CVE-2022-36049
Flux2 Helm Controller denial of service
- Public Exploits: 0
- Exploited in Wild: -
Description
Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm-controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows specific data inputs to cause high memory consumption. On some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared-cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants the reconciliation of their Helm releases. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.
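The practical defender's question for this record is whether a given cluster runs helm-controller (or a standalone Helm binary) inside the affected ranges. The following is an added example, not code from the advisory or from the Flux project: it encodes the version ranges stated above (inclusive lower bound, exclusive first-fixed version) and checks version strings or container image references against them. The image references in the sample input are constructed for the example.

```python
"""Check Flux2 / helm-controller / Helm versions against the affected ranges for CVE-2022-36049.

Added example. The ranges below are the ones stated in the advisory text; the sample
image references in audit_images() are constructed, not taken from any real cluster.
"""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated on the page: (inclusive lower bound, exclusive upper bound).
# The upper bound is the first patched release.
AFFECTED_RANGES = {
    "flux2": ((0, 0, 17), (0, 32, 0)),
    "helm-controller": ((0, 0, 4), (0, 23, 0)),
    "helm": ((3, 0, 0), (3, 9, 4)),
}

_SEMVER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a version string such as 'v0.22.2' or '3.9.3'.
    Returns None when no semantic version is present."""
    m = _SEMVER.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(component: str, version: str) -> bool:
    """True when `version` of `component` satisfies lower <= version < first_fixed."""
    lower, fixed = AFFECTED_RANGES[component]
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"cannot parse a version from {version!r}")
    return lower <= parsed < fixed


def split_image(image: str) -> Tuple[str, str]:
    """Split 'registry/org/name:tag' into ('name', 'tag').
    The tag is taken after the last ':' so registries with a port are handled."""
    name_part, _, tag = image.rpartition(":")
    if not name_part:            # no tag at all
        name_part, tag = image, ""
    name = name_part.rsplit("/", 1)[-1]
    return name, tag


def audit_images(images: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Given container image references (e.g. collected from pod specs), return
    (image, component, affected) for every image whose name matches a tracked component.
    Images of untracked components are skipped; images without a parseable tag are
    reported as not affected but would deserve manual review."""
    findings = []
    for image in images:
        name, tag = split_image(image)
        if name not in AFFECTED_RANGES:
            continue
        affected = parse_version(tag) is not None and is_affected(name, tag)
        findings.append((image, name, affected))
    return findings


if __name__ == "__main__":
    # Constructed sample input: what a pod-spec inventory of a flux-system namespace might yield.
    sample = [
        "ghcr.io/fluxcd/helm-controller:v0.22.2",
        "ghcr.io/fluxcd/source-controller:v0.30.0",
        "ghcr.io/fluxcd/helm-controller:v0.23.0",
    ]
    for image, component, affected in audit_images(sample):
        print(f"{image}: {'AFFECTED' if affected else 'ok'} ({component})")
```

Only helm-controller appears as a cluster image; the flux2 range applies to the `flux` CLI and the helm range to a standalone Helm binary, so those two are checked by passing the reported version string to `is_affected` directly.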
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-07-15: CVE Reserved
- 2022-09-07: CVE Published
- 2024-08-03: CVE Updated
- 2024-12-17: EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (4)
URL | Tag | Source
---|---|---
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44996 | Mailing List |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48360 | Mailing List |
https://github.com/fluxcd/flux2/security/advisories/GHSA-p2g7-xwvr-rrw3 | Third Party Advisory |
https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Helm | Helm | >= 3.0.0 < 3.9.4 | - | Affected
Fluxcd | Flux2 | >= 0.0.17 < 0.32.0 | - | Affected
Fluxcd | Helm-controller | >= 0.0.4 < 0.23.0 | - | Affected