Notice on nginx-ingress Add-On Security Vulnerability (CVE-2021-25748)
Description
The Kubernetes community disclosed an ingress-nginx vulnerability. Users can obtain the credentials used by ingress-controller through the spec.rules[].http.paths[].path field of the ingress object. The credentials can be used to obtain the secrets of all namespaces in the cluster. This vulnerability has been assigned CVE-2021-25748.
| Type | CVE-ID | Severity | Discovered |
|---|---|---|---|
| Privilege escalation | CVE-2021-25748 | Medium | 2022-06-10 |
Impact
Users who have permission to create or update the spec.rules[].http.paths[].path field of an Ingress object can use a newline character to bypass the sanitization of that field and obtain the credentials of the ingress controller. With those credentials, the users can access the secrets of all namespaces in the cluster.
Identification Method
For CCE clusters of version 1.23 or earlier:
1. If you install your own nginx-ingress, check whether its image tag is earlier than 1.2.1.
2. If you use the nginx-ingress add-on provided by CCE, check whether the version is earlier than or equal to 2.1.0.
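The check in item 1, together with a scan for Ingress paths that contain a newline character, can be run over saved `kubectl ... -o json` output. The following is an added example, not part of the original notice or of CCE tooling; the image repository pattern, the helper names and the sample data are assumptions.

```python
import re

FIXED = (1, 2, 1)  # fixed ingress-nginx controller release named in this notice
# Assumption: the controller image repository ends in "ingress-nginx/controller".
# "controller-chroot" images do not match; the notice requires no action for them.
IMAGE_RE = re.compile(r"(?:^|/)ingress-nginx/controller:v?(\d+)\.(\d+)\.(\d+)")

def outdated_controllers(pod_list):
    """Return (namespace, pod, image) for controller images older than FIXED."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            m = IMAGE_RE.search(c.get("image", ""))
            if m and tuple(map(int, m.groups())) < FIXED:
                hits.append((meta.get("namespace"), meta.get("name"), c["image"]))
    return hits

def paths_with_newlines(ingress_list):
    """Return (namespace, ingress, path) for rule paths containing CR or LF."""
    hits = []
    for ing in ingress_list.get("items", []):
        meta = ing.get("metadata", {})
        for rule in ing.get("spec", {}).get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                path = p.get("path") or ""
                if "\n" in path or "\r" in path:
                    hits.append((meta.get("namespace"), meta.get("name"), path))
    return hits

def _pod(ns, name, image):  # builds one constructed pod record
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"image": image}]}}
def _ingress(ns, name, path):  # builds one constructed Ingress record
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"rules": [{"http": {"paths": [{"path": path}]}}]}}

# Constructed samples shaped like `kubectl get pods -A -o json` and
# `kubectl get ingress -A -o json` output; the registry name is a placeholder.
SAMPLE_PODS = {"items": [
    _pod("ingress", "ctl-old", "registry.example/ingress-nginx/controller:v1.1.3"),
    _pod("ingress", "ctl-new", "registry.example/ingress-nginx/controller:v1.2.1@sha256:0"),
    _pod("ingress", "ctl-chroot", "registry.example/ingress-nginx/controller-chroot:v1.2.0"),
]}
SAMPLE_INGRESSES = {"items": [
    _ingress("shop", "web", "/cart"), _ingress("shop", "odd", "/cart\nextra")]}

if __name__ == "__main__":
    print(outdated_controllers(SAMPLE_PODS), paths_with_newlines(SAMPLE_INGRESSES))
```

To use it on a real cluster, load the saved JSON with `json.load` and pass it in place of the constructed samples. The script covers item 1 only; the CCE add-on version in item 2 is compared separately.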
Solution
1. Upgrade ingress-nginx to version 1.2.1.
2. If you are running the "chrooted" ingress-nginx controller introduced in version 1.2.0 (gcr.io/Kubernetes-staging-ingress-nginx/controller-chroot), no action is required.
Helpful Links
- CVE-2021-25748: https://github.com/kubernetes/ingress-nginx/issues/8686
- Fixed version released by the community: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.2.1