CVE-2022-31073 — MEDIUM (6.5)

Q: How severe is CVE-2022-31073?

CVE-2022-31073 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-31073?

Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Kubeedge.

Vulnerability Description

KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. It is possible for the node to be exhausted of memory. The consequence of the exhaustion is that other services on the node, e.g. other containers, will be unable to allocate memory and thus causing a denial of service. Malicious apps accidentally pulled by users on the host and have the access to send HTTP requests to localhost may make an attack. It will be affected only when users enable the `ServiceBus` module in the config file `edgecore.yaml`. This bug has been fixed in Kubeedge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the `ServiceBus` module in the config file `edgecore.yaml`.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Linuxfoundation	Kubeedge	< 1.9.4

Related Weaknesses (CWE)

CWE-400

References

https://github.com/kubeedge/kubeedge/pull/4038Issue TrackingPatchThird Party Advisory
https://github.com/kubeedge/kubeedge/pull/4039Issue TrackingPatchThird Party Advisory
https://github.com/kubeedge/kubeedge/pull/4042Issue TrackingPatchThird Party Advisory
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rhExploitThird Party Advisory
https://github.com/kubeedge/kubeedge/pull/4038Issue TrackingPatchThird Party Advisory
https://github.com/kubeedge/kubeedge/pull/4039Issue TrackingPatchThird Party Advisory
https://github.com/kubeedge/kubeedge/pull/4042Issue TrackingPatchThird Party Advisory
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rhExploitThird Party Advisory

FAQ

What is CVE-2022-31073?

CVE-2022-31073 is a vulnerability with a CVSS score of 6.5 (MEDIUM). KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, the ServiceBus server on the ...

How severe is CVE-2022-31073?

CVE-2022-31073 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-31073?

Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Kubeedge.