
Cloud Vulnerability DB
A community-led vulnerabilities database
KubeEdge, a platform built upon Kubernetes that extends native containerized application orchestration and device management to Edge hosts, was found to contain a vulnerability where a malicious message response could crash the CSI Driver controller server. The vulnerability (CVE-2022-31077) was discovered in June 2022 and affected versions <=1.10.0, 1.9.2, and 1.8.2. The issue was patched in versions 1.11.0, 1.10.1, and 1.9.3 (GitHub Advisory).
The vulnerability involves a nil-pointer dereference panic that can be triggered by a malicious message response from KubeEdge. The issue was discovered through fuzzing KubeEdge via OSS-Fuzz. The vulnerability has a CVSS v3.1 base score of 4.0 (Moderate) with the following vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H. The attack requires adjacent network access, high attack complexity, high privileges, and user interaction (GitHub Advisory).
When exploited, the vulnerability results in a denial of service condition for the CSI Driver controller. The attack only affects availability, with no impact on confidentiality or integrity. The scope is unchanged, meaning the vulnerable component cannot impact resources beyond its security scope (GitHub Advisory).
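The vector quoted above can be checked against the stated 4.0 score. The following Go program is an added example, not code from this page or from the KubeEdge project: it parses a CVSS v3.1 vector string and recomputes the base score with the metric weights and formulas from the CVSS v3.1 specification, covering scope-changed vectors as well as the unchanged-scope one here. The function and variable names are my own.

```go
package main
import "fmt"
import "math"
import "strings"

// CVSS v3.1 base-metric weights. PR depends on Scope, so its key is the PR value followed by the S value.
var weights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44}, "UI": {"N": 0.85, "R": 0.62},
	"PR": {"NU": 0.85, "NC": 0.85, "LU": 0.62, "LC": 0.68, "HU": 0.27, "HC": 0.5},
	"C": {"H": 0.56, "L": 0.22, "N": 0}, "I": {"H": 0.56, "L": 0.22, "N": 0}, "A": {"H": 0.56, "L": 0.22, "N": 0},
}

// roundUp is the spec's Roundup(): the smallest one-decimal value >= x, done in 1e-5 integer units to avoid float drift.
func roundUp(x float64) float64 {
	n := int64(math.Round(x * 100000))
	return float64((n+9999)/10000) / 10 // integer ceiling division to one decimal place
}

// BaseScore parses a "CVSS:3.1/..." vector string and returns its base score per the v3.1 specification.
func BaseScore(vector string) (float64, error) {
	m := map[string]string{}
	for _, part := range strings.Split(vector, "/") {
		if kv := strings.SplitN(part, ":", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	if m["CVSS"] != "3.1" {
		return 0, fmt.Errorf("not a CVSS v3.1 vector: %q", vector)
	}
	v, suffix := map[string]float64{}, map[string]string{"PR": m["S"]} // a bad S value fails the PR lookup
	for _, k := range []string{"AV", "AC", "PR", "UI", "C", "I", "A"} {
		w, ok := weights[k][m[k]+suffix[k]]
		if !ok {
			return 0, fmt.Errorf("bad or missing metric %s in %q", k, vector)
		}
		v[k] = w
	}
	iss := 1 - (1-v["C"])*(1-v["I"])*(1-v["A"]) // Impact Sub-Score
	impact, scale := 6.42*iss, 1.0
	if m["S"] == "C" { // Scope changed: steeper impact curve and a 1.08 multiplier on the sum
		impact, scale = 7.52*(iss-0.029)-3.25*math.Pow(iss-0.02, 15), 1.08
	}
	if impact <= 0 { // no confidentiality, integrity or availability impact scores 0
		return 0, nil
	}
	return roundUp(math.Min(scale*(impact+8.22*v["AV"]*v["AC"]*v["PR"]*v["UI"]), 10)), nil
}
func main() {
	fmt.Println(BaseScore("CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H")) // the advisory's vector: prints "4 <nil>"
}
```

For this vector the impact term is 6.42 × 0.56 = 3.5952 and the exploitability term is 8.22 × 0.62 × 0.44 × 0.27 × 0.62 ≈ 0.375, and rounding their sum up to one decimal gives the advisory's 4.0.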
The vulnerability has been fixed in KubeEdge versions 1.11.0, 1.10.1, and 1.9.3. Users are advised to update to these patched versions to resolve the issue. No workarounds were available at the time of the vulnerability disclosure (GitHub Advisory).
The vulnerability was responsibly disclosed by David Korczynski and Adam Korczynski of ADA Logics during a security audit sponsored by CNCF and facilitated by OSTIF. The issue was discovered through the OSS-Fuzz program, demonstrating the effectiveness of continuous fuzzing in identifying security vulnerabilities (GitHub Advisory).
Source: This report was generated using AI