionEndExcluding\": \"1.22.5\", \"matchCriteriaId\": \"B6158FA5-6970-4A24-8D7D-5AC9F2C71BA7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.23.0\", \"versionEndExcluding\": \"1.23.3\", \"matchCriteriaId\": \"95D97A9E-BD57-4E36-8D81-B54CFB11ECF1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:kubernetes:cri-o:1.24.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"66A6A88D-64CF-4C2B-99C3-202DE455D50C\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F87326E-0B56-4356-A889-73D026DB1D4B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"932D137F-528B-4526-9A89-CD59FA1AB0FE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"81609549-25CE-4C8A-9DE3-170D23704208\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F4CFF558-3C47-480D-A2F0-BABF26042943\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7F6FB57C-2BC7-487C-96DD-132683AEB35D\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.\"}, {\"lang\": \"es\", \"value\": \"Se ha encontrado una vulnerabilidad en CRI-O que causa el agotamiento de la memoria o del espacio en disco en el nodo para cualquiera que tenga acceso a la API de Kube. La petici\\u00f3n ExecSync ejecuta comandos en un contenedor y registra la salida del comando. Esta salida es le\\u00edda por CRI-O despu\\u00e9s de la ejecuci\\u00f3n del comando, y es le\\u00edda de manera que el archivo completo correspondiente a la salida del comando es le\\u00eddo. As\\u00ed, si la salida del comando es grande es posible agotar la memoria o el espacio en disco del nodo cuando CRI-O lee la salida del comando. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema\"}]",
"id": "CVE-2022-1708",
"lastModified": "2024-11-21T06:41:17.743",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:C\", \"baseScore\": 7.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-06-07T18:15:11.640",
"references": "[{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2085361\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2085361\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-1708\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2022-06-07T18:15:11.640\",\"lastModified\":\"2024-11-21T06:41:17.743\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado una vulnerabilidad en CRI-O que causa el agotamiento de la memoria o del espacio en disco en el nodo para cualquiera que tenga acceso a la API de Kube. La petici\u00f3n ExecSync ejecuta comandos en un contenedor y registra la salida del comando. Esta salida es le\u00edda por CRI-O despu\u00e9s de la ejecuci\u00f3n del comando, y es le\u00edda de manera que el archivo completo correspondiente a la salida del comando es le\u00eddo. As\u00ed, si la salida del comando es grande es posible agotar la memoria o el espacio en disco del nodo cuando CRI-O lee la salida del comando. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C\",\"baseScore\":7.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.19.7\",\"matchCriteriaId\":\"E25362D4-3C3F-48AF-81AE-50CE805F974A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.20.0\",\"versionEndExcluding\":\"1.20.8\",\"matchCriteriaId\":\"67C3A477-64E2-46BD-9E44-47FB9ED115F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.21.0\",\"versionEndExcluding\":\"1.21.8\",\"matchCriteriaId\":\"2CF3C397-08CE-4AF8-A168-2A770B2AE3DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.22.0\",\"versionEndExcluding\":\"1.22.5\",\"matchCriteriaId\":\"B6158FA5-6970-4A24-8D7D-5AC9F2C71BA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.23.0\",\"versionEndExcluding\":\"1.23.3\",\"matchCriteriaId\":\"95D97A9E-BD57-4E36-8D81-B54CFB11ECF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubernetes:cri-o:1.24.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66A6A88D-64CF-4C2B-99C3-202DE455D50C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F87326E-0B56-4356-A889-73D026DB1D4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"932D137F-528B-4526-9A89-CD59FA1AB0FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"81609549-25CE-4C8A-9DE3-170D23704208\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F6FB57C-2BC7-487C-96DD-132683AEB35D\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2085361\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2085361\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
}
}
alsa-2022:7469
Vulnerability from osv_almalinux
Published
2022-11-08 00:00
Modified
2023-01-03 12:15
Summary
Moderate: container-tools:4.0 security and bug fix update
Details
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
- cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)
- golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
- runc: incorrect handling of inheritable capabilities (CVE-2022-29162)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "aardvark-dns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.0.1-35.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.24.5-2.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.24.5-2.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "cockpit-podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "46-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "conmon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.1.4-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.189.0-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containernetworking-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.1-2.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containers-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1-35.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crun"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "fuse-overlayfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0-1.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "netavark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.0.1-35.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "oci-seccomp-bpf-hook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.5-1.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-8.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-catatonit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-8.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-docker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-8.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-gvproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-8.