CVE-2022-31075: CWE-400: Uncontrolled Resource Consumption in kubeedge kubeedge

Medium
Published: Mon Jul 11 2022 (07/11/2022, 20:15:12 UTC)
Source: CVE
Vendor/Project: kubeedge
Product: kubeedge

Description

KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge. Prior to versions 1.11.1, 1.10.2, and 1.9.4, EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker were to send a well-crafted HTTP request to `/edge.crt`. If an attacker can send a well-crafted HTTP request to CloudHub, and that request has a very large body, that request can crash the HTTP service through a memory exhaustion vector. The request body is being read into memory, and a body that is larger than the available memory can lead to a successful attack. Because the request would have to make it through authorization, only authorized users may perform this attack. The consequence of the exhaustion is that CloudHub will be in denial of service. KubeEdge is affected only when users enable the CloudHub module in the file `cloudcore.yaml`. This bug has been fixed in KubeEdge 1.11.1, 1.10.2, and 1.9.4. As a workaround, disable the CloudHub switch in the config file `cloudcore.yaml`.

AI-Powered Analysis

Last updated: 06/23/2025, 03:50:56 UTC

Technical Analysis

CVE-2022-31075 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting KubeEdge, an open-source platform designed to extend containerized application orchestration to edge hosts. The vulnerability specifically targets the CloudHub module within KubeEdge versions prior to 1.11.1, 1.10.2, and 1.9.4. CloudHub acts as a communication bridge between cloud and edge components. The flaw arises because CloudHub's HTTP service reads the request body into memory without imposing size limits. An authenticated attacker with permission to send HTTP requests to the `/edge.crt` endpoint can craft a request with an excessively large body, leading to memory exhaustion. This uncontrolled consumption of memory resources causes the CloudHub service to crash, resulting in a denial-of-service (DoS) condition. Exploitation requires the attacker to be authorized, as the request must pass authentication and authorization checks. The vulnerability is only present if the CloudHub module is enabled in the `cloudcore.yaml` configuration file. The issue has been resolved in KubeEdge versions 1.11.1, 1.10.2, and 1.9.4. As a temporary mitigation, disabling the CloudHub module in the configuration file prevents exposure to this attack vector. No known exploits have been reported in the wild to date.

Potential Impact

For European organizations deploying KubeEdge at the edge, this vulnerability poses a risk of service disruption through denial-of-service attacks targeting the CloudHub module. The impact primarily affects availability, potentially interrupting critical edge computing workloads that rely on KubeEdge for orchestration and communication between cloud and edge nodes. This can degrade operational continuity, especially in industries such as manufacturing, telecommunications, smart cities, and critical infrastructure where edge computing is increasingly adopted. Since exploitation requires authenticated access, the risk is somewhat mitigated by existing access controls; however, insider threats or compromised credentials could enable attackers to trigger the DoS. The loss of CloudHub availability may cascade into broader service interruptions, affecting data collection, processing, and real-time decision-making at the edge. European organizations with stringent uptime requirements or those operating in regulated sectors may face compliance and operational challenges if this vulnerability is exploited.

Mitigation Recommendations

1. Upgrade affected KubeEdge deployments to versions 1.11.1, 1.10.2, or 1.9.4 or later, where the vulnerability is patched.
2. If immediate upgrading is not feasible, disable the CloudHub module by setting the corresponding switch to 'off' in the `cloudcore.yaml` configuration file to eliminate the attack surface.
3. Implement strict access controls and monitoring on the CloudHub HTTP endpoint to ensure only trusted and authenticated users can send requests, reducing the risk of malicious exploitation.
4. Enforce network segmentation and firewall rules to limit access to CloudHub services from untrusted networks or users.
5. Monitor resource usage metrics on CloudHub hosts to detect abnormal memory consumption patterns that could indicate attempted exploitation.
6. Conduct regular audits of user credentials and authentication logs to detect potential insider threats or compromised accounts.
7. Consider implementing rate limiting or request size restrictions at the network or application layer to prevent excessively large HTTP request bodies from reaching CloudHub.
8. Incorporate this vulnerability into incident response plans to ensure rapid detection and mitigation in case of exploitation attempts.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9844c4522896dcbf3619

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 3:50:56 AM

Last updated: 8/4/2025, 2:34:22 AM
