Notice on nginx-ingress Security Vulnerabilities (CVE-2021-25745 and CVE-2021-25746)
Description
The Kubernetes open source community has disclosed two nginx-ingress vulnerabilities:
1. CVE-2021-25745: When creating or updating an ingress, a user with permission to do so can use the spec.rules[].http.paths[].path field to obtain the credentials of the ingress controller. Those credentials can then be used to read the secrets of all namespaces in the cluster.
2. CVE-2021-25746: When creating or updating an ingress, a user with permission to do so can use the .metadata.annotations field to obtain the credentials used by the ingress controller. Those credentials can then be used to read the secrets of all namespaces in the cluster.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Privilege escalation | CVE-2021-25745 | Medium | 2022-04-16
Privilege escalation | CVE-2021-25746 | Medium | 2022-04-16
Impact
These vulnerabilities affect multi-tenant CCE clusters where common users have permissions to create ingresses.
Identification Method
For CCE clusters and CCE Turbo clusters of version 1.23 or earlier:
1. If you install your own nginx-ingress, check whether its image tag is earlier than 1.2.0.
2. If you use the nginx-ingress add-on provided by CCE, check whether the version is earlier than 2.1.0.
Solution
1. For CVE-2021-25745: Implement an admission policy that restricts the spec.rules[].http.paths[].path field of networking.k8s.io/Ingress objects to known safe characters (see the latest rules in the Kubernetes community, or use the suggested value of the annotation-value-word-blocklist setting).
2. For CVE-2021-25746: Implement an admission policy that restricts metadata.annotations values to known safe characters (see the latest rules in the Kubernetes community, or use the suggested value of the annotation-value-word-blocklist setting).
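The two admission checks above can be expressed as the validation logic of a validating webhook. The following Python is an added example written for this notice; it is not CCE's or ingress-nginx's code. The allowed-character pattern for the path field, the blocked-word list (modelled on the idea of the community's annotation-value-word-blocklist; take the exact list from the current upstream documentation) and the sample Ingress objects are all constructed here as assumptions.

```python
"""Validating-webhook logic for Ingress objects (added example, not project code).

Rejects an Ingress when any spec.rules[].http.paths[].path contains characters
outside an allowed set, or when any metadata.annotations value contains a
word from a blocklist. Both rules and all sample data are assumptions.
"""
import re
from typing import Any, Dict, List

# Assumed allowed set for a path: leading slash, then unreserved URL characters.
# Anything else (spaces, quotes, braces, ';', '#', '$') is rejected so the value
# cannot alter the nginx configuration the controller renders from it.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9._~%/-]*$")

# Assumed word blocklist for annotation values. Matching is plain substring
# matching, as in the controller's own blocklist concept, so it is deliberately
# blunt: "/root" in a rewrite target is rejected because it contains "root".
ANNOTATION_WORD_BLOCKLIST = (
    "load_module", "lua_package", "_by_lua", "location", "root",
    "proxy_pass", "serviceaccount", "{", "}", "'", '"',
)


def check_paths(ingress: Dict[str, Any]) -> List[str]:
    """One message per spec.rules[].http.paths[].path outside the allowed set."""
    problems: List[str] = []
    rules = (ingress.get("spec") or {}).get("rules") or []
    for r_idx, rule in enumerate(rules):
        paths = (rule.get("http") or {}).get("paths") or []
        for p_idx, entry in enumerate(paths):
            path = entry.get("path", "/")
            if not SAFE_PATH_RE.match(path):
                problems.append(
                    f"spec.rules[{r_idx}].http.paths[{p_idx}].path "
                    "contains characters outside the allowed set"
                )
    return problems


def check_annotations(ingress: Dict[str, Any]) -> List[str]:
    """One message per metadata.annotations value containing a blocked word."""
    problems: List[str] = []
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    for key, value in annotations.items():
        hits = [w for w in ANNOTATION_WORD_BLOCKLIST if w in str(value)]
        if hits:
            problems.append(
                f"metadata.annotations[{key!r}] contains blocked word(s): "
                + ", ".join(hits)
            )
    return problems


def validate_ingress(ingress: Dict[str, Any]) -> List[str]:
    """All violations for one Ingress object; an empty list means it is admitted."""
    return check_paths(ingress) + check_annotations(ingress)


def admission_review_response(review: Dict[str, Any]) -> Dict[str, Any]:
    """Build the AdmissionReview reply a validating webhook returns to the API server."""
    request = review["request"]
    obj = request.get("object") or {}
    problems = validate_ingress(obj) if obj.get("kind") == "Ingress" else []
    response: Dict[str, Any] = {"uid": request["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {
        "apiVersion": review.get("apiVersion", "admission.k8s.io/v1"),
        "kind": "AdmissionReview",
        "response": response,
    }


# Constructed sample objects (not taken from any real cluster).
SAFE_INGRESS = {
    "kind": "Ingress",
    "metadata": {
        "name": "web",
        "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"},
    },
    "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1"}]}}]},
}
UNSAFE_INGRESS = {
    "kind": "Ingress",
    "metadata": {
        "name": "web",
        "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/root"},
    },
    "spec": {"rules": [{"http": {"paths": [{"path": "/app{"}]}}]},
}
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "request": {"uid": "constructed-uid-0001", "object": UNSAFE_INGRESS},
}

if __name__ == "__main__":
    print(validate_ingress(SAFE_INGRESS))    # []
    print(admission_review_response(SAMPLE_REVIEW)["response"])
```

The word blocklist is substring-based, so it produces false positives such as the "/root" rewrite target above; that is the trade-off the community's blocklist approach accepts in exchange for not having to parse nginx directives. If that is too restrictive for a tenant, tighten the allowed-character pattern instead of shortening the blocklist.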
Helpful Links
- CVE-2021-25745: https://github.com/kubernetes/ingress-nginx/issues/8502
- CVE-2021-25746: https://github.com/kubernetes/ingress-nginx/issues/8503
- Fixed version released by the community: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.2.0