Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets

October 30, 2023 at 04:09PM

Three high-severity bugs in the NGINX ingress controller for Kubernetes have been identified. These vulnerabilities, listed as CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886, can potentially enable attackers to steal credentials and other sensitive information from Kubernetes clusters. The flaws have yet to be patched and it is unknown if they have been exploited. Security measures and configurations have been recommended to mitigate these issues.

Key takeaways:

– There are three unpatched high-severity vulnerabilities in the NGINX ingress controller for Kubernetes.
– The vulnerabilities are tracked as CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886.
– It is currently unknown if these vulnerabilities have been exploited.
– The first two vulnerabilities (CVE-2023-5043 and CVE-2023-5044) can allow arbitrary code injection, obtaining high-level credentials, and stealing secrets from the cluster. They affect versions 1.9.0 and earlier.
– To mitigate these issues, it is recommended that ingress admins set the “--enable-annotation-validation” flag.
– The third vulnerability (CVE-2022-4886) can allow obtaining Kubernetes API credentials and stealing secrets. It affects versions 1.8.0 and earlier.
– Mitigation for this vulnerability depends on the configuration of the pathType field.
– All three vulnerabilities highlight the underlying problem with ingress controllers having access to high privilege scopes and being vulnerable to external traffic.
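
The check below is an added example, not code from the article or from the ingress-nginx project. It takes a controller Deployment as JSON (the shape returned by kubectl get deployment -o json), compares the image tag against the affected version ranges quoted above, and reports whether the annotation-validation flag is set. The function names and the sample manifest are constructed for illustration.

```python
import json
import re

# "Affected up to" versions exactly as this page states them.
AFFECTED_UP_TO = {
    "CVE-2023-5043": (1, 9, 0),
    "CVE-2023-5044": (1, 9, 0),
    "CVE-2022-4886": (1, 8, 0),
}
FLAG = "--enable-annotation-validation"

def parse_version(image):
    """Return (major, minor, patch) from an image tag like ...:v1.9.0, else None."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def flag_enabled(args):
    """True when the boolean flag is passed bare or as =true."""
    return any(a in (FLAG, FLAG + "=true") for a in args)

def audit(deployment):
    """Return sorted (container, cve, status) tuples for one Deployment object."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        version = parse_version(c.get("image", ""))
        if version is None:
            findings.append((c["name"], "*", "unknown-version"))
            continue
        for cve, limit in AFFECTED_UP_TO.items():
            if version > limit:
                continue
            if cve == "CVE-2022-4886":
                status = "review-pathType"  # mitigation depends on Ingress pathType
            else:
                status = "flag-set" if flag_enabled(c.get("args", [])) else "flag-missing"
            findings.append((c["name"], cve, status))
    return sorted(findings)

# Constructed sample, shaped like `kubectl get deployment -o json` output.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {"containers": [
  {"name": "controller",
   "image": "registry.k8s.io/ingress-nginx/controller:v1.9.0",
   "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"]}
]}}}}
""")

if __name__ == "__main__":
    for name, cve, status in audit(SAMPLE):
        print(f"{name}\t{cve}\t{status}")
```

A "review-pathType" result means the controller version falls in the range given for CVE-2022-4886, so the pathType settings of the cluster's Ingress objects need a separate look.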

No information was provided regarding whether the bugs have been found and exploited or when a patch will be issued. The Register is awaiting a response to these questions.
