CVE-2023-2253: Input Validation
First published: Wed Apr 26 2023(Updated: )
### Impact Systems that run `distribution` built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious `/v2/_catalog` API endpoint request. ### Patches Upgrade to at least 2.8.2-beta.1 if you are running `v2.8.x` release. If you use the code from the main branch, update at least to the commit after [f55a6552b006a381d9167e328808565dd2bf77dc](https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc). ### Workarounds There is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section. ### References `/v2/_catalog` endpoint accepts a parameter to control the maximum amount of records returned (query string: `n`). When not given the default `n=100` is used. The server trusts that `n` has an acceptable value, however when using a maliciously large value, it allocates an array/slice of `n` of strings before filling the slice with data. This behaviour was introduced ~7yrs ago [1]. ### Recommendation The `/v2/_catalog` endpoint was designed specifically to do registry syncs with search or other API systems. Such an endpoint would create a lot of load on the backend system, due to overfetch required to serve a request in certain implementations. Because of this, we strongly recommend keeping this API endpoint behind heightened privilege and avoiding leaving it exposed to the internet. ### For more information If you have any questions or comments about this advisory: * Open an issue in [distribution repository](https://github.com/distribution/distribution) * Email us at [cncf-distribution-security@lists.cncf.io](mailto:cncf-distribution-security@lists.cncf.io) [1] [faulty commit](https://github.com/distribution/distribution/blob/b7e26bac741c76cb792f8e14c41a2163b5dae8df/registry/handlers/catalog.go#L45)
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/docker/distribution | <2.8.2-beta.1 | 2.8.2-beta.1 |
| debian/docker-registry | <=2.6.2~ds1-2 | 2.6.2~ds1-2+deb10u1 2.7.1+ds2-7+deb11u1 2.8.2+ds1-1 |
| ubuntu/docker-registry | <2.8.2+ | 2.8.2+ |
| ubuntu/docker-registry | <2.8.0+ | 2.8.0+ |
| ubuntu/docker-registry | <2.8.1+ | 2.8.1+ |
| ubuntu/docker-registry | <2.6.2~ | 2.6.2~ |
| ubuntu/docker-registry | <2.3.0~ | 2.3.0~ |
| ubuntu/docker-registry | <2.7.1+ | 2.7.1+ |
| redhat/distribution | <2.8.2 | 2.8.2 |
| IBM Cloud Pak for Business Automation | <=V23.0.1 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF022 | |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF006 and later fixesV22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes | |
| Redhat Openshift Api For Data Protection | ||
| Redhat Openshift Container Platform | =4.0 | |
| Redhat Openshift Developer Tools And Services |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2189886
- https://lists.debian.org/debian-lts-announce/2023/06/msg00035.html
- https://github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmw
- https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc
- https://nvd.nist.gov/vuln/detail/CVE-2023-2253
- https://github.com/advisories/GHSA-hqxw-f8mx-cpmw (Advisory)
- https://launchpad.net/bugs/cve/CVE-2023-2253
- https://github.com/distribution/distribution/commit/521ea3d973cb0c7089ebbcdd4ccadc34be941f54
- https://www.openwall.com/lists/oss-security/2023/05/09/1
- https://security-tracker.debian.org/tracker/CVE-2023-2253
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2253
- https://ubuntu.com/security/notices/USN-6336-1
- https://ubuntu.com/security/CVE-2023-2253
- https://access.redhat.com/errata/RHSA-2023:4091
- https://access.redhat.com/security/cve/cve-2023-2253
- https://access.redhat.com/errata/RHSA-2023:5155
- https://access.redhat.com/errata/RHSA-2023:5314
- https://access.redhat.com/errata/RHSA-2023:5390
- https://access.redhat.com/errata/RHSA-2023:5697
- https://exchange.xforce.ibmcloud.com/vulnerabilities/254846
- https://www.ibm.com/support/pages/node/7015271 (Advisory)
Frequently Asked Questions
What is CVE-2023-2253?
CVE-2023-2253 is a vulnerability in the distribution/distribution software that allows a malicious user to cause a denial of service through improper input validation.
What is the severity of CVE-2023-2253?
CVE-2023-2253 has a severity rating of 7.5, which is considered high.
How does CVE-2023-2253 work?
CVE-2023-2253 works by accepting an unreasonably large value for the 'n' parameter in the '/v2/_catalog' endpoint, leading to the allocation of a massive amount of memory and causing a denial of service.
Is there a fix for CVE-2023-2253?
Yes, the vulnerability can be fixed by updating to version 2.8.2 or higher of the docker-registry package.
Where can I find more information about CVE-2023-2253?
More information about CVE-2023-2253 can be found at the following references: [CVE-2023-2253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2253), [GitHub Commit](https://github.com/distribution/distribution/commit/521ea3d973cb0c7089ebbcdd4ccadc34be941f54), [Openwall Security Mailing List](https://www.openwall.com/lists/oss-security/2023/05/09/1).
- collector/github-advisory-latest
- alias/GHSA-hqxw-f8mx-cpmw
- alias/CVE-2023-2253
- collector/github-advisory
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- collector/redhat-bugzilla
- source/Red Hat
- agent/weakness
- agent/severity
- agent/event
- agent/description
- agent/references
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- package-manager/go
- package-manager/debian
- package-manager/ubuntu
- package-manager/redhat
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v23.0.1
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if022
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if006 and later fixesv22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes
- vendor/redhat
- canonical/redhat openshift api for data protection
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.0
- canonical/redhat openshift developer tools and services