containerd CRI Attach Implementation Memory Exhaustion Vulnerability

A memory exhaustion vulnerability has been identified in containerd versions 1.7.28 and prior, as well as in the 2.0.0-beta.0 to 2.0.6, 2.1.0-beta.0 to 2.1.4, and 2.2.0-beta.0 to 2.2.0-rc.1 releases. The issue arises from goroutine leaks in the CRI Attach functionality, allowing a user to deplete host memory. This vulnerability can be exploited by making repeated CRI Attach calls, such as through 'kubectl attach', which could lead to increased memory consumption by containerd.

Impact

Exploitation of this vulnerability causes a memory leak on the host, leading to increased memory usage by the containerd process. This can potentially exhaust available system memory, causing performance degradation or application failures.

Remediation

Users can update to containerd versions 1.7.29, 2.0.7, 2.1.5, or 2.2.0 to address this vulnerability. Additionally, an admission controller can be set up to manage access to 'pods/attach' resources as a temporary workaround.