Updated on 2024-09-02 GMT+08:00

Notice of the NGINX Ingress Controller Vulnerability That Allows Attackers to Bypass Annotation Validation (CVE-2024-7646)

Description

Table 1 Vulnerability details

Type                                      CVE-ID          Severity   Discovered
Validation bypass and command injection   CVE-2024-7646   Critical   2024-08-19

Impact

An attacker who is allowed to create Ingress objects in a Kubernetes cluster (in the networking.k8s.io or extensions API group) can exploit ingress-nginx versions earlier than v1.11.2. The flaw lets such an attacker bypass the controller's annotation validation and inject arbitrary commands, which can expose the credentials of the ingress-nginx controller and, through them, other sensitive information in the cluster. Note that the controller's service account typically has read access to Secrets across namespaces (it needs this to serve TLS), so its credentials are a high-value target.

Identification Method

This vulnerability affects CCE clusters running NGINX Ingress Controller add-on versions earlier than 3.0.7. Clusters running add-on version 3.0.7 or later are not at risk. To check whether a cluster is affected, do as follows:

  1. Use kubectl to search for pods of the add-on (cceaddon-nginx-ingress) in all namespaces:
    kubectl get po -A | grep cceaddon-nginx-ingress

    If matching pods are listed, the NGINX Ingress Controller add-on is installed in the cluster. If nothing is listed, the add-on is not installed and the cluster is not affected by this vulnerability.

  2. Check the nginx-ingress image version used by the add-on's controller Deployment:
    kubectl get deploy cceaddon-nginx-ingress-controller -n kube-system -o yaml | grep -w image

    Compare the tag of the controller image with the fixed release. If the installed NGINX Ingress Controller add-on uses an nginx-ingress version earlier than v1.11.2, the cluster is affected by this vulnerability.
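The two steps above can be scripted so that the version comparison is not done by eye. The following is an added example, not part of this notice or of the CCE add-on, that extracts the image tag from a kubectl `image:` line and compares it with the fixed upstream release v1.11.2. It assumes that the controller image is tagged with the upstream nginx-ingress version (for example `:v1.10.1`); the registry host and image path in the sample lines are placeholders, not real CCE image locations.

```shell
#!/bin/sh
# Added example, not part of the CCE notice: decides offline whether an
# nginx-ingress controller image tag is earlier than the fixed upstream
# release v1.11.2. Assumption: the add-on's controller image is tagged with
# the upstream nginx-ingress version, e.g. ":v1.10.1".

FIXED_VERSION="1.11.2"   # first upstream release that addresses CVE-2024-7646

# version_lt A B -> status 0 if dotted version A is strictly lower than B.
# Pure POSIX sh, so it works without `sort -V` (GNU-only).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"             # leading component
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}" # keep digits only ("2-r1" -> "2")
        : "${ai:=0}"; : "${bi:=0}"               # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then return 0
        elif [ "$ai" -gt "$bi" ]; then return 1
        fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # versions are equal
}

# image_tag LINE -> prints the tag of the image reference on an
# `image: <ref>` YAML line (empty if the reference carries no tag).
image_tag() {
    ref="${1##*image: }"        # drop the YAML key and indentation
    set -- $ref; ref="$1"       # drop anything after the reference
    ref="${ref%%@*}"            # drop a digest, if the image is pinned by one
    name="${ref##*/}"           # last path component: name[:tag]
    case "$name" in
        *:*) printf '%s\n' "${name##*:}" ;;
        *)   printf '\n' ;;
    esac
}

# check_image_line LINE -> prints "VULNERABLE <tag>", "FIXED <tag>" or "UNKNOWN".
# A reference without a tag (untagged or digest-only) is reported as UNKNOWN
# rather than guessed; resolve it manually against the add-on release notes.
check_image_line() {
    tag=$(image_tag "$1")
    if [ -z "$tag" ]; then
        printf 'UNKNOWN\n'
    elif version_lt "${tag#v}" "$FIXED_VERSION"; then
        printf 'VULNERABLE %s\n' "$tag"
    else
        printf 'FIXED %s\n' "$tag"
    fi
}

# Constructed sample output of `kubectl get deploy ... -o yaml | grep -w image`.
# The registry host and path are placeholders, not real CCE image locations.
SAMPLE_OLD='        image: registry.example/cce-addons/nginx-ingress-controller:v1.10.1'
SAMPLE_NEW='        image: registry.example/cce-addons/nginx-ingress-controller:v1.11.2'

check_image_line "$SAMPLE_OLD"   # VULNERABLE v1.10.1
check_image_line "$SAMPLE_NEW"   # FIXED v1.11.2

# Against a live cluster (needs kubectl access; this is the notice's own command):
#   kubectl get deploy cceaddon-nginx-ingress-controller -n kube-system -o yaml \
#     | grep -w image | while read -r line; do check_image_line "$line"; done
```

The comparison deliberately stops at the image tag: an add-on may also be identified by its own add-on version (3.0.7 in this notice), but the tag of the controller image is what the notice's step 2 asks you to compare with v1.11.2.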

Mitigation

CCE will release a new version of the NGINX Ingress Controller add-on that addresses this vulnerability. Keep an eye on the NGINX Ingress Controller Release History. Until a fixed add-on version is running in your cluster, restrict the permission to create and manage Ingress objects to trusted users, following the principle of least privilege. Because the attack requires only the ability to create an Ingress, review every Role and ClusterRole that grants create or update on ingresses (in both the networking.k8s.io and extensions API groups) and confirm that no untrusted user or service account holds them; you can check an individual subject with kubectl auth can-i create ingresses --as=<subject>.

To address the vulnerability, the community has released nginx-ingress v1.11.2. Note that this release supports only Kubernetes 1.26 or later. If your CCE cluster version is earlier than v1.27, you will need to upgrade the cluster before you can move to the fixed add-on.

Helpful Links

Fixed version released by the community: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.2