CVE-2022-31079

Uncontrolled Resource Consumption in go/github.com/kubeedge/kubeedge

Identifiers

GHSA-wrcr-x4qj-j543, CVE-2022-31079

Package Slug

go/github.com/kubeedge/kubeedge

Vulnerability

Uncontrolled Resource Consumption

Description

KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the Cloud Stream server and the Edge Stream server reads the entire message into memory without imposing a limit on the size of this message. An attacker can exploit this by sending a large message to exhaust memory and cause a DoS. The Cloud Stream server and the Edge Stream server are under DoS attack in this case. The consequence of the exhaustion is that the CloudCore and EdgeCore will be in a denial of service. Only an authenticated user can cause this issue. It will be affected only when users enable cloudStream module in the config file cloudcore.yaml and enable edgeStream module in the config file edgecore.yaml. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable cloudStream module in the config file cloudcore.yaml and disable edgeStream module in the config file edgecore.yaml.

Affected Versions

All versions before 1.9.4, all versions starting from 1.10.0 before 1.10.2, all versions starting from 1.11.0 before 1.11.1

Solution

Upgrade to versions 1.10.2, 1.11.1, 1.9.4 or above.

Last Modified

2022-07-24

source