Hello Kubernetes Community,
A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
This issue has been rated High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and assigned CVE-2024-7646.
Am I vulnerable?
This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get po -A` and looking for `ingress-nginx-controller`.
Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions
ingress-nginx controller < v1.11.2
How do I mitigate this vulnerability?
This issue can be mitigated by upgrading to the fixed version.
Fixed Versions
ingress-nginx controller v1.11.2
Detection
Review your Kubernetes audit logs for Ingress objects created with annotations (e.g. `nginx.ingress.kubernetes.io/auth-tls-verify-client`) that contain carriage returns (`\r`).
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
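As an added illustration of the audit-log review described above (not code from the advisory or the ingress-nginx project), the following Python scans Kubernetes audit events in JSON-lines form and reports Ingress writes whose annotations carry a carriage return; the sample events are constructed, and the field names follow the `audit.k8s.io/v1` event schema.

```python
import json

INGRESS_GROUPS = {"networking.k8s.io", "extensions"}
WRITE_VERBS = {"create", "update", "patch"}

def suspicious_annotations(event: dict) -> dict:
    """Annotations on an Ingress write whose key or value contains a carriage return."""
    ref = event.get("objectRef", {})
    if event.get("verb") not in WRITE_VERBS or ref.get("resource") != "ingresses":
        return {}
    if ref.get("apiGroup") not in INGRESS_GROUPS:
        return {}
    found = {}
    # requestObject exists at audit level Request/RequestResponse; for a JSON patch it is
    # a list of ops rather than the object, so the stored responseObject is checked as well.
    for obj in (event.get("requestObject"), event.get("responseObject")):
        if not isinstance(obj, dict):
            continue
        for key, value in (obj.get("metadata", {}).get("annotations") or {}).items():
            if "\r" in key or "\r" in str(value):
                found[key] = value
    return found

def scan_audit_log(lines) -> list:
    """Scan JSON-lines audit events; return one finding per Ingress write carrying a CR."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = suspicious_annotations(event)
        if hits:
            ref = event.get("objectRef", {})
            findings.append({"auditID": event.get("auditID"), "user": event.get("user", {}).get("username"),
                             "namespace": ref.get("namespace"), "name": ref.get("name"), "annotations": hits})
    return findings

# Constructed sample events (not from a real cluster): a benign Ingress and one whose
# annotation value embeds a carriage return, the indicator the advisory names.
SAMPLE_EVENTS = [
    {"auditID": "a1", "verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io", "namespace": "team-a", "name": "web"},
     "requestObject": {"metadata": {"annotations": {"nginx.ingress.kubernetes.io/auth-tls-verify-client": "on"}}}},
    {"auditID": "a2", "verb": "create", "user": {"username": "mallory"},
     "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io", "namespace": "team-b", "name": "odd"},
     "requestObject": {"metadata": {"annotations": {"nginx.ingress.kubernetes.io/auth-tls-verify-client": "on\rextra"}}}},
]
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
```

Feed it the audit log file line by line (e.g. `scan_audit_log(open("audit.log"))`); each finding records the audit ID, requesting user and object so it can be matched back to the original request.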
Additional Details
See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/126744
Acknowledgements
This vulnerability was reported by André Storfjord Kristiansen @dev-bio.
The issue was fixed and coordinated by the fix team:
André Storfjord Kristiansen @dev-bio
Jintao Zhang @tao12345666333
Marco Ebert @Gacko
Thank You,
Craig Ingram on behalf of the Kubernetes Security Response Committee
Hello!
INC3040138 ([Ingress-nginx Security Advisory] CVE-2024-7646: Ingress-nginx Annotation Validation Bypass) has been resolved.
Opened for: distributo...@kubernetes.io
Followers: kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io
Abhishek Raj updated your request with the following comments:
How can I track and update my request?
We want to make sure we have provided you with a complete resolution.
Please review the resolution detail and let us know whether you are all set by approving the resolution.
Thank you,
Product Security