CVE-2020-16843: Firecracker v0.20.0, v0.21.0 and v0.21.1 network stack can freeze under heavy ingress traffic #2057
Labels: Type: Bug
Comments
amshinde added a commit to amshinde/kata-runtime that referenced this issue on Dec 3, 2020:
In addition to features related to gathering metrics around several data-points, the releases leading to this release carry a few security fixes. Let's update to the latest firecracker release. References: firecracker-microvm/firecracker#2057 firecracker-microvm/firecracker#2177 Fixes: kata-containers#3095 Signed-off-by: Archana Shinde <[email protected]>
amshinde added a commit to amshinde/kata-runtime that referenced this issue on Dec 9, 2020:
Release included important security updates. References: firecracker-microvm/firecracker#2057 firecracker-microvm/firecracker#2177 Fixes: kata-containers#3095 Signed-off-by: Archana Shinde <[email protected]>
amshinde added a commit to amshinde/kata-runtime that referenced this issue on Dec 9, 2020:
Release included important security updates. References: firecracker-microvm/firecracker#2057 firecracker-microvm/firecracker#2177 Fixes: kata-containers#3095 Signed-off-by: Archana Shinde <[email protected]> (cherry picked from commit 11c8c19)
amshinde added a commit to amshinde/kata-runtime that referenced this issue on Dec 11, 2020:
Release included important security updates. References: firecracker-microvm/firecracker#2057 firecracker-microvm/firecracker#2177 Fixes: kata-containers#3095 Depends-on: github.com/kata-containers/osbuilder#508 (cherry picked from commit 11c8c19) Signed-off-by: Archana Shinde <[email protected]>
amshinde added a commit to amshinde/kata-runtime that referenced this issue on Dec 23, 2020:
Release included important security updates. References: firecracker-microvm/firecracker#2057 firecracker-microvm/firecracker#2177 Fixes: kata-containers#3095 (cherry picked from commit 11c8c19) Signed-off-by: Archana Shinde <[email protected]>
Looks like everything here has been resolved for a few months.
We have identified an issue in the Firecracker v0.20.0, v0.21.0 and v0.21.1 virtio-net emulation.
Issue Description
Under heavy network ingress traffic, when the host TAP interface's receive queue is not drained and the guest virtio-net device's receive queue is full, the microVM network interface ingress can freeze. There is no possibility to recover from this state, resulting in a denial of service on the microVM when it is configured with a single network interface, and causing an availability problem for the microVM network interface on which the issue is triggered.
This issue is difficult to reproduce with TCP traffic. The TCP congestion algorithm makes it harder to fill both the TAP interface and virtio receive queues.
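As an added illustration, not Firecracker's code and not the actual defect or fix in the affected releases, the hypothetical Rust model below reproduces the failure shape the description outlines: the device parks a frame when the guest RX queue is full and stops reading the TAP, and a guest-side handler that does not hand over the parked frame when buffers come back leaves ingress frozen even though both queues now have room. The names `RxPath`, `ingress` and `guest_posts_buffers` are assumptions made for this example.

```rust
// Hypothetical model (not Firecracker's code): frames queue in a bounded host TAP queue
// and are copied into RX buffers posted by the guest; two variants of the guest handler.
use std::collections::VecDeque;

pub struct RxPath {
    tap: VecDeque<u32>,    // frames waiting in the host TAP receive queue
    tap_cap: usize,        // TAP queue depth; arrivals beyond it are dropped
    guest_free: usize,     // empty RX buffers the guest has posted
    deferred: Option<u32>, // frame taken from the TAP while no guest buffer was free
    tap_armed: bool,       // device still listens for "TAP readable" events
    delivered: Vec<u32>,   // frames handed to the guest, in order
    fixed: bool,           // use the corrected guest-side handler
}

impl RxPath {
    pub fn new(tap_cap: usize, guest_free: usize, fixed: bool) -> Self {
        RxPath { tap: VecDeque::new(), tap_cap, guest_free, deferred: None,
                 tap_armed: true, delivered: Vec::new(), fixed }
    }

    /// Host side: a frame arrives on the TAP; false means the TAP queue was full.
    pub fn ingress(&mut self, frame: u32) -> bool {
        if self.tap.len() >= self.tap_cap { return false; }
        self.tap.push_back(frame);
        if self.tap_armed { self.on_tap_readable(); }
        true
    }

    /// Device handler for "TAP readable": move frames into guest buffers while possible.
    fn on_tap_readable(&mut self) {
        while self.deferred.is_none() {
            let f = match self.tap.pop_front() { Some(f) => f, None => return };
            if self.guest_free > 0 { self.guest_free -= 1; self.delivered.push(f); }
            else { self.deferred = Some(f); self.tap_armed = false; } // park it, stop reading TAP
        }
    }

    /// Guest handler: the guest consumed frames and returned `n` buffers to its RX queue.
    pub fn guest_posts_buffers(&mut self, n: usize) {
        self.guest_free += n;
        self.tap_armed = true;
        if self.fixed && self.guest_free > 0 {
            // Corrected: hand over the parked frame first so the drain loop can run again.
            if let Some(f) = self.deferred.take() { self.guest_free -= 1; self.delivered.push(f); }
        }
        // Buggy variant only re-arms the TAP: with a frame still parked the loop below exits
        // at once, the TAP fills, and no later event makes progress. Ingress is frozen.
        self.on_tap_readable();
    }
    pub fn delivered(&self) -> usize { self.delivered.len() }
}
```

With a 4-deep TAP queue and 2 guest buffers, the buggy variant stays at two delivered frames no matter how many buffers the guest later posts, while the fixed variant drains the TAP backlog and accepts new traffic again.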
Impact
When this issue is triggered, the guest kernel network interface will no longer receive packets.
Vulnerable Systems
Firecracker releases v0.20.0, v0.21.0 and v0.21.1 are affected.
Mitigation
Patched binaries mitigating this issue have been released as Firecracker v0.20.1[1] and Firecracker v0.21.2[2].
If you are using Firecracker v0.20.0, v0.21.0 or v0.21.1, we recommend you apply the provided fix. If you are using Firecracker v0.19.1 or below, you do not need to take any action.
[1] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.20.1
[2] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.21.2