CI Operators:
Kubernetes has announced three vulnerabilities [1,2,3] in the ingress-nginx controller [4]. All three vulnerabilities have been rated as "High" severity.
Impact:
Each of the three vulnerabilities enables an attacker to obtain the credentials of the ingress-nginx controller (each via a different mechanism). In a default configuration, those credentials have access to all secrets in the cluster.
Affected Software:
ingress-nginx < v1.8.0 for CVE-2022-4886
ingress-nginx < v1.9.0 for CVE-2023-5043 and CVE-2023-5044
Recommendation:
Update your Kubernetes ingress-nginx controller to v1.9.0 (or later) as soon as possible. To mitigate the issue, Ingress Administrators can set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields. Also, Ingress Administrators should allow pathType to be only Exact or Prefix, not ImplementationSpecific. See the "Mitigation" section of [1] for more information.
Note: if your Kubernetes cluster does not rely on the ingress-nginx controller, you are not affected. If you are running the “chrooted” ingress-nginx controller introduced in v1.2.0, command execution is possible but credential extraction is not, so the High severity does not apply.
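The following script is an added example (not Trusted CI's or the ingress-nginx project's code) that turns the Affected Software and Recommendation sections above into an audit you can run against your own cluster: it reports which of the three CVEs still apply to a given controller version (using the fixed versions listed above), and it walks an Ingress list in the shape produced by "kubectl get ingress -A -o json" to flag any path whose pathType is not Exact or Prefix and any Ingress that carries ingress-nginx annotations (so you can confirm --enable-annotation-validation is set on the controller). It assumes the controller's annotations use the "nginx.ingress.kubernetes.io/" prefix and treats a missing pathType as ImplementationSpecific; the embedded Ingress list is constructed sample data, not output from a real cluster.

```python
"""Audit helper for the ingress-nginx advisory (added example, not the advisory's own code).

Checks (a) whether a controller version predates the fixed releases named in the
advisory and (b) whether Ingress objects use a pathType other than Exact/Prefix or
carry ingress-nginx annotations that --enable-annotation-validation should cover.
"""
import json
import re

# First fixed release per CVE, as stated in the advisory's Affected Software section.
FIXED_IN = {
    "CVE-2022-4886": (1, 8, 0),
    "CVE-2023-5043": (1, 9, 0),
    "CVE-2023-5044": (1, 9, 0),
}

# Assumption: ingress-nginx annotations all live under this prefix.
NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
ALLOWED_PATH_TYPES = {"Exact", "Prefix"}

# Constructed sample shaped like `kubectl get ingress -A -o json`; not real cluster data.
SAMPLE_INGRESS_LIST = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
  {"metadata": {"namespace": "web", "name": "frontend",
                "annotations": {"kubernetes.io/ingress.class": "nginx"}},
   "spec": {"rules": [{"host": "frontend.example.test", "http": {"paths": [
     {"path": "/", "pathType": "Prefix",
      "backend": {"service": {"name": "frontend", "port": {"number": 80}}}}]}}]}},
  {"metadata": {"namespace": "web", "name": "legacy",
                "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/$2"}},
   "spec": {"rules": [{"host": "legacy.example.test", "http": {"paths": [
     {"path": "/api(/|$)(.*)", "pathType": "ImplementationSpecific",
      "backend": {"service": {"name": "legacy-api", "port": {"number": 8080}}}}]}}]}}
]}
""")


def parse_version(version):
    """Turn 'v1.8.1' (or '1.8.1-rc1') into (1, 8, 1); raise ValueError on anything else."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ingress-nginx version: {version!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the advisory's CVEs that still apply to this controller version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def audit_ingresses(ingress_list):
    """Walk a kubectl-style Ingress list and return one finding dict per problem.

    A missing pathType is treated as ImplementationSpecific (assumption: that was the
    default in the older networking.k8s.io/v1beta1 API), so it is flagged too.
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"

        # Any ingress-nginx annotation means annotation validation matters for this object.
        nginx_annotations = sorted(
            k for k in (meta.get("annotations") or {}) if k.startswith(NGINX_ANNOTATION_PREFIX)
        )
        if nginx_annotations:
            findings.append({
                "ingress": name, "check": "annotations",
                "detail": f"{len(nginx_annotations)} ingress-nginx annotation(s): "
                          f"{', '.join(nginx_annotations)}; confirm "
                          "--enable-annotation-validation is set on the controller",
            })

        # Only Exact and Prefix are permitted by the advisory's recommendation.
        for rule in item.get("spec", {}).get("rules", []):
            for p in (rule.get("http") or {}).get("paths", []):
                path_type = p.get("pathType", "ImplementationSpecific")
                if path_type not in ALLOWED_PATH_TYPES:
                    findings.append({
                        "ingress": name, "check": "pathType",
                        "detail": f"path {p.get('path', '/')!r} uses pathType {path_type}",
                    })
    return findings


if __name__ == "__main__":
    for ver in ("v1.7.1", "v1.8.1", "v1.9.0"):
        print(f"{ver}: affected by {affected_cves(ver) or 'none of the three CVEs'}")
    for f in audit_ingresses(SAMPLE_INGRESS_LIST):
        print(f"{f['ingress']} [{f['check']}]: {f['detail']}")
```

To run it against a live cluster, replace SAMPLE_INGRESS_LIST with json.load() over the output of "kubectl get ingress -A -o json" and pass the controller's image tag to affected_cves(); an empty findings list plus an empty CVE list is the state the advisory recommends.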
References:
[1] https://groups.google.com/g/kubernetes-security-announce/c/ge7u3qCwZLI/m/kVMHKhS0BAAJ
[2] https://groups.google.com/g/kubernetes-security-announce/c/pVsXsOpxYZo/m/uWRQQRS0BAAJ
[3] https://groups.google.com/g/kubernetes-security-announce/c/ukuYYvRNel0/m/-QdjShS0BAAJ
[4] https://github.com/kubernetes/ingress-nginx
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.