Hello Kubernetes Community,
A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
This issue has been rated High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and assigned CVE-2024-7646.
Am I vulnerable?
This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get po -A` and looking for `ingress-nginx-controller`.
Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions
ingress-nginx controller < v1.11.2
How do I mitigate this vulnerability?
This issue can be mitigated by upgrading to the fixed version.
Fixed Versions
ingress-nginx controller v1.11.2
Detection
Review your Kubernetes audit logs for Ingress objects created with annotations (e.g. `nginx.ingress.kubernetes.io/auth-tls-verify-client`) that contain carriage returns (`\r`).
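One way to perform that review over JSON audit events, as an added example that is not part of the advisory. It assumes the audit policy records Ingress writes at level `Request` or `RequestResponse` (so each event carries `requestObject`) and that the log is one JSON event per line; the sample events below are constructed, and `PREFIX` scopes the check to ingress-nginx annotations.

```python
import json
from typing import Iterable, List, Tuple

WRITE_VERBS = {"create", "update", "patch"}
PREFIX = "nginx.ingress.kubernetes.io/"  # assumed scope: ingress-nginx annotations only


def suspicious_annotations(event: dict) -> dict:
    """Return {annotation: value} for ingress-nginx annotations containing a carriage return.

    Returns {} when the event is not an Ingress write or carries no request body
    (audit level Metadata omits requestObject; JSON Patch bodies are lists and are skipped)."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "ingresses" or event.get("verb") not in WRITE_VERBS:
        return {}
    obj = event.get("requestObject")
    if not isinstance(obj, dict):
        return {}
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    return {k: v for k, v in annotations.items()
            if k.startswith(PREFIX) and isinstance(v, str) and "\r" in v}


def scan_audit_log(lines: Iterable[str]) -> List[Tuple[str, str, str, dict]]:
    """Return (auditID, username, namespace/name, offending annotations) per matching event."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or rotated line instead of aborting the scan
        bad = suspicious_annotations(event)
        if bad:
            ref = event["objectRef"]
            user = (event.get("user") or {}).get("username", "?")
            hits.append((event.get("auditID"), user,
                         f"{ref.get('namespace')}/{ref.get('name')}", bad))
    return hits


def _event(audit_id, user, verb, resource, name, annotations):
    """Build a constructed audit event in the kube-apiserver JSON shape (sample data)."""
    return json.dumps({"auditID": audit_id, "verb": verb, "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": "tenant-a", "name": name},
                       "requestObject": {"metadata": {"annotations": annotations}}})


# Constructed sample log: a benign Ingress, an Ingress whose annotation value contains a CR,
# and an unrelated resource that must be ignored.
SAMPLE_LINES = [
    _event("a1", "alice", "create", "ingresses", "shop", {PREFIX + "auth-tls-verify-client": "on"}),
    _event("a2", "mallory", "update", "ingresses", "shop", {PREFIX + "auth-tls-verify-client": "on\rextra"}),
    _event("a3", "alice", "create", "configmaps", "settings", {"note": "x\ry"}),
]

if __name__ == "__main__":
    for audit_id, user, target, bad in scan_audit_log(SAMPLE_LINES):
        print(f"{audit_id}: {user} wrote {target} with CR in {sorted(bad)}")
```

On a real cluster, feed the script the audit log file (for example `scan_audit_log(open("/var/log/kubernetes/audit.log"))`) and treat every hit as a candidate for the reporting step below.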
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
Additional Details
See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/126744
Acknowledgements
This vulnerability was reported by André Storfjord Kristiansen @dev-bio.
The issue was fixed and coordinated by the fix team:
André Storfjord Kristiansen @dev-bio
Jintao Zhang @tao12345666333
Marco Ebert @Gacko
Thank You,
Craig Ingram on behalf of the Kubernetes Security Response Committee