PT-2022-20514 · Kubeedge · Kubeedge
Adam Korczynski +1 · Published 2022-07-11 · Updated 2024-08-21 · CVE-2022-31079
CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
KubeEdge versions prior to 1.11.1
KubeEdge versions prior to 1.10.2
KubeEdge versions prior to 1.9.4
Description
The Cloud Stream server and the Edge Stream server read the entire message into memory without imposing a limit on its size. An attacker can exploit this by sending a large message that exhausts memory and causes a denial of service of the Cloud Stream server and the Edge Stream server. As a consequence of the memory exhaustion, CloudCore and EdgeCore are also subject to denial of service. Only an authenticated user can cause this issue. A deployment is affected only when the cloudStream module is enabled in the config file cloudcore.yaml and the edgeStream module is enabled in the config file edgecore.yaml.
Recommendations
For versions prior to 1.11.1, update to version 1.11.1 or later.
For versions prior to 1.10.2, update to version 1.10.2 or later.
For versions prior to 1.9.4, update to version 1.9.4 or later.
As a temporary workaround, disable the cloudStream module in the config file cloudcore.yaml and disable the edgeStream module in the config file edgecore.yaml, then restart the cloudcore and edgecore processes.
Exploit
Fix
Resource Exhaustion
Allocation of Resources Without Limits
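The missing size limit named in the description, shown as an added Go example that is not KubeEdge code and not its patch: an unbounded read beside a bounded one that rejects oversized messages. The function names, the error value and the 1 MiB cap are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxMessageBytes is an assumed cap for illustration; choose one that fits the real protocol.
const maxMessageBytes = 1 << 20

// ErrMessageTooLarge is returned when a peer sends more than the cap allows.
var ErrMessageTooLarge = errors.New("message exceeds size limit")

// readUnbounded shows the weak pattern: memory use grows with whatever the peer sends.
func readUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readBounded buffers at most limit+1 bytes. Asking for one extra byte lets it
// reject an oversized message instead of silently truncating it.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	if limit < 0 {
		return nil, errors.New("negative limit")
	}
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrMessageTooLarge
	}
	return data, nil
}

func main() {
	// Constructed sample inputs: one small message, one a single byte over the cap.
	small := strings.NewReader("hello from the edge")
	large := strings.NewReader(strings.Repeat("A", maxMessageBytes+1))

	if msg, err := readBounded(small, maxMessageBytes); err == nil {
		fmt.Printf("accepted %d bytes\n", len(msg))
	}
	if _, err := readBounded(large, maxMessageBytes); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

For HTTP request bodies, the standard library's http.MaxBytesReader applies the same kind of cap at the handler level.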
Related Identifiers
Affected Products
Kubeedge