CVE-2022-31075: CWE-400: Uncontrolled Resource Consumption in kubeedge kubeedge
KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker were to send a well-crafted HTTP request to `/edge.crt`. If an attacker can send a well-crafted HTTP request to CloudHub, and that request has a very large body, that request can crash the HTTP service through a memory exhaustion vector. The request body is read into memory, and a body that is larger than the available memory can lead to a successful attack. Because the request would have to make it through authorization, only authorized users may perform this attack. The consequence of the exhaustion is that CloudHub will be in denial of service. KubeEdge is affected only when users enable the CloudHub module in the file `cloudcore.yaml`. This bug has been fixed in KubeEdge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the CloudHub switch in the config file `cloudcore.yaml`.
AI Analysis
Technical Summary
CVE-2022-31075 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting KubeEdge, an open-source platform designed to extend containerized application orchestration to edge hosts. The vulnerability specifically targets the CloudHub module within KubeEdge versions prior to 1.11.1, 1.10.2, and 1.9.4. CloudHub acts as a communication bridge between cloud and edge components. The flaw arises because CloudHub's HTTP service reads the request body into memory without imposing size limits. An authenticated attacker with permission to send HTTP requests to the `/edge.crt` endpoint can craft a request with an excessively large body, leading to memory exhaustion. This uncontrolled consumption of memory resources causes the CloudHub service to crash, resulting in a denial-of-service (DoS) condition. Exploitation requires the attacker to be authorized, as the request must pass authentication and authorization checks. The vulnerability is only present if the CloudHub module is enabled in the `cloudcore.yaml` configuration file. The issue has been resolved in KubeEdge versions 1.11.1, 1.10.2, and 1.9.4. As a temporary mitigation, disabling the CloudHub module in the configuration file prevents exposure to this attack vector. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations deploying KubeEdge at the edge, this vulnerability poses a risk of service disruption through denial-of-service attacks targeting the CloudHub module. The impact primarily affects availability, potentially interrupting critical edge computing workloads that rely on KubeEdge for orchestration and communication between cloud and edge nodes. This can degrade operational continuity, especially in industries such as manufacturing, telecommunications, smart cities, and critical infrastructure where edge computing is increasingly adopted. Since exploitation requires authenticated access, the risk is somewhat mitigated by existing access controls; however, insider threats or compromised credentials could enable attackers to trigger the DoS. The loss of CloudHub availability may cascade into broader service interruptions, affecting data collection, processing, and real-time decision-making at the edge. European organizations with stringent uptime requirements or those operating in regulated sectors may face compliance and operational challenges if this vulnerability is exploited.
Mitigation Recommendations
1. Upgrade affected KubeEdge deployments to versions 1.11.1, 1.10.2, or 1.9.4 or later, where the vulnerability is patched.
2. If immediate upgrading is not feasible, disable the CloudHub module by setting the corresponding switch to 'off' in the `cloudcore.yaml` configuration file to eliminate the attack surface.
3. Implement strict access controls and monitoring on the CloudHub HTTP endpoint to ensure only trusted and authenticated users can send requests, reducing the risk of malicious exploitation.
4. Enforce network segmentation and firewall rules to limit access to CloudHub services from untrusted networks or users.
5. Monitor resource usage metrics on CloudHub hosts to detect abnormal memory consumption patterns that could indicate attempted exploitation.
6. Conduct regular audits of user credentials and authentication logs to detect potential insider threats or compromised accounts.
7. Consider implementing rate limiting or request size restrictions at the network or application layer to prevent excessively large HTTP request bodies from reaching CloudHub.
8. Incorporate this vulnerability into incident response plans to ensure rapid detection and mitigation in case of exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9844c4522896dcbf3619
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 3:50:56 AM
Last updated: 7/24/2025, 9:01:01 AM