Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice on nginx-ingress Add-On Security Vulnerability (CVE-2021-25748)
Updated on 2023-11-15 GMT+08:00

Notice on nginx-ingress Add-On Security Vulnerability (CVE-2021-25748)

Description

The Kubernetes community disclosed an ingress-nginx vulnerability. Users can obtain the credentials used by ingress-controller through the spec.rules[].http.paths[].path field of the ingress object. The credentials can be used to obtain the secrets of all namespaces in the cluster. This vulnerability has been assigned CVE-2021-25748.

Table 1 Vulnerability information

Type

CVE-ID

Severity

Discovered

Privilege escalation

CVE-2021-25748

Medium

2022-06-10

Impact

Users who have the permissions to create or update the spec.rules[].http.paths[].path field in the ingress can use a newline character to bypass the sanitization of the field to obtain the credentials of the ingress controller, with which the users can access the secrets of all namespaces in the cluster.

Identification Method

For CCE clusters of version 1.23 or earlier:

1. If you install your own nginx-ingress, check whether its image tag is earlier than 1.2.1.

2. If you use the nginx-ingress add-on provided by CCE, check whether the version is earlier than or equal to 2.1.0.

Solution

1. Upgrade ingress-nginx to version 1.2.1.

2. If you are running the "chrooted" ingress-nginx controller introduced in version 1.2.0 (gcr.io/Kubernetes-staging-ingress-nginx/controller-chroot), no action is required.