The containerd community recently disclosed two vulnerabilities, CVE-2023-25153 and CVE-2023-25173, both rated medium severity.

  • CVE-2023-25153: When an Open Container Initiative (OCI) image is imported, no limit is placed on the number of bytes read from certain files in the image. An attacker who can get a crafted image imported, one that contains a large file for which no limit applies, can exhaust memory on the node and cause a denial of service (DoS).
  • CVE-2023-25173: Supplementary groups are not set up correctly inside a container. A user who has direct access to a container and manipulates their supplementary group access can, in some cases, use that access to bypass primary-group restrictions and read sensitive information or execute code in the container.

Scope of impact

Important
  • Nodes that use the containerd runtime are affected by both CVE-2023-25153 and CVE-2023-25173.
  • Applications that use the containerd client library are affected by CVE-2023-25173.

The following containerd versions are affected:

  • 1.6.0 to 1.6.17
  • ≤ 1.5.17

These vulnerabilities are fixed in the following containerd versions:

  • 1.6.18
  • 1.5.18

Mitigation

You can use the following methods to mitigate the impact of the vulnerabilities:

  • Enable the ACKAllowedRepos policy provided by the policy governance feature of Container Service for Kubernetes (ACK) so that only images from trusted repositories can run in the cluster. In addition, follow the principle of least privilege and grant the permission to import images only to trusted users. For more information, see Configure and enforce ACK pod security policies.
  • Until containerd is upgraded, do not use the USER $USERNAME instruction when you build images with Dockerfiles. Instead, leave the image running as root at start and set the entrypoint to the form ENTRYPOINT ["su", "-", "user"], so that su, which calls initgroups, sets up the supplementary groups itself rather than relying on the runtime.
  • Watch the ACK release notes and upgrade containerd to a fixed version as soon as possible. For more information about containerd releases, see Release notes for containerd.
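The following POSIX shell script is an added example; it is not code from this advisory, from containerd, or from ACK. It puts two parts of the page into checkable form: a classifier for the affected version ranges listed under Scope of impact (fed from `containerd --version` output), and a Dockerfile that applies the su-based workaround from the Mitigation list. The `containerd --version` output lines, the image base, and the user and group names (app, appgroup, logreaders) are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or containerd): classify a node's
# containerd version against the affected ranges and emit the Dockerfile
# workaround for CVE-2023-25173.

# Extract the bare version from `containerd --version` output. The two
# common shapes (constructed samples, the hashes are placeholders) are:
#   containerd containerd.io 1.6.17 <commit>                       (containerd.io packages)
#   containerd github.com/containerd/containerd v1.6.17 <commit>   (upstream builds)
# The version is the third whitespace-separated field; a leading "v" and any
# pre-release or build suffix such as "-rc.1" or "+unknown" are dropped.
containerd_version_from_output() {
    printf '%s\n' "$1" | awk '{print $3}' | sed -e 's/^v//' -e 's/[-+].*$//'
}

# Return 0 (true) when VERSION falls in an affected range from the advisory:
# 1.6.0 .. 1.6.17, or anything <= 1.5.17 (1.5.x below 1.5.18 and every earlier
# minor). 1.6.18+, 1.5.18+ and newer minors (1.7+) are reported as not affected.
containerd_affected() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Tolerate two-component versions such as "1.6" by treating patch as 0.
    [ "$patch" = "$rest" ] && patch=0
    case "$major.$minor" in
        1.6) [ "$patch" -lt 18 ] ;;
        1.5) [ "$patch" -lt 18 ] ;;
        *)
            # Every minor below 1.5 is <= 1.5.17; 1.7 and later are outside
            # the listed affected range.
            if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 5 ]; }; then
                return 0
            fi
            return 1
            ;;
    esac
}

# Emit a Dockerfile that applies the documented workaround: the image stays
# root at start and `su -` switches to the unprivileged user, so initgroups()
# populates the supplementary groups from /etc/group instead of relying on
# the runtime. Base image, user and group names are illustrative.
print_workaround_dockerfile() {
    cat <<'EOF'
FROM alpine:3.17
RUN addgroup -S appgroup && addgroup -S logreaders \
 && adduser -S -G appgroup app \
 && addgroup app logreaders
# Pattern to avoid until containerd is upgraded:
# USER app
# Workaround: remain root here and drop privileges via su, which calls
# initgroups() and therefore sets up the supplementary groups itself.
ENTRYPOINT ["su", "-", "app"]
# Arguments after the user name are passed to the login shell, so this CMD
# makes the container run `su - app -c id`.
CMD ["-c", "id"]
EOF
}

# Usage on a node:
#   containerd_affected "$(containerd_version_from_output "$(containerd --version)")" \
#       && echo "affected: upgrade containerd" || echo "not in the affected range"
# Verify the workaround image:
#   print_workaround_dockerfile > Dockerfile && docker build -t su-workaround . \
#       && docker run --rm su-workaround
# The `id` output should list both appgroup and logreaders under groups=.
```

The script deliberately parses the version rather than comparing strings, so 1.6.18 is not mistaken for "less than" 1.6.9, and it treats 1.7 and later as outside the listed ranges rather than as fixed or affected, since the advisory lists only 1.5.18 and 1.6.18 as fixed releases. Run the `id` check with the image built from the emitted Dockerfile on a node before and after upgrading containerd; on a patched runtime the same groups appear with or without the su indirection.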