CVE-2022-31074: CWE-400: Uncontrolled Resource Consumption in kubeedge kubeedge
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, several endpoints in the Cloud AdmissionController may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to them. The consequence of the exhaustion is that the Cloud AdmissionController will be in denial of service. This bug has been fixed in KubeEdge 1.11.1, 1.10.2, and 1.9.4. There is currently no known workaround.
AI Analysis
Technical Summary
CVE-2022-31074 is an uncontrolled resource consumption flaw (CWE-400) in the KubeEdge platform. KubeEdge is an open-source system that extends Kubernetes-style container orchestration to edge hosts. The vulnerability affects the Cloud AdmissionController component in versions prior to 1.11.1, 1.10.2, and 1.9.4. The issue arises when the AdmissionController processes an HTTP request whose body is excessively large: handling such a body consumes memory or CPU in proportion to the size the client chose to send, and the resulting resource exhaustion leaves the Cloud AdmissionController in a denial of service (DoS) state. Because the component cannot respond, the orchestration and management of edge nodes and workloads can be disrupted. No authentication or user interaction is required; the condition is triggered by a crafted HTTP request sent directly to the affected endpoints. No exploits in the wild have been reported, but unpatched deployments remain exposed. The issue is fixed in KubeEdge 1.11.1, 1.10.2, and 1.9.4; no workaround is available for earlier versions.
Potential Impact
For European organizations utilizing KubeEdge to manage edge computing infrastructure, this vulnerability can lead to significant operational disruptions. The denial of service on the Cloud AdmissionController can halt the deployment and management of containerized applications at the edge, affecting services that depend on real-time data processing and low-latency operations. This is particularly critical for industries such as manufacturing, telecommunications, smart cities, and critical infrastructure, where edge computing is integral. The disruption could lead to degraded service availability, delayed data processing, and potential cascading failures in distributed systems. Moreover, the inability to manage edge nodes effectively could increase the attack surface for further exploitation. While the vulnerability does not directly compromise data confidentiality or integrity, the availability impact alone can have severe business and operational consequences. Given the growing adoption of edge computing in Europe, especially in countries investing heavily in Industry 4.0 and 5G infrastructure, the threat is material and warrants prompt attention.
Mitigation Recommendations
European organizations should prioritize upgrading KubeEdge deployments to 1.11.1, 1.10.2, 1.9.4, or a later release, where the vulnerability is patched. Since no workaround exists, patching is the primary mitigation. In addition, network-level protections such as rate limiting and request size limits in front of the AdmissionController endpoints can stop excessively large HTTP requests before they reach the service. Web Application Firewalls (WAFs) or API gateways with payload inspection can detect and block request patterns indicative of resource exhaustion attempts. Monitoring resource utilization and alerting on unusual spikes in CPU or memory usage on the AdmissionController enables early detection of exploitation attempts. Segmenting edge management networks and restricting access to the AdmissionController endpoints to trusted sources reduces exposure. Finally, organizations should fold this vulnerability into their incident response plans and assess their edge computing environments regularly.
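As an added illustration (not KubeEdge's own code), the following Go snippet puts the unbounded-read pattern behind the CWE-400 described above beside a handler that bounds the body with `http.MaxBytesReader` and answers 413, which is the "request size restriction" the mitigation above asks for, applied in the service itself. The 1 MiB cap, the handler names and the `admissionPayload` type are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxAdmissionBody is an assumed cap; admission review payloads are normally kilobytes.
const maxAdmissionBody = 1 << 20 // 1 MiB

// admissionPayload is a constructed stand-in for the admission review structure.
type admissionPayload struct{ Kind string `json:"kind"` }

// vulnerableHandler shows the CWE-400 pattern: the whole body is buffered with no
// bound, so the client decides how much memory each request costs the server.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	parseAndRespond(w, body)
}

// hardenedHandler caps the body: http.MaxBytesReader stops reading at the limit,
// returns an error, and has the server close the connection afterwards.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxAdmissionBody))
	if err != nil { // the limit is the only read failure for an in-memory body
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	parseAndRespond(w, body)
}

// parseAndRespond decodes the (now bounded) body; malformed JSON is a plain 400.
func parseAndRespond(w http.ResponseWriter, body []byte) {
	var p admissionPayload
	if err := json.Unmarshal(body, &p); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// send posts body to h in-process and returns the HTTP status code.
func send(h http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/admission", strings.NewReader(body)))
	return rec.Code
}
```

The vulnerable handler reads every byte of a 2 MiB body before it can even reject it as bad JSON, while the hardened one stops after the cap; a reverse proxy or gateway limit in front of the service is a second, independent layer of the same control.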
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- CISA Enriched: true