[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [kubernetes] CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingres
From: CJ Cullen <cjcullen () google ! com>
Date: 2021-10-21 16:26:08
Message-ID: CABdrxGAGO99O4ZfiCMO2tqmjSZtDZE+q9vL3cUP0AkMGjFCPMg () mail ! gmail ! com
[Download RAW message or body]
Hello Kubernetes Community,
A security issue was discovered in ingress-nginx where a user that can
create or update ingress objects can use the custom snippets feature to
obtain all secrets in the cluster.
This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L>),
and assigned CVE-2021-25742.
Affected Components and Configurations
This bug affects ingress-nginx.
Multitenant environments where non-admin users have permissions to create
Ingress objects are most affected by this issue.
Affected Versions with no mitigation
-
v1.0.0
-
<= v0.49.0
Versions allowing mitigation
This issue cannot be fixed solely by upgrading ingress-nginx. It can be
mitigated in the following versions:
-
v1.0.1
-
v0.49.1
Mitigation
To mitigate this vulnerability:
1.
Upgrade to a version that allows mitigation, (>= v0.49.1 or >= v1.0.1)
2.
Set allow-snippet-annotations
<https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations>
to false in your ingress-nginx ConfigMap based on how you deploy
ingress-nginx:
Static Deploy Files
Edit the ConfigMap for ingress-nginx after deployment
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
Add directive:
data:
allow-snippet-annotations: "false"
More information on the ConfigMap here
<https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/>
Deploying Via Helm
Set controller.allowSnippetAnnotations to false in the Values.yaml or add
the directive to the helm deploy
helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false
ingress-nginx/ingress-nginx
https://github.com/kubernetes/ingress-nginx/blob/controller-v1.0.1/charts/ingress-nginx/values.yaml#L76
Detection
If you find evidence that this vulnerability has been exploited, please
contact security@kubernetes.io
Additional Details
See ingress-nginx Issue #7837
<https://github.com/kubernetes/ingress-nginx/issues/7837> for more details.
Acknowledgements
This vulnerability was reported by Mitch Hulscher.
Thank You,
CJ Cullen on behalf of the Kubernetes Security Response Committee
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic