
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-1708 is a vulnerability discovered in CRI-O, affecting versions up to 1.24.0, 1.23.2, and 1.22.4. The vulnerability was disclosed in June 2022 and involves a memory exhaustion issue that can occur when executing commands in containers through the ExecSync functionality. This vulnerability affects systems running CRI-O as their container runtime interface (GitHub Advisory).
The vulnerability exists in CRI-O's ExecSync request functionality, which is used for running commands in containers and returning output to the Kubelet, particularly for readiness and liveness probes within a pod. The issue occurs in the way CRI-O handles command execution through conmon: when conmon writes command output to disk, and CRI-O subsequently reads this output, there is no limit on the size of the output that can be processed. This can lead to excessive memory or disk usage when processing large command outputs (GitHub Advisory).
The vulnerability can be triggered by anyone with access to the Kubernetes API and results in memory or disk space exhaustion on the node. What makes this particularly concerning is that the memory and disk usage aren't attributed to the container, because the file processing is handled by CRI-O's own implementation rather than inside the container's cgroup. This can lead to denial of service conditions in which other services on the node, including other containers, become unable to allocate memory (GitHub Advisory).
The vulnerability has been patched in CRI-O versions 1.24.1, 1.23.3, 1.22.5, 1.21.8, 1.20.8, and 1.19.7. Prior to the patch, the only workaround was to ensure that only trusted images were used in the environment. The fix implements a cap on the maximum size of exec sync output that CRI-O will process (GitHub Advisory, Red Hat CVE).
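The following Go snippet is an added illustration of the pattern described above and is not CRI-O's own code: an unbounded read of a runtime-written output file beside a capped read. The function names, the `ErrOutputTooLarge` value, the `ExecOutput` struct and the 1 MiB cap are assumptions chosen for the example; the constructed input stands in for the file conmon writes for an ExecSync call.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrOutputTooLarge signals that the exec output exceeded the configured cap.
// Constructed for this example; not an identifier from CRI-O.
var ErrOutputTooLarge = errors.New("exec sync output exceeds configured maximum size")

// ExecOutput is a hypothetical result type: the (possibly truncated) bytes of
// each stream plus a flag telling the caller that truncation happened.
type ExecOutput struct {
	Stdout    []byte
	Stderr    []byte
	Truncated bool
}

// readUnbounded mirrors the risky pattern: whatever the runtime wrote to the
// output file is pulled entirely into the runtime's memory, with no upper bound.
// The allocation is charged to the process doing the read, not to the container.
func readUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readCapped reads at most maxBytes from r. It asks for one extra byte so it can
// tell "exactly maxBytes" apart from "more than maxBytes"; in the latter case the
// truncated prefix is returned together with ErrOutputTooLarge.
func readCapped(r io.Reader, maxBytes int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > maxBytes {
		return buf[:maxBytes], ErrOutputTooLarge
	}
	return buf, nil
}

// collectExecOutput applies the cap to both streams and reports truncation
// instead of failing the whole call, so a chatty probe degrades to a truncated
// result rather than to an unbounded allocation on the node.
func collectExecOutput(stdout, stderr io.Reader, maxBytes int64) (ExecOutput, error) {
	var out ExecOutput
	var err error
	out.Stdout, err = readCapped(stdout, maxBytes)
	if errors.Is(err, ErrOutputTooLarge) {
		out.Truncated = true
	} else if err != nil {
		return ExecOutput{}, err
	}
	out.Stderr, err = readCapped(stderr, maxBytes)
	if errors.Is(err, ErrOutputTooLarge) {
		out.Truncated = true
	} else if err != nil {
		return ExecOutput{}, err
	}
	return out, nil
}

const maxExecOutputBytes int64 = 1 << 20 // assumed cap of 1 MiB per stream

func main() {
	// Constructed stand-in for a command that prints far more than a probe needs.
	big := bytes.Repeat([]byte("A"), 3<<20) // 3 MiB
	small := []byte("ok\n")

	all, _ := readUnbounded(bytes.NewReader(big))
	fmt.Printf("unbounded read held %d bytes in memory\n", len(all))

	res, err := collectExecOutput(bytes.NewReader(big), bytes.NewReader(small), maxExecOutputBytes)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("capped read held %d stdout bytes, %d stderr bytes, truncated=%v\n",
		len(res.Stdout), len(res.Stderr), res.Truncated)
}
```

The design choice worth noting is that the cap is enforced at read time with `io.LimitReader`, so the bound holds regardless of how large the file on disk already is; a cap applied only after `io.ReadAll` would still allow the full allocation to happen first.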
Source: This report was generated using AI