CVE-2023-25153: 
Docker Compose vulnerability analysis and mitigation

A vulnerability was discovered in containerd (CVE-2023-25153) where when importing an OCI image, there was no limit on the number of bytes read for certain files. The vulnerability was discovered by David Korczynski and Adam Korczynski of ADA Logics during a security fuzzing audit sponsored by CNCF. The issue was fixed in containerd versions 1.5.18 and 1.6.18, released on February 16, 2023 (GitHub Advisory).

The vulnerability stems from the lack of byte reading limits when processing certain files during OCI image imports. The fix implemented in the patch involves adding a limit to the JSON decoder by using io.LimitReader with a 20MiB limit for processing JSON files (Containerd Commit). The severity of this vulnerability is rated as Moderate and is categorized under CWE-400 (Uncontrolled Resource Consumption) (GitHub Advisory).

A maliciously crafted image with a large file where a limit was not applied could cause a denial of service, potentially affecting the availability of container services (GitHub Advisory).

The primary mitigation is to update to containerd versions 1.5.18 or 1.6.18, which include the security fix. As a workaround, users should ensure that only trusted images are used and that only trusted users have permissions to import images (GitHub Advisory). Ubuntu users can update their systems to specific package versions: Ubuntu 23.04 (1.6.12-0ubuntu3.1), Ubuntu 22.10 (1.6.12-0ubuntu1~22.10.2), Ubuntu 22.04 (1.6.12-0ubuntu1~22.04.3), Ubuntu 20.04 (1.6.12-0ubuntu1~20.04.3) (Ubuntu Notice).