Headline
GHSA-2qjp-425j-52j9: containerd CRI stream server vulnerable to host memory exhaustion via terminal
Impact
A bug was found in containerd’s CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user’s process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd’s CRI implementation and the stream server is used for handling container IO.
Patches
This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
For more information
If you have any questions or comments about this advisory:
- Open an issue in containerd
- Email us at [email protected]
To report a security issue in containerd:
- Report a new vulnerability
- Email us at [email protected]
Impact
A bug was found in containerd’s CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user’s process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd’s CRI implementation and the stream server is used for handling container IO.
Patches
This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
For more information
If you have any questions or comments about this advisory:
- Open an issue in containerd
- Email us at [email protected]
To report a security issue in containerd:
- Report a new vulnerability
- Email us at [email protected]
References
- GHSA-2qjp-425j-52j9
- containerd/containerd@241563b
- https://github.com/containerd/containerd/releases/tag/v1.5.16
- https://github.com/containerd/containerd/releases/tag/v1.6.12
Related news
Gentoo Linux Security Advisory 202401-31 - Multiple vulnerabilities have been found in containerd, the worst of which could result in privilege escalation. Versions greater than or equal to 1.6.14 are affected.
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Ubuntu Security Notice 5776-1 - It was discovered that containerd incorrectly handled memory when receiving certain faulty Exec or ExecSync commands. A remote attacker could possibly use this issue to cause a denial of service or crash containerd. It was discovered that containerd incorrectly set up inheritable file capabilities. An attacker could possibly use this issue to escalate privileges inside a container. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.