CVE-2022-31073

KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. It is possible for the node to be exhausted of memory. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory and thus causing a denial of service. Malicious apps accidentally pulled by users on the host and have the access to send HTTP requests to localhost may make an attack. It will be affected only when users enable the `ServiceBus` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the `ServiceBus` module in the config file `edgecore.yaml`.
References
Link Resource
https://github.com/kubeedge/kubeedge/pull/4038 Issue Tracking Patch Third Party Advisory
https://github.com/kubeedge/kubeedge/pull/4039 Issue Tracking Patch Third Party Advisory
https://github.com/kubeedge/kubeedge/pull/4042 Issue Tracking Patch Third Party Advisory
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:linuxfoundation:kubeedge:*:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:kubeedge:*:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:kubeedge:*:*:*:*:*:*:*:*

History

16 Jul 2022, 13:38

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 7.5
CPE cpe:2.3:a:linuxfoundation:kubeedge:*:*:*:*:*:*:*:*
First Time Linuxfoundation
Linuxfoundation kubeedge
References (CONFIRM) https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh - (CONFIRM) https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh - Exploit, Third Party Advisory
References (MISC) https://github.com/kubeedge/kubeedge/pull/4038 - (MISC) https://github.com/kubeedge/kubeedge/pull/4038 - Issue Tracking, Patch, Third Party Advisory
References (MISC) https://github.com/kubeedge/kubeedge/pull/4042 - (MISC) https://github.com/kubeedge/kubeedge/pull/4042 - Issue Tracking, Patch, Third Party Advisory
References (MISC) https://github.com/kubeedge/kubeedge/pull/4039 - (MISC) https://github.com/kubeedge/kubeedge/pull/4039 - Issue Tracking, Patch, Third Party Advisory

11 Jul 2022, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-07-11 20:15

Updated : 2023-12-10 14:35


NVD link : CVE-2022-31073

Mitre link : CVE-2022-31073

CVE.ORG link : CVE-2022-31073


JSON object : View

Products Affected

linuxfoundation

  • kubeedge
CWE
CWE-400

Uncontrolled Resource Consumption