
[Ingress-nginx Security Advisory] CVE-2024-7646: Ingress-nginx Annotation Validation Bypass


Craig Ingram

Aug 16, 2024, 1:08:03 PM8/16/24
to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributors-announce

Hello Kubernetes Community,


A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.


This issue has been rated High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and assigned CVE-2024-7646.


Am I vulnerable?

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get po -A` and looking for `ingress-nginx-controller`.


Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.


Affected Versions


ingress-nginx controller < v1.11.2


How do I mitigate this vulnerability?


This issue can be mitigated by upgrading to the fixed version. 

Fixed Versions

ingress-nginx controller v1.11.2


Detection


Review your Kubernetes audit logs for Ingress objects created with annotations (e.g. `nginx.ingress.kubernetes.io/auth-tls-verify-client`) that contain carriage returns (`\r`).
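As an added example (not part of the advisory), the following script implements that audit-log check: it reads JSON-lines audit events, keeps writes to Ingress objects in the `networking.k8s.io` or `extensions` API groups, and flags any annotation value containing a carriage return. The sample events are constructed for illustration, and the script assumes the audit policy records request bodies (level `Request` or `RequestResponse`) so `requestObject` is present.

```python
import json

# Constructed sample audit log entries (JSON lines), not real cluster logs.
# The second event carries a "\r" inside the auth-tls-verify-client annotation.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({
        "kind": "Event", "verb": "create", "user": {"username": "alice"},
        "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                      "namespace": "team-a", "name": "web"},
        "requestObject": {"metadata": {"annotations": {
            "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on"}}},
    }),
    json.dumps({
        "kind": "Event", "verb": "update", "user": {"username": "mallory"},
        "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                      "namespace": "team-b", "name": "api"},
        "requestObject": {"metadata": {"annotations": {
            "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on\r# injected"}}},
    }),
    json.dumps({  # a non-Ingress object with "\r" must not be reported
        "kind": "Event", "verb": "create", "user": {"username": "bob"},
        "objectRef": {"resource": "configmaps", "apiGroup": "", "namespace": "team-b", "name": "cfg"},
        "requestObject": {"metadata": {"annotations": {"note": "has\rcr"}}},
    }),
])

INGRESS_GROUPS = {"networking.k8s.io", "extensions"}
WRITE_VERBS = {"create", "update", "patch"}


def find_suspicious_ingress_events(audit_log_text):
    """Return (username, verb, namespace, name, annotation key) for every
    Ingress write whose annotation value contains a carriage return.
    For 'patch' events requestObject is the patch body itself, so the
    metadata.annotations path only matches merge-style patches."""
    hits = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ref = event.get("objectRef", {})
        if ref.get("resource") != "ingresses" or ref.get("apiGroup") not in INGRESS_GROUPS:
            continue
        if event.get("verb") not in WRITE_VERBS:
            continue
        annotations = (event.get("requestObject") or {}).get("metadata", {}).get("annotations") or {}
        for key, value in annotations.items():
            if isinstance(value, str) and "\r" in value:
                hits.append((event.get("user", {}).get("username"), event["verb"],
                             ref.get("namespace"), ref.get("name"), key))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_ingress_events(SAMPLE_AUDIT_LOG):
        print("suspicious Ingress write:", hit)
```

Run it against a real audit log with `find_suspicious_ingress_events(open(path).read())`; each hit identifies who wrote which Ingress and which annotation carried the `\r`.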


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io


Additional Details

See the GitHub issue for more details: 

https://github.com/kubernetes/kubernetes/issues/126744 


Acknowledgements

This vulnerability was reported by André Storfjord Kristiansen @dev-bio. 


The issue was fixed and coordinated by the fix team:

André Storfjord Kristiansen @dev-bio

Jintao Zhang @tao12345666333

Marco Ebert @Gacko


Thank You,


Craig Ingram on behalf of the Kubernetes Security Response Committee



--

Craig Ingram
Security Engineer
cjin...@google.com