PT-2022-20510 · Kubeedge · Kubeedge

Adam Korczynski +1

Published 2022-07-11 · Updated 2024-08-21 · CVE-2022-31075

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: KubeEdge versions prior to 1.11.1; KubeEdge versions prior to 1.10.2; KubeEdge versions prior to 1.9.4

Description: EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker sends a well-crafted HTTP request to "/edge.crt". If the request has a very large body, it can crash the HTTP service through a memory exhaustion vector. The request body is read into memory in full, so a body larger than the available memory can lead to a successful attack. Only authorized users can perform this attack, as the request must pass through authorization. The consequence of the exhaustion is that CloudHub will be in denial of service. This issue affects KubeEdge only when the CloudHub module is enabled in the file cloudcore.yaml.

Recommendations: For versions prior to 1.11.1, update to version 1.11.1 or later. For versions prior to 1.10.2, update to version 1.10.2 or later. For versions prior to 1.9.4, update to version 1.9.4 or later. As a temporary workaround, disable the CloudHub switch in the config file cloudcore.yaml.
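The weakness described above is an HTTP handler that buffers the whole request body in memory with no size limit. The following is an added illustration in Go, not code from KubeEdge or its fix: the unbounded read beside a bounded variant using the standard library's http.MaxBytesReader, driven by a constructed in-memory request. The handler name, the 1 MiB cap and the 413 response are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxCertRequestBody caps how much request body the handler will buffer.
// The value is an assumption for this example, not a KubeEdge setting.
const maxCertRequestBody = 1 << 20 // 1 MiB

// readBodyUnbounded is the risky pattern: the whole body is buffered in memory
// no matter how large it is, so body size translates directly into memory use.
func readBodyUnbounded(r *http.Request) ([]byte, error) {
	return io.ReadAll(r.Body)
}

// readBodyBounded wraps the body so that reading fails with *http.MaxBytesError
// once the cap is exceeded; the server also closes the connection afterwards.
func readBodyBounded(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxCertRequestBody)
	return io.ReadAll(r.Body)
}

// certHandler is a hypothetical stand-in for an endpoint such as "/edge.crt".
func certHandler(w http.ResponseWriter, r *http.Request) {
	body, err := readBodyBounded(w, r)
	if err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// StatusForBody sends a constructed request with a body of the given size to
// certHandler and returns the resulting HTTP status code.
func StatusForBody(size int) int {
	body := strings.NewReader(strings.Repeat("A", size))
	req := httptest.NewRequest(http.MethodGet, "/edge.crt", body)
	rec := httptest.NewRecorder()
	certHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(StatusForBody(1024), StatusForBody(2*maxCertRequestBody)) // 200 413
}
```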

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2022-31075
GHSA-X3PX-2P95-F6JR
GO-2022-0509

Affected Products

Kubeedge