Description
Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to terminate. This issue has been resolved in Helm v3.17.3.
A flaw was found in Helm v3. In affected versions, a specially crafted chart archive file can cause Helm to consume all available memory and be terminated out of memory (OOM). The archive can be crafted so that it expands to be significantly larger uncompressed than compressed (for example, more than 800x). When Helm loads such a chart, memory is exhausted and the application terminates.
Statement
Within regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of this vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling; CWE-789: Memory Allocation with Excessive Size Value), and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat applies secure baseline configurations that define memory limits, resource thresholds, and execution parameters across containerized workloads, reducing the risk of uncontrolled resource allocation. Concurrent session controls limit active sessions and resource-heavy operations per user, preventing abuse through amplification or repeated access. System monitoring continuously evaluates memory, CPU, and I/O usage to detect patterns indicative of resource exhaustion or denial-of-service attempts. Memory protection enforces allocation limits and isolated memory spaces to prevent system instability from unbounded requests. Additionally, process isolation keeps workloads contained, so excessive resource use in one container cannot affect others.
Mitigation
To mitigate this vulnerability, ensure that any chart archive file loaded by the Helm client or SDK does not contain files large enough, once decompressed, to exhaust available memory and terminate the process. The issue is resolved upstream in Helm v3.17.3.
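As an added example (not Helm's code, and not the fix shipped in v3.17.3), the following Go program shows the kind of pre-check the mitigation calls for: it streams a .tgz chart through a hard cap on decompressed bytes and compares the expansion ratio against a threshold, without ever buffering entry contents. The limits MaxUncompressedBytes and MaxRatio are illustrative assumptions, and the archives it inspects are constructed in memory, including a zero-padded chart of the kind the description refers to.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Illustrative limits for this example; they are not Helm's own values.
const MaxUncompressedBytes int64 = 16 << 20 // cap on the whole decompressed tar stream
const MaxRatio = 100.0                      // content bytes per compressed archive byte

var ErrArchiveTooLarge = errors.New("chart archive exceeds decompression limits")

// InspectChartArchive streams a gzipped tar chart archive in constant memory: the
// decompressed stream is hard-capped at MaxUncompressedBytes, each entry's content is
// counted as actually read (tar header sizes are untrusted) and discarded, and the
// resulting expansion ratio is checked against MaxRatio.
func InspectChartArchive(tgz []byte) (content int64, ratio float64, err error) {
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return 0, 0, fmt.Errorf("invalid gzip stream: %w", err)
	}
	defer gz.Close()
	// One byte of headroom tells a stream that overruns the cap apart from one ending exactly at it.
	limited := &io.LimitedReader{R: gz, N: MaxUncompressedBytes + 1}
	tr := tar.NewReader(limited)
	for err == nil {
		if _, err = tr.Next(); err == nil {
			var n int64
			n, err = io.Copy(io.Discard, tr) // count the bytes, never buffer them
			content += n
		}
	}
	if limited.N == 0 { // cap exhausted, whatever error tar reported
		return content, 0, ErrArchiveTooLarge
	}
	if err != io.EOF {
		return content, 0, fmt.Errorf("invalid tar stream: %w", err)
	}
	ratio = float64(content) / float64(len(tgz))
	if ratio > MaxRatio {
		return content, ratio, ErrArchiveTooLarge
	}
	return content, ratio, nil
}

// zeros is an endless zero-byte stream; gzip shrinks it by hundreds to one.
type zeros struct{}

func (zeros) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// Constructed sample chart contents (not a real chart).
const chartYAML, valuesYAML = "apiVersion: v2\nname: demo\nversion: 0.1.0\n", "replicaCount: 1\n"

// sampleChart builds a minimal chart .tgz in memory plus a template of `padding` zero
// bytes (0 gives a harmless chart). It panics on writer errors: it only feeds fixtures.
func sampleChart(padding int64) []byte {
	files := []struct{ name string; body io.Reader; size int64 }{
		{"demo/Chart.yaml", strings.NewReader(chartYAML), int64(len(chartYAML))},
		{"demo/values.yaml", strings.NewReader(valuesYAML), int64(len(valuesYAML))},
		{"demo/templates/padding.yaml", zeros{}, padding},
	}
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, f := range files {
		hdr := &tar.Header{Typeflag: tar.TypeReg, Name: f.name, Mode: 0o644, Size: f.size}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.CopyN(tw, f.body, f.size); err != nil {
			panic(err)
		}
	}
	if err := errors.Join(tw.Close(), gz.Close()); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	for _, padding := range []int64{0, 4 << 20, 32 << 20} {
		tgz := sampleChart(padding)
		content, ratio, err := InspectChartArchive(tgz)
		fmt.Printf("padding=%-9d compressed=%-6d content=%-9d ratio=%-5.0f err=%v\n", padding, len(tgz), content, ratio, err)
	}
}
```

The harmless chart passes, the 4 MiB zero-padded chart stays under the byte cap but is rejected on ratio, and the 32 MiB one is rejected as soon as the cap is hit, long before its contents are fully decompressed. Two details matter for a check like this: the tar header's Size field is not trusted (bytes are counted as they are actually read), and the ratio is only a secondary signal, since a large enough legitimately compressible archive can trip it; the byte cap is what bounds memory.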
Affected Packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Fix deferred | | |
cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Fix deferred | | |
Deployment Validation Operator | deployment-validation-operator-container | Fix deferred | | |
Multicluster Engine for Kubernetes | multicluster-engine/addon-manager-rhel9 | Fix deferred | | |
Multicluster Engine for Kubernetes | multicluster-engine/backplane-rhel9-operator | Fix deferred | | |
Multicluster Engine for Kubernetes | multicluster-engine/cluster-proxy-rhel9 | Fix deferred | | |
Multicluster Engine for Kubernetes | multicluster-engine/hypershift-addon-rhel9-operator | Fix deferred | | |
Multicluster Engine for Kubernetes | multicluster-engine/managed-serviceaccount-rhel8 | Fix deferred | | |
Multicluster Engine for Kubernetes | multicluster-engine/multicloud-manager-rhel8 | Fix deferred | | |
Multicluster Engine for Kubernetes | multicluster-engine/placement-rhel8 | Fix deferred | | |
Additional information
CVSS3: 6.5 Medium
Related vulnerabilities
Helm Allows A Specially Crafted Chart Archive To Cause Out Of Memory Termination