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-8.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-remote"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-8.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:4.0.2-8.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-3.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0-1.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.4-1.module_el8.7.0+3344+484dae7b"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.6.2-5.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:1.6.2-5.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8-2.module_el8.6.0+2877+8e437bf5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8-2.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-0.5.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-0.5.module_el8.7.0+3344+5bcd850f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "udica"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.6-3.module_el8.6.0+2886+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "udica"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.6-3.module_el8.6.0+3137+d33c3efb"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)\n* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)\n* runc: incorrect handling of inheritable capabilities (CVE-2022-29162)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2022:7469",
"modified": "2023-01-03T12:15:28Z",
"published": "2022-11-08T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:7469"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1708"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-27191"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-29162"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2064702"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2085361"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2086398"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2022-7469.html"
}
],
"related": [
"CVE-2022-1708",
"CVE-2022-27191",
"CVE-2022-29162"
],
"summary": "Moderate: container-tools:4.0 security and bug fix update"
}
alsa-2022:7529
Vulnerability from osv_almalinux
Published
2022-11-08 00:00
Modified
2023-01-03 12:15
Summary
Moderate: container-tools:3.0 security update
Details
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
- golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
- cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)
- golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
- prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
- golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
- golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
- golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
- golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
- golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.9-6.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "buildah-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.9-6.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "cockpit-podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "29-2.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "conmon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.0.26-3.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.189.0-1.module_el8.7.0+3406+a17c4180"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.189.0-1.module_el8.6.0+3336+00d107d5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "container-selinux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.189.0-1.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containernetworking-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containernetworking-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "containers-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.2.4-2.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crun"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.18-3.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "crun"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.18-3.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "fuse-overlayfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0-2.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "fuse-overlayfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0-2.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "libslirp-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "oci-seccomp-bpf-hook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-3.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "oci-seccomp-bpf-hook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0-3.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-catatonit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-docker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-remote"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "podman-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-13.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "python3-criu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-73.rc95.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "runc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-73.rc95.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.2.4-2.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "skopeo-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.2.4-2.module_el8.7.0+3297+1eb250cf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "slirp4netns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-1.module_el8.6.0+3136+bfcd65b6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "toolbox-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.99.3-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "udica"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.4-1.module_el8.6.0+2876+9ed4eae2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2022:7529",
"modified": "2023-01-03T12:15:28Z",
