Escalation of Privilege Vulnerabilities in Kubernetes ingress-nginx controller (CVE-2022-4886, CVE-2023-5043, CVE-2023-5044)


Fleury, Terry

Oct 25, 2023, 8:01:39 PM
to cv-an...@trustedci.org

CI Operators:

Kubernetes has announced three vulnerabilities [1,2,3] in the ingress-nginx controller [4]. All three vulnerabilities have been rated as "High" severity.

Impact:

Each of the three vulnerabilities enables an attacker to obtain the credentials of the ingress-nginx controller, each through a different mechanism. In a default configuration, this credential has access to all secrets in the cluster.

Affected Software:

ingress-nginx < v1.8.0 for CVE-2022-4886

ingress-nginx < v1.9.0 for CVE-2023-5043 and CVE-2023-5044

Recommendation:

Update your Kubernetes ingress-nginx controller to v1.9.0 (or later) as soon as possible. To mitigate the issue, Ingress Administrators can set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields. Also, Ingress Administrators should allow pathType to be only Exact or Prefix, not ImplementationSpecific. See the "Mitigation" section of [1] for more information.

Note: if your Kubernetes cluster does not rely on the ingress-nginx controller, you are not affected. If you are running the “chrooted” ingress-nginx controller introduced in v1.2.0, command execution is possible but credential extraction is not, so the High severity does not apply. 
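As an added example (not part of this advisory or of the ingress-nginx project), the following Python script checks the two conditions the recommendation above covers against the JSON that `kubectl get ingress -A -o json` and `kubectl get deploy -n ingress-nginx -o json` produce: it flags every rule path whose pathType is ImplementationSpecific, and it reports the controller's image version against v1.9.0 and whether --enable-annotation-validation is among its arguments. The container name "controller" and the sample objects are assumptions.

```python
import re
FIXED_VERSION = (1, 9, 0)  # first release that fixes all three CVEs, per the advisory

def parse_version(image):
    """Return (major, minor, patch) from an image reference such as
    registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:..., or None."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def risky_ingress_paths(ingress_list):
    """List (namespace/name, host, path) for each path using pathType
    ImplementationSpecific, which the advisory says should not be allowed."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing["metadata"]
        ref = f"{meta.get('namespace', 'default')}/{meta['name']}"
        for rule in ing.get("spec", {}).get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                if p.get("pathType") == "ImplementationSpecific":
                    findings.append((ref, rule.get("host", "*"), p.get("path", "/")))
    return findings

def controller_status(deployment):
    """Report the controller version, whether it is at or above FIXED_VERSION,
    and whether --enable-annotation-validation is passed to it."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    ctl = next(c for c in containers if c["name"] == "controller")  # assumed name
    version = parse_version(ctl["image"])
    args = ctl.get("command", []) + ctl.get("args", [])
    return {"version": version,
            "patched": version is not None and version >= FIXED_VERSION,
            "annotation_validation": any(
                a.startswith("--enable-annotation-validation") for a in args)}

# Constructed sample objects (trimmed kubectl -o json output, not from a real cluster).
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "web", "name": "shop"},
     "spec": {"rules": [{"host": "shop.example.test", "http": {"paths": [
         {"path": "/", "pathType": "Prefix"},
         {"path": "/api", "pathType": "ImplementationSpecific"}]}}]}},
    {"metadata": {"namespace": "web", "name": "docs"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Exact"}]}}]}}]}
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "image": "registry.k8s.io/ingress-nginx/controller:v1.8.1",
     "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"]}]}}}}
if __name__ == "__main__":
    for ref, host, path in risky_ingress_paths(SAMPLE_INGRESSES):
        print(f"ImplementationSpecific pathType: {ref} host={host} path={path}")
    print(controller_status(SAMPLE_DEPLOYMENT))
```

Replace the sample objects with `json.load` of the real kubectl output to audit a cluster; a non-empty finding list or a status with `patched` false means the advisory's recommendation still applies.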

References:

[1] https://groups.google.com/g/kubernetes-security-announce/c/ge7u3qCwZLI/m/kVMHKhS0BAAJ

[2] https://groups.google.com/g/kubernetes-security-announce/c/pVsXsOpxYZo/m/uWRQQRS0BAAJ

[3] https://groups.google.com/g/kubernetes-security-announce/c/ukuYYvRNel0/m/-QdjShS0BAAJ

[4] https://github.com/kubernetes/ingress-nginx 

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
