
Cloud Vulnerability DB
A community-led vulnerabilities database
KubeEdge, an open source system for extending native containerized application orchestration capabilities to hosts at the edge, was found to contain a Denial of Service (DoS) vulnerability (CVE-2022-31075), discovered in July 2022. The vulnerability affects KubeEdge versions <= 1.11.0, 1.10.1, and 1.9.3, specifically the CloudHub module when it is enabled in the cloudcore.yaml configuration file (GitHub Advisory).
The vulnerability exists in the CloudHub HTTP service when processing requests to the /edge.crt endpoint. When an attacker sends a well-crafted HTTP request with a very large body to CloudHub, it can cause memory exhaustion as the request body is read entirely into memory. The vulnerability has a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).
If successfully exploited, the vulnerability can lead to a Denial of Service condition affecting the CloudHub service. The attack can cause the HTTP service to crash through memory exhaustion, making CloudHub unavailable. However, the attack requires authentication, limiting the potential attackers to authorized users (GitHub Advisory).
The vulnerability has been patched in KubeEdge versions 1.11.1, 1.10.2, and 1.9.4. Users are advised to upgrade to these patched versions. As a temporary workaround, users can disable the CloudHub module in the config file cloudcore.yaml if immediate patching is not possible (GitHub Advisory).
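The unbounded body read described above, next to a size-capped handler, as an added Go example. This is not KubeEdge's code or its actual patch: the handler names, the 1 MiB cap, the POST method and the constructed request bodies are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is an assumed cap for this example, not a value taken from KubeEdge.
const maxBodyBytes = 1 << 20 // 1 MiB

// unboundedHandler shows the risky pattern: the whole body is buffered in memory.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body) // allocation grows with whatever the client sends
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// boundedHandler rejects an oversized declared length up front, then caps the
// actual read so chunked bodies (unknown length) cannot exceed the limit either.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	if r.ContentLength > maxBodyBytes {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil { // the reader fails once the cap is exceeded
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// postStatus sends a constructed n-byte body to h in-process and returns the
// HTTP status. chunked=true hides the length, as chunked transfer encoding would.
func postStatus(h http.HandlerFunc, n int, chunked bool) int {
	req := httptest.NewRequest(http.MethodPost, "/edge.crt", strings.NewReader(strings.Repeat("A", n)))
	if chunked {
		req.ContentLength = -1
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(postStatus(unboundedHandler, 2<<20, true), postStatus(boundedHandler, 2<<20, true))
}
```

The declared-length check alone is not enough, because a client can omit or understate the length; the capped reader is what bounds memory use on the read path.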
Source: This report was generated using AI