"published": "2022-11-08T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:7529"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1705"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1708"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-1962"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-21698"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-28131"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30630"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30631"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-30633"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-32148"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2045880"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2085361"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107342"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107371"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107374"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107376"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107383"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107386"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107390"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2107392"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2022-7529.html"
}
],
"related": [
"CVE-2022-1705",
"CVE-2022-1708",
"CVE-2022-1962",
"CVE-2022-21698",
"CVE-2022-28131",
"CVE-2022-30630",
"CVE-2022-30631",
"CVE-2022-30632",
"CVE-2022-30633",
"CVE-2022-32148"
],
"summary": "Moderate: container-tools:3.0 security update"
}
BDU:2022-03768
Vulnerability from fstec - Published: 07.06.2022
VLAI
Title
Уязвимость программы мониторинга связи между менеджером контейнеров и средой выполнения conmon, связанная с неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
Description
Уязвимость программы мониторинга связи между менеджером контейнеров и средой выполнения conmon связана с неконтролируемым потреблением ресурсов. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, вызвать отказ в обслуживании с помощью специально сформированного запроса ExecSync
Severity
Vendor
Red Hat Inc., ООО «Ред Софт», ФССП России, Сообщество свободного программного обеспечения
Software Name
Red Hat Enterprise Linux, РЕД ОС (запись в едином реестре российских программ №3751), ОС ТД АИС ФССП России, Red Hat OpenShift Container Platform, conmon, CRI-O
Software Version
7 (Red Hat Enterprise Linux), 8 (Red Hat Enterprise Linux), 7.3 (РЕД ОС), ИК6 (ОС ТД АИС ФССП России), 3.11 (Red Hat OpenShift Container Platform), до 2.1.2 (conmon), до 1.24.1 (CRI-O), до 1.23.3 (CRI-O), до 1.22.5 (CRI-O), до 1.21.8 (CRI-O), до 1.20.8 (CRI-O), до 1.19.7 (CRI-O), 4.10 (Red Hat OpenShift Container Platform), 4.6 (Red Hat OpenShift Container Platform), 4.7 (Red Hat OpenShift Container Platform), 4.8 (Red Hat OpenShift Container Platform), 4.9 (Red Hat OpenShift Container Platform)
Possible Mitigations
Использование рекомендаций:
Для conmon:
https://redos.red-soft.ru/support/secure/uyazvimosti/otkaz-v-obsluzhivanii-v-conmon-cve-2022-1708/?sphrase_id=35867
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
https://github.com/containers/conmon/releases
Для CRI-O:
https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
https://bugzilla.redhat.com/show_bug.cgi?id=2085361
Для РЕД ОС:
https://redos.red-soft.ru/support/secure/uyazvimosti/otkaz-v-obsluzhivanii-v-conmon-cve-2022-1708/?sphrase_id=35867
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/cve-2022-1708
Для ОС ТД АИС ФССП России:
https://goslinux.fssp.gov.ru/2726972/
Reference
https://github.com/containers/conmon/releases
https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544
https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
https://redos.red-soft.ru/support/secure/uyazvimosti/otkaz-v-obsluzhivanii-v-conmon-cve-2022-1708/?sphrase_id=35867
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
https://access.redhat.com/security/cve/cve-2022-1708
https://bugzilla.redhat.com/show_bug.cgi?id=2085361
https://www.cybersecurity-help.cz/vdb/SB2022061806
https://vuldb.com/?id.201386
https://goslinux.fssp.gov.ru/2726972/
CWE
CWE-400
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7 (Red Hat Enterprise Linux), 8 (Red Hat Enterprise Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), \u0418\u041a6 (\u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438), 3.11 (Red Hat OpenShift Container Platform), \u0434\u043e 2.1.2 (conmon), \u0434\u043e 1.24.1 (CRI-O), \u0434\u043e 1.23.3 (CRI-O), \u0434\u043e 1.22.5 (CRI-O), \u0434\u043e 1.21.8 (CRI-O), \u0434\u043e 1.20.8 (CRI-O), \u0434\u043e 1.19.7 (CRI-O), 4.10 (Red Hat OpenShift Container Platform), 4.6 (Red Hat OpenShift Container Platform), 4.7 (Red Hat OpenShift Container Platform), 4.8 (Red Hat OpenShift Container Platform), 4.9 (Red Hat OpenShift Container Platform)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\n\u0414\u043b\u044f conmon:\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/otkaz-v-obsluzhivanii-v-conmon-cve-2022-1708/?sphrase_id=35867\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://github.com/containers/conmon/releases\n\n\u0414\u043b\u044f CRI-O:\nhttps://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2085361\n\n\u0414\u043b\u044f \u0420\u0415\u0414 \u041e\u0421:\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/otkaz-v-obsluzhivanii-v-conmon-cve-2022-1708/?sphrase_id=35867\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2022-1708\n\n\u0414\u043b\u044f \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438:\nhttps://goslinux.fssp.gov.ru/2726972/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "07.06.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "27.06.2022",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "27.06.2022",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-03768",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-1708",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Enterprise Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438, Red Hat OpenShift Container Platform, conmon, CRI-O",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Red Hat Inc. Red Hat Enterprise Linux 7 , Red Hat Inc. Red Hat Enterprise Linux 8 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438 \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438 \u0418\u041a6 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0441\u0432\u044f\u0437\u0438 \u043c\u0435\u0436\u0434\u0443 \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440\u043e\u043c \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432 \u0438 \u0441\u0440\u0435\u0434\u043e\u0439 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f conmon, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u043c \u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u0440\u0430\u0441\u0445\u043e\u0434 \u0440\u0435\u0441\u0443\u0440\u0441\u0430 (\u00ab\u0418\u0441\u0442\u043e\u0449\u0435\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u00bb) (CWE-400)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0441\u0432\u044f\u0437\u0438 \u043c\u0435\u0436\u0434\u0443 \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440\u043e\u043c \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432 \u0438 \u0441\u0440\u0435\u0434\u043e\u0439 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f conmon \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u043c \u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441\u0430 ExecSync",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u0441\u0447\u0435\u0440\u043f\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/containers/conmon/releases\nhttps://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544\nhttps://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/otkaz-v-obsluzhivanii-v-conmon-cve-2022-1708/?sphrase_id=35867\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://access.redhat.com/security/cve/cve-2022-1708\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2085361\nhttps://www.cybersecurity-help.cz/vdb/SB2022061806\nhttps://vuldb.com/?id.201386\nhttps://goslinux.fssp.gov.ru/2726972/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-400",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
FKIE_CVE-2022-1708
Vulnerability from fkie_nvd - Published: 2022-06-07 18:15 - Updated: 2024-11-21 06:41
Severity
Summary
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2085361 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544 | Patch | |
| secalert@redhat.com | https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2085361 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| kubernetes | cri-o | * | |
| kubernetes | cri-o | * | |
| kubernetes | cri-o | * | |
| kubernetes | cri-o | * | |
| kubernetes | cri-o | * | |
| kubernetes | cri-o | 1.24.0 | |
| fedoraproject | fedora | 36 | |
| redhat | openshift_container_platform | 3.11 | |
| redhat | openshift_container_platform | 4.0 | |
| redhat | openshift_container_platform | 4.9 | |
| redhat | openshift_container_platform | 4.10 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | enterprise_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E25362D4-3C3F-48AF-81AE-50CE805F974A",
"versionEndExcluding": "1.19.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"matchCriteriaId": "67C3A477-64E2-46BD-9E44-47FB9ED115F3",
"versionEndExcluding": "1.20.8",
"versionStartIncluding": "1.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CF3C397-08CE-4AF8-A168-2A770B2AE3DF",
"versionEndExcluding": "1.21.8",
"versionStartIncluding": "1.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B6158FA5-6970-4A24-8D7D-5AC9F2C71BA7",
"versionEndExcluding": "1.22.5",
"versionStartIncluding": "1.22.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95D97A9E-BD57-4E36-8D81-B54CFB11ECF1",
"versionEndExcluding": "1.23.3",
"versionStartIncluding": "1.23.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubernetes:cri-o:1.24.0:*:*:*:*:*:*:*",
"matchCriteriaId": "66A6A88D-64CF-4C2B-99C3-202DE455D50C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
"matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "81609549-25CE-4C8A-9DE3-170D23704208",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad en CRI-O que causa el agotamiento de la memoria o del espacio en disco en el nodo para cualquiera que tenga acceso a la API de Kube. La petici\u00f3n ExecSync ejecuta comandos en un contenedor y registra la salida del comando. Esta salida es le\u00edda por CRI-O despu\u00e9s de la ejecuci\u00f3n del comando, y es le\u00edda de manera que el archivo completo correspondiente a la salida del comando es le\u00eddo. As\u00ed, si la salida del comando es grande es posible agotar la memoria o el espacio en disco del nodo cuando CRI-O lee la salida del comando. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema"
}
],
"id": "CVE-2022-1708",
"lastModified": "2024-11-21T06:41:17.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-07T18:15:11.640",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-FCM2-6C3H-PG6J
Vulnerability from github – Published: 2022-06-06 21:50 – Updated: 2023-07-24 19:33
VLAI
Summary
Node DOS by way of memory exhaustion through ExecSync request in CRI-O
Details
Description
An ExecSync request runs a command in a container and returns the output to the Kubelet. It is used for readiness and liveness probes within a pod. The way CRI-O runs ExecSync commands is through conmon. CRI-O asks conmon to start the process, and conmon writes the output to disk. CRI-O then reads the output and returns it to the Kubelet.
If the output of the command is large enough, it is possible to exhaust the memory (or disk usage) of the node. The following deployment is an example yaml file that will output around 8GB of ‘A’ characters, which would be written to disk by conmon and read by CRI-O.
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment100
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "seq 1 50000000`; do echo -n 'aaaaaaaaaaaaaaaa'; done"]
Impact
It is possible for the node to be exhausted of memory or disk space, depending on the node the command is being run on. What is further problematic is that the memory and disk usage aren't attributed to the container, as this file and its processing are implementation details of CRI-O. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory and thus causing a denial of service.
Patches
This vulnerability will be fixed in 1.24.1, 1.23.3, 1.22.5, v1.21.8, v1.20.8, v1.19.7
Workarounds
At the time of writing, no workaround exists other than ensuring only trusted images are used.
References
https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf
For more information
If you have any questions or comments about this advisory: * Open an issue in the CRI-O repo * To make a report, email your vulnerability to the private cncf-crio-security@lists.cncf.io list with the security details and the details expected for all CRI-O bug reports.
Credits
Disclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF.
