CVE-2023-25153
Denial of Service vulnerability in containerd (Go)
What is CVE-2023-25153 About?
This vulnerability is a denial-of-service flaw in OCI image import, caused by an unbounded read from an io.Reader. A large, maliciously crafted image can exhaust system resources, and producing such a payload is relatively easy.
Affected Software
- github.com/containerd/containerd
  - >1.6.0, <1.6.18
  - <1.5.18
Technical Details
The vulnerability occurs during the import process of an OCI (Open Container Initiative) image. Specifically, the ImportIndex function, which takes an io.Reader as input, lacks a mechanism to limit the number of bytes read from this reader. An attacker can provide a very large or maliciously constructed OCI image via this io.Reader. As the system attempts to import and process this oversized input without byte limits, it consumes excessive memory or disk resources, leading to a denial of service condition by exhausting available system resources.
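The bounded-read pattern that the missing limit calls for, as an added example (not containerd's code or its actual patch): it extracts `index.json` from an image tar stream under a byte cap and fails closed when the entry is larger. It assumes the import stream is a tar archive in the OCI image layout; `readIndexBounded`, `archive`, `ErrTooLarge` and the 1 KiB cap are hypothetical, and the archives are constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("import: index.json exceeds size limit")

// readIndexBounded returns index.json from a tar stream, buffering at most limit bytes.
func readIndexBounded(r io.Reader, limit int64) ([]byte, error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err != nil {
			return nil, err // io.EOF here means index.json was not in the stream
		}
		if hdr.Name != "index.json" {
			continue
		}
		// Ask for limit+1 bytes so "exactly limit" and "over limit" differ.
		data, err := io.ReadAll(io.LimitReader(tr, limit+1))
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > limit {
			return nil, ErrTooLarge // fail closed; never parse a truncated document
		}
		return data, nil
	}
}

// archive builds a constructed in-memory tar with a single entry (sample input).
func archive(name string, body []byte) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return &buf
}

func main() {
	_, err := readIndexBounded(archive("index.json", bytes.Repeat([]byte("A"), 4<<10)), 1<<10)
	fmt.Println(err) // the 4 KiB entry is rejected under the 1 KiB cap
}
```

The cap here covers one entry only; a real importer also needs a budget for the stream as a whole.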
What is the Impact of CVE-2023-25153?
Successful exploitation may allow attackers to cause a denial of service, leading to system unresponsiveness or crashes.
What is the Exploitability of CVE-2023-25153?
Exploitation requires the ability to provide a crafted OCI image during the import process. The complexity is low to medium, as it primarily involves creating an oversized or malformed image. There are no explicit authentication or privilege requirements mentioned for the act of importing, though access to an import function is necessary. This is likely a remote attack if the OCI image can be supplied over a network. The main constraint is the availability of an OCI image import function to a potential attacker. Risk factors include systems that automatically process OCI images from untrusted sources or allow authenticated users to import images without proper size validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-25153?
Available Upgrade Options
- github.com/containerd/containerd
  - <1.5.18 → Upgrade to 1.5.18
- github.com/containerd/containerd
  - >1.6.0, <1.6.18 → Upgrade to 1.6.18
Additional Resources
- https://osv.dev/vulnerability/GHSA-259w-8hf6-59c2
- https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4
- https://github.com/containerd/containerd/releases/tag/v1.6.18
- https://github.com/containerd/containerd
- https://pkg.go.dev/vuln/GO-2023-1573
- https://github.com/containerd/containerd/releases/tag/v1.5.18
- https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
- https://nvd.nist.gov/vuln/detail/CVE-2023-25153
What are Similar Vulnerabilities to CVE-2023-25153?
Similar Vulnerabilities: CVE-2022-42004, CVE-2023-26144, CVE-2023-1370, CVE-2022-36944, CVE-2020-14195
