CVE-2022-31073
KubeEdge Edge ServiceBus module DoS
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. It is possible for the node to be exhausted of memory. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory and thus causing a denial of service. Malicious apps accidentally pulled by users on the host and have the access to send HTTP requests to localhost may make an attack. It will be affected only when users enable the `ServiceBus` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the `ServiceBus` module in the config file `edgecore.yaml`.
KubeEdge es un sistema de código abierto para extender las capacidades de orquestación de aplicaciones nativas en contenedores a los hosts en Edge. En versiones anteriores a 1.11.1, 1.10.2 y 1.9.4, el servidor ServiceBus en el lado del borde puede ser susceptible de un ataque DoS si le es enviada una petición HTTP que contenga un cuerpo muy grande. Es posible que el nodo quede sin memoria. La consecuencia del agotamiento es que otros servicios en el nodo, por ejemplo, otros contenedores, serán incapaces de asignar memoria, causando así una denegación de servicio. Las aplicaciones maliciosas que accidentalmente sean arrastradas por los usuarios en el host y tengan acceso a enviar peticiones HTTP al localhost pueden realizar un ataque. Sólo está afectado cuando los usuarios habiliten el módulo "ServiceBus" en el archivo de configuración "edgecore.yaml". Este error ha sido corregido en Kubeedge versiones 1.11.1, 1.10.2 y 1.9.4. Como mitigación, deshabilite el módulo "ServiceBus" en el archivo de configuración "edgecore.yaml"
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-05-18 CVE Reserved
- 2022-07-11 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-10-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (4)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/kubeedge/kubeedge/pull/4038 | 2022-07-16 | |
| https://github.com/kubeedge/kubeedge/pull/4039 | 2022-07-16 | |
| https://github.com/kubeedge/kubeedge/pull/4042 | 2022-07-16 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Kubeedge Search vendor "Linuxfoundation" for product "Kubeedge" | < 1.9.4 Search vendor "Linuxfoundation" for product "Kubeedge" and version " < 1.9.4" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Kubeedge Search vendor "Linuxfoundation" for product "Kubeedge" | >= 1.10.0 < 1.10.2 Search vendor "Linuxfoundation" for product "Kubeedge" and version " >= 1.10.0 < 1.10.2" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Kubeedge Search vendor "Linuxfoundation" for product "Kubeedge" | >= 1.11.0 < 1.11.1 Search vendor "Linuxfoundation" for product "Kubeedge" and version " >= 1.11.0 < 1.11.1" | - |
Affected
| ||||||