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cri-o/cri-o"
},
"ranges": [
{
"events": [
{
"introduced": "1.24.0"
},
{
"fixed": "1.24.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.24.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/cri-o/cri-o"
},
"ranges": [
{
"events": [
{
"introduced": "1.23.0"
},
{
"fixed": "1.23.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/cri-o/cri-o"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.22.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1708"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-06T21:50:21Z",
"nvd_published_at": "2022-06-07T18:15:00Z",
"severity": "HIGH"
},
"details": "### Description\nAn ExecSync request runs a command in a container and returns the output to the Kubelet. It is used for readiness and liveness probes within a pod. The way CRI-O runs ExecSync commands is through conmon. CRI-O asks conmon to start the process, and conmon writes the output to disk. CRI-O then reads the output and returns it to the Kubelet.\n\nIf the output of the command is large enough, it is possible to exhaust the memory (or disk usage) of the node. The following deployment is an example yaml file that will output around 8GB of \u2018A\u2019 characters, which would be written to disk by conmon and read by CRI-O.\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: nginx-deployment100\nspec:\n selector:\n matchLabels:\n app: nginx\n replicas: 2\n template:\n metadata:\n labels:\n app: nginx\n spec:\n containers:\n - name: nginx\n image: nginx:1.14.2\n lifecycle:\n postStart:\n exec:\n command: [\"/bin/sh\", \"-c\", \"seq 1 50000000`; do echo -n \u0027aaaaaaaaaaaaaaaa\u0027; done\"]\n```\n\n### Impact\nIt is possible for the node to be exhausted of memory or disk space, depending on the node the command is being run on. What is further problematic is that the memory and disk usage aren\u0027t attributed to the container, as this file and its processing are implementation details of CRI-O. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory and thus causing a denial of service.\n\n### Patches\nThis vulnerability will be fixed in 1.24.1, 1.23.3, 1.22.5, v1.21.8, v1.20.8, v1.19.7\n\n### Workarounds\nAt the time of writing, no workaround exists other than ensuring only trusted images are used.\n\n### References\nhttps://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the CRI-O repo](http://github.com/cri-o/cri-o/issues)\n* To make a report, email your vulnerability to the private\n[cncf-crio-security@lists.cncf.io](mailto:cncf-crio-security@lists.cncf.io) list\nwith the security details and the details expected for [all CRI-O bug\nreports](https://github.com/cri-o/cri-o/blob/main/.github/ISSUE_TEMPLATE/bug-report.yml).\n\n### Credits\nDisclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF.\n",
"id": "GHSA-fcm2-6c3h-pg6j",
"modified": "2023-07-24T19:33:40Z",
"published": "2022-06-06T21:50:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1708"
},
{
"type": "WEB",
"url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"type": "PACKAGE",
"url": "https://github.com/cri-o/cri-o"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Node DOS by way of memory exhaustion through ExecSync request in CRI-O"
}
GSD-2022-1708
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-1708",
"description": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.",
"id": "GSD-2022-1708",
"references": [
"https://access.redhat.com/errata/RHSA-2022:4943",
"https://access.redhat.com/errata/RHSA-2022:4947",
"https://access.redhat.com/errata/RHSA-2022:4951",
"https://access.redhat.com/errata/RHSA-2022:4965",
"https://access.redhat.com/errata/RHSA-2022:4972",
"https://access.redhat.com/errata/RHSA-2022:4999",
"https://www.suse.com/security/cve/CVE-2022-1708.html",
"https://access.redhat.com/errata/RHSA-2022:7457",
"https://access.redhat.com/errata/RHSA-2022:7469",
"https://access.redhat.com/errata/RHSA-2022:7529"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-1708"
],
"details": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.",
"id": "GSD-2022-1708",
"modified": "2023-12-13T01:19:27.771511Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-1708",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CRI-O",
"version": {
"version_data": [
{
"version_value": "Affects cri-o \u003c= 1.24.0, 1.23.2, 1.22.4, Fixed-in 1.24.1, 1.23.3, 1.22.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 - Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"name": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j",
"refsource": "MISC",
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
},
{
"name": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544",
"refsource": "MISC",
"url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.22.5||\u003e=1.23.0 \u003c1.23.3||=1.24.0",
"affected_versions": "All versions before 1.22.5, all versions starting from 1.23.0 before 1.23.3, version 1.24.0",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2022-06-06",
"description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) in github.com/cri-o/cri-o.",
"fixed_versions": [
"1.22.5",
"1.23.3",
"1.24.1"
],
"identifier": "GMS-2022-1840",
"identifiers": [
"GHSA-fcm2-6c3h-pg6j",
"GMS-2022-1840",
"CVE-2022-1708"
],
"not_impacted": "",
"package_slug": "go/github.com/cri-o/cri-o",
"pubdate": "2022-06-06",
"solution": "Upgrade to versions 1.24.1, 1.23.3, 1.22.5 or above.",
"title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"urls": [
"https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j",
"https://github.com/advisories/GHSA-fcm2-6c3h-pg6j"
],
"uuid": "d14f2000-3979-4427-ba7d-89360c016e27"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.23.3",
"versionStartIncluding": "1.23.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.22.5",
"versionStartIncluding": "1.22.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.21.8",
"versionStartIncluding": "1.21.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.20.8",
"versionStartIncluding": "1.20.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.19.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:cri-o:1.24.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-1708"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544",
"refsource": "MISC",
"tags": [
"Patch"
],
"url": "https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"name": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-07-24T13:31Z",
"publishedDate": "2022-06-07T18:15Z"
}
}
}
MSRC_CVE-2022-1708
Vulnerability from csaf_microsoft - Published: 2022-06-02 00:00 - Updated: 2026-02-18 01:49Summary
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
7.5 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 19490-17086 | — | ||
| Unresolved product id: 19777-17086 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2022/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2022/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2022-1708 A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-1708.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.",
"tracking": {
"current_release_date": "2026-02-18T01:49:34.000Z",
"generator": {
"date": "2026-02-18T14:15:44.134Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2022-1708",
"initial_release_date": "2022-06-02T00:00:00.000Z",
"revision_history": [
{
"date": "2024-04-01T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-02-18T01:49:34.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 cri-o 1.21.7-1",
"product": {
"name": "\u003ccbl2 cri-o 1.21.7-1",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cbl2 cri-o 1.21.7-1",
"product": {
"name": "cbl2 cri-o 1.21.7-1",
"product_id": "19490"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 cri-o 1.22.3-14",
"product": {
"name": "\u003ccbl2 cri-o 1.22.3-14",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 cri-o 1.22.3-14",
"product": {
"name": "cbl2 cri-o 1.22.3-14",
"product_id": "19777"
}
}
],
"category": "product_name",
"name": "cri-o"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 cri-o 1.21.7-1 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 cri-o 1.21.7-1 as a component of CBL Mariner 2.0",
"product_id": "19490-17086"
},
"product_reference": "19490",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 cri-o 1.22.3-14 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 cri-o 1.22.3-14 as a component of CBL Mariner 2.0",
"product_id": "19777-17086"
},
"product_reference": "19777",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1708",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "general",
"text": "redhat",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"19490-17086",
"19777-17086"
],
"known_affected": [
"17086-2",
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-1708 A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-1708.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-01T00:00:00.000Z",
"details": "1.21.7-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-2",
"17086-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"17086-2",
"17086-1"
]
}
],
"title": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability."
}
]
}
OPENSUSE-SU-2024:12162-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
conmon-2.1.2-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: conmon-2.1.2-1.1 on GA media
Description of the patch: These are all security issues fixed in the conmon-2.1.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12162
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:conmon-2.1.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:conmon-2.1.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:conmon-2.1.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:conmon-2.1.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "conmon-2.1.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the conmon-2.1.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12162",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12162-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-1708 page",
"url": "https://www.suse.com/security/cve/CVE-2022-1708/"
}
],
"title": "conmon-2.1.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12162-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "conmon-2.1.2-1.1.aarch64",
"product": {
"name": "conmon-2.1.2-1.1.aarch64",
"product_id": "conmon-2.1.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "conmon-2.1.2-1.1.ppc64le",
"product": {
"name": "conmon-2.1.2-1.1.ppc64le",
"product_id": "conmon-2.1.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "conmon-2.1.2-1.1.s390x",
"product": {
"name": "conmon-2.1.2-1.1.s390x",
"product_id": "conmon-2.1.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "conmon-2.1.2-1.1.x86_64",
"product": {
"name": "conmon-2.1.2-1.1.x86_64",
"product_id": "conmon-2.1.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2.1.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:conmon-2.1.2-1.1.aarch64"
},
"product_reference": "conmon-2.1.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2.1.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:conmon-2.1.2-1.1.ppc64le"
},
"product_reference": "conmon-2.1.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2.1.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:conmon-2.1.2-1.1.s390x"
},
"product_reference": "conmon-2.1.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2.1.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:conmon-2.1.2-1.1.x86_64"
},
"product_reference": "conmon-2.1.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1708",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-1708"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:conmon-2.1.2-1.1.aarch64",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.s390x",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-1708",
"url": "https://www.suse.com/security/cve/CVE-2022-1708"
},
{
"category": "external",
"summary": "SUSE Bug 1200285 for CVE-2022-1708",
"url": "https://bugzilla.suse.com/1200285"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:conmon-2.1.2-1.1.aarch64",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.s390x",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:conmon-2.1.2-1.1.aarch64",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.ppc64le",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.s390x",
"openSUSE Tumbleweed:conmon-2.1.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-1708"
}
]
}
OPENSUSE-SU-2024:12206-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
cri-o-1.24.1-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: cri-o-1.24.1-1.1 on GA media
Description of the patch: These are all security issues fixed in the cri-o-1.24.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12206
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cri-o-1.24.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cri-o-1.24.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cri-o-1.24.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cri-o-1.24.1-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cri-o-1.24.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cri-o-1.24.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12206",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12206-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-1708 page",
"url": "https://www.suse.com/security/cve/CVE-2022-1708/"
}
],
"title": "cri-o-1.24.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12206-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cri-o-1.24.1-1.1.aarch64",
"product": {
"name": "cri-o-1.24.1-1.1.aarch64",
"product_id": "cri-o-1.24.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64",
"product": {
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64",
"product_id": "cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-1.24.1-1.1.ppc64le",
"product": {
"name": "cri-o-1.24.1-1.1.ppc64le",
"product_id": "cri-o-1.24.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le",
"product": {
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le",
"product_id": "cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-1.24.1-1.1.s390x",
"product": {
"name": "cri-o-1.24.1-1.1.s390x",
"product_id": "cri-o-1.24.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.s390x",
"product": {
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.s390x",
"product_id": "cri-o-kubeadm-criconfig-1.24.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-1.24.1-1.1.x86_64",
"product": {
"name": "cri-o-1.24.1-1.1.x86_64",
"product_id": "cri-o-1.24.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64",
"product": {
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64",
"product_id": "cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-1.24.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cri-o-1.24.1-1.1.aarch64"
},
"product_reference": "cri-o-1.24.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-1.24.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cri-o-1.24.1-1.1.ppc64le"
},
"product_reference": "cri-o-1.24.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-1.24.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cri-o-1.24.1-1.1.s390x"
},
"product_reference": "cri-o-1.24.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-1.24.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cri-o-1.24.1-1.1.x86_64"
},
