5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23471

GHSA ID

GHSA-2qjp-425j-52j9

EPSS Score

0.42264%

CWE

CWE-400

Published

12/7/2022

Updated

1/31/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23471

CVE-2022-23471: containerd CRI stream server vulnerable to host memory exhaustion via terminal

Impact

A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO.

Patches

This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.

For more information

If you have any questions or comments about this advisory:

Open an issue in containerd
Email us at security@containerd.io

To report a security issue in containerd:

Report a new vulnerability
Email us at security@containerd.io

(GitHub Advisory)

5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23471

GHSA ID

GHSA-2qjp-425j-52j9

EPSS Score

0.42264%

CWE

CWE-400

Published

12/7/2022

Updated

1/31/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/containerd/containerd	go	< 1.5.16	1.5.16
github.com/containerd/containerd	go	>= 1.6.0, < 1.6.12	1.6.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions: 1) handleResizeEvents lacked context-aware termination, leaving orphaned goroutines when container processes failed to start. 2) createStreams started these goroutines without proper context propagation. The patch adds context handling in both locations - passing req.Context() to handleResizeEvents in createStreams, and implementing context cancellation checks in handleResizeEvents' select statement. The commit diff and CVE description directly correlate to these code paths managing terminal resize event handling and goroutine lifecycle.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * *u* w*s *oun* in *ont*in*r*'s *RI impl*m*nt*tion w**r* * us*r **n *x**ust m*mory on t** *ost. In t** *RI str**m s*rv*r, * *oroutin* is l*un**** to **n*l* t*rmin*l r*siz* *v*nts i* * TTY is r*qu*st**. I* t** us*r's pro**ss **ils to l*un*

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *) `**n*l*R*siz**v*nts` l**k** *ont*xt-*w*r* t*rmin*tion, l**vin* orp**n** *oroutin*s w**n *ont*in*r pro**ss*s **il** to st*rt. *) `*r**t*Str**ms` st*rt** t**s* *oroutin*s wit*out prop*r *ont*xt prop***

5.7

Basic Information

Concerned about an active attack path?

CVE-2022-23471: containerd CRI stream server vulnerable to host memory exhaustion via terminal

Impact

Patches

Workarounds

For more information

5.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI