
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-23648 is a security vulnerability discovered in containerd, affecting versions prior to 1.6.1, 1.5.10, and 1.4.13. The vulnerability was reported by Felix Wilhelm of Google's Project Zero on November 22, 2021, and patched on March 2, 2022. The issue affects containerd's CRI (Container Runtime Interface) implementation, which is commonly used in Kubernetes environments (CrowdStrike Blog, GitHub Advisory).
The vulnerability resides in containerd's CRI plugin that handles OCI image specifications containing 'Volumes'. The issue stems from the plugin's failure to validate paths in the Config.Volumes field before using them in runtime mounts. An attacker can exploit this by adding a Volume whose path contains path traversal to the image, causing arbitrary files from the host to be copied into paths mounted in the container. The vulnerability exists in the copyExistingContents function, where the attacker-controlled volume path is used as the copy source (CrowdStrike Blog).
When exploited, this vulnerability allows containers launched through containerd's CRI implementation with specially-crafted image configurations to gain access to read-only copies of arbitrary files and directories on the host. This can bypass policy-based enforcement on container setup, including Kubernetes Pod Security Policies, potentially exposing sensitive information (GitHub Advisory).
The primary mitigation is to upgrade to the patched versions: containerd 1.6.1, 1.5.10, or 1.4.13. If immediate patching is not possible, users should ensure that only trusted images are used in their environment. The CrowdStrike Falcon platform provides additional protection by identifying image blob configurations with path traversal in Volume paths and preventing malicious images from being deployed to the cluster (Crowdstrike Blog, GitHub Advisory).
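The check described above, flagging image configurations whose Volume paths traverse out of the container root, can be expressed as a small admission-time scan. The following Go program is an added example written for this page; it is not code from containerd, CrowdStrike, or Wiz. It parses the `config.Volumes` keys of an OCI image configuration, joins each one onto a placeholder rootfs directory (`/var/lib/containerd/rootfs`, an assumption chosen for illustration), and rejects any key that resolves outside that directory. The sample configuration is constructed for the example, and the containment rule is a defensive approximation of what a runtime must enforce, not a reproduction of the upstream patch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// imageConfig mirrors the slice of the OCI image configuration that matters here:
// config.Volumes is a map whose keys are the volume paths (values are empty objects).
type imageConfig struct {
	Config struct {
		Volumes map[string]struct{} `json:"Volumes"`
	} `json:"config"`
}

// rootfs is a placeholder for the directory a runtime would mount the container
// root at; the real location varies and does not affect the containment check.
const rootfs = "/var/lib/containerd/rootfs"

// sampleConfig is a constructed image config: one legitimate volume and two whose
// keys climb out of the rootfs with ".." components.
const sampleConfig = `{
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "Volumes": {
      "/var/lib/app": {},
      "/../../../../../etc": {},
      "/data/../../../../../../root": {}
    }
  }
}`

// isContainedIn reports whether joining vol onto root still resolves inside root.
// filepath.Join cleans the result, so ".." components are resolved rather than
// compared textually. Keys that are not absolute are rejected as malformed, on the
// assumption that OCI volume keys are absolute container paths.
func isContainedIn(root, vol string) bool {
	if !filepath.IsAbs(vol) {
		return false
	}
	joined := filepath.Join(root, vol)
	return joined == root || strings.HasPrefix(joined, root+string(filepath.Separator))
}

// unsafeVolumePaths parses an image config and returns, sorted, every Volumes key
// that would escape rootfs. An empty slice means the config passes this check.
func unsafeVolumePaths(configJSON []byte) ([]string, error) {
	var cfg imageConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse image config: %w", err)
	}
	bad := []string{}
	for vol := range cfg.Config.Volumes {
		if !isContainedIn(rootfs, vol) {
			bad = append(bad, vol)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	bad, err := unsafeVolumePaths([]byte(sampleConfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(bad) == 0 {
		fmt.Println("no volume path traversal found")
		return
	}
	for _, v := range bad {
		fmt.Printf("REJECT: volume %q resolves outside %s (to %s)\n", v, rootfs, filepath.Join(rootfs, v))
	}
}
```

Run against the embedded sample, the program reports the two traversing keys and accepts `/var/lib/app`. Because this scan inspects only the image configuration, it cannot see symlinks planted inside an untrusted image's filesystem; a runtime that copies or mounts volume contents must additionally resolve the path on disk before using it as a source. Upgrading to the patched containerd versions remains the actual fix; a check like this belongs in an image admission pipeline as defense in depth.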
Source: This report was generated using AI