"product_reference": "cri-o-1.24.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64"
},
"product_reference": "cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le"
},
"product_reference": "cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.s390x"
},
"product_reference": "cri-o-kubeadm-criconfig-1.24.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64"
},
"product_reference": "cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1708",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-1708"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.aarch64",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.ppc64le",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.s390x",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.x86_64",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.s390x",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-1708",
"url": "https://www.suse.com/security/cve/CVE-2022-1708"
},
{
"category": "external",
"summary": "SUSE Bug 1200285 for CVE-2022-1708",
"url": "https://bugzilla.suse.com/1200285"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.aarch64",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.ppc64le",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.s390x",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.x86_64",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.s390x",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.aarch64",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.ppc64le",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.s390x",
"openSUSE Tumbleweed:cri-o-1.24.1-1.1.x86_64",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.aarch64",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.ppc64le",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.s390x",
"openSUSE Tumbleweed:cri-o-kubeadm-criconfig-1.24.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-1708"
}
]
}
RHSA-2022:4943
Vulnerability from csaf_redhat - Published: 2022-06-13 14:40 - Updated: 2026-04-28 06:27Summary
Red Hat Security Advisory: OpenShift Container Platform 4.10.18 packages and security update
Severity
Moderate
Notes
Topic: Red Hat OpenShift Container Platform release 4.10.18 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.10.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.18. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHBA-2022:4944
Security Fix(es):
* cri-o: memory exhaustion on the node when access to the kube api
(CVE-2022-1708)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.
All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
6.8 (Medium)
Affected products
Fixed
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64 | — |
Vendor Fix
fix
|
Known not affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src | — | ||
| Unresolved product id: 8Base-RHOSE-4.10:python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch | — |
Threats
Impact
Moderate
References
9 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2022:4943 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2085361 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2022-1708 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2085361 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-1708 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-1708 | external |
| https://github.com/cri-o/cri-o/security/advisorie… | external |
Acknowledgments
Disclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF
Adam Korcz and David Korczynski
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.10.18 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.10.\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.18. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2022:4944\n\nSecurity Fix(es):\n\n* cri-o: memory exhaustion on the node when access to the kube api\n(CVE-2022-1708)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.\n\nAll OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:4943",
"url": "https://access.redhat.com/errata/RHSA-2022:4943"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2085361",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4943.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.10.18 packages and security update",
"tracking": {
"current_release_date": "2026-04-28T06:27:11+00:00",
"generator": {
"date": "2026-04-28T06:27:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2022:4943",
"initial_release_date": "2022-06-13T14:40:32+00:00",
"revision_history": [
{
"date": "2022-06-13T14:40:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-13T14:40:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-28T06:27:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.10",
"product": {
"name": "Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.10::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.src",
"product": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.src",
"product_id": "conmon-2:2.0.29-3.rhaos4.10.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon@2.0.29-3.rhaos4.10.el8?arch=src\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src",
"product": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src",
"product_id": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src",
"product": {
"name": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src",
"product_id": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-python-agent@8.3.1-0.20220606104811.3c9b113.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product_id": "conmon-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon@2.0.29-3.rhaos4.10.el8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product": {
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product_id": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon-debugsource@2.0.29-3.rhaos4.10.el8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product": {
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product_id": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon-debuginfo@2.0.29-3.rhaos4.10.el8?arch=x86_64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product_id": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product": {
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product_id": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product_id": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product_id": "conmon-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon@2.0.29-3.rhaos4.10.el8?arch=aarch64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product": {
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product_id": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon-debugsource@2.0.29-3.rhaos4.10.el8?arch=aarch64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product": {
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product_id": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon-debuginfo@2.0.29-3.rhaos4.10.el8?arch=aarch64\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product_id": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product": {
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product_id": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product": {
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product_id": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product_id": "conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon@2.0.29-3.rhaos4.10.el8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product": {
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product_id": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon-debugsource@2.0.29-3.rhaos4.10.el8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product": {
