Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
containerd CRI stream server: Host memory exhaustion through terminal resize goroutine leak
Vulnerability Description
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Vulnerability Title
containerd 资源管理错误漏洞
Vulnerability Description
Apache containerd是美国阿帕奇(Apache)基金会的一个容器守护进程。该进程根据 RunC OCI 规范负责控制宿主机上容器的完整周期。 containerd 1.6.12之前版本、1.5.16之前版本中存在资源管理错误漏洞,该漏洞源于在 containerd 的 CRI 实现中发现了一个错误,攻击者利用该漏洞可以耗尽主机上的内存。
CVSS Information
N/A
Vulnerability Type
N/A