CVE-2022-31030: 
Docker vulnerability analysis and mitigation

A bug was found in containerd's CRI (Container Runtime Interface) implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. The vulnerability, identified as CVE-2022-31030, was discovered in June 2022 and affects containerd versions ≤ 1.5.12, 1.6.0-1.6.5 (GitHub Advisory).

The vulnerability exists in the ExecSync API implementation where there was no limit on memory consumption during execution. When running probes or executing processes via an 'exec' facility, the containerd daemon could be made to consume memory without bounds. This affects both Kubernetes and crictl configurations that use containerd's CRI implementation (Openwall).

When exploited, this vulnerability can cause containerd to consume all available memory on the computer, resulting in denial of service to other legitimate workloads. This impact is particularly significant in multi-tenant environments where container isolation is crucial (GitHub Advisory, Ubuntu Notice).

The vulnerability has been patched in containerd versions 1.6.6 and 1.5.13. Users are advised to update to these versions to resolve the issue. As a temporary workaround, administrators should ensure that only trusted images and commands are used within containers (GitHub Advisory, Openwall).

The vulnerability was discovered by David Korczynski and Adam Korczynski of ADA Logics during a security audit sponsored by CNCF and facilitated by OSTIF. The containerd project acknowledged their responsible disclosure in accordance with the containerd security policy (GitHub Advisory).