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product_id": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon-debuginfo@2.0.29-3.rhaos4.10.el8?arch=ppc64le\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product_id": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product": {
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product_id": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product": {
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product_id": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.s390x",
"product": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.s390x",
"product_id": "conmon-2:2.0.29-3.rhaos4.10.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon@2.0.29-3.rhaos4.10.el8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x",
"product": {
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x",
"product_id": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon-debugsource@2.0.29-3.rhaos4.10.el8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x",
"product": {
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x",
"product_id": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conmon-debuginfo@2.0.29-3.rhaos4.10.el8?arch=s390x\u0026epoch=2"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product_id": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product": {
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product_id": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product": {
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product_id": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.3-3.rhaos4.10.git5fe1720.el8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"product": {
"name": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"product_id": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-ironic-python-agent@8.3.1-0.20220606104811.3c9b113.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"product": {
"name": "python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"product_id": "python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-ironic-python-agent@8.3.1-0.20220606104811.3c9b113.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.aarch64"
},
"product_reference": "conmon-2:2.0.29-3.rhaos4.10.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le"
},
"product_reference": "conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.s390x"
},
"product_reference": "conmon-2:2.0.29-3.rhaos4.10.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.src"
},
"product_reference": "conmon-2:2.0.29-3.rhaos4.10.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-2:2.0.29-3.rhaos4.10.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.x86_64"
},
"product_reference": "conmon-2:2.0.29-3.rhaos4.10.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64"
},
"product_reference": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le"
},
"product_reference": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x"
},
"product_reference": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64"
},
"product_reference": "conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64"
},
"product_reference": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le"
},
"product_reference": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x"
},
"product_reference": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64"
},
"product_reference": "conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64"
},
"product_reference": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le"
},
"product_reference": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x"
},
"product_reference": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src"
},
"product_reference": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64"
},
"product_reference": "cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64"
},
"product_reference": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le"
},
"product_reference": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x"
},
"product_reference": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64"
},
"product_reference": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le"
},
"product_reference": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x"
},
"product_reference": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64"
},
"product_reference": "cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch"
},
"product_reference": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src"
},
"product_reference": "openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch"
},
"product_reference": "python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.10"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Adam Korcz and David Korczynski"
],
"organization": "Disclosed by Ada Logics in a security audit sponsored by CNCF and facilitated by OSTIF"
}
],
"cve": "CVE-2022-1708",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-05-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src",
"8Base-RHOSE-4.10:python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2085361"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cri-o: memory exhaustion on the node when access to the kube api",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability exists in reading of the output file from the ExecSync command, by the CRI-O in the Kubernetes,if the file were to be too large, then this would lead to resource exhaustion,the attack is purely theoretical in nature and would only lead to a denial of service,moreover the attacker would require code execution to exploit this making this a moderate vulnerability at best.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.src",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64"
],
"known_not_affected": [
"8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src",
"8Base-RHOSE-4.10:python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1708"
},
{
"category": "external",
"summary": "RHBZ#2085361",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2085361"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1708",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1708"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1708",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1708"
},
{
"category": "external",
"summary": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j",
"url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j"
}
],
"release_date": "2022-06-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-13T14:40:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation,\nwhich will be updated shortly for this release, for important instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.src",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:4943"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.src",
"8Base-RHOSE-4.10:conmon-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-debuginfo-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.aarch64",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.ppc64le",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.s390x",
"8Base-RHOSE-4.10:conmon-debugsource-2:2.0.29-3.rhaos4.10.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.3-3.rhaos4.10.git5fe1720.el8.x86_64",
"8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch",
"8Base-RHOSE-4.10:openstack-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.src",
"8Base-RHOSE-4.10:python3-ironic-python-agent-0:8.3.1-0.20220606104811.3c9b113.el8.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cri-o: memory exhaustion on the node when access to the kube api"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…