Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes

October 30, 2023 at 03:18AM

Unpatched security flaws have been discovered in the NGINX Ingress controller for Kubernetes. These vulnerabilities (CVE-2022-4886, CVE-2023-5043, CVE-2023-5044) could allow threat actors to steal secret credentials, execute arbitrary commands, and inject code into the ingress controller. Mitigations have been released; updating NGINX and enabling strict path validation are recommended. The vulnerabilities highlight how highly privileged and exposed ingress controllers are, since they often face external traffic.

Summary:
– Three high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes.
– The vulnerabilities are CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044.
– These vulnerabilities allow threat actors to steal secret credentials from the cluster and gain unauthorized access to sensitive data.
– The maintainers of the software have released mitigations and recommend updating NGINX to version 1.19 and enabling strict path validation and annotation validation.

Additional details:
Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes. The vulnerabilities are as follows:

1. CVE-2022-4886: This vulnerability allows attackers to bypass path sanitization and obtain the credentials of the ingress-nginx controller. It has a CVSS score of 8.8.

2. CVE-2023-5043: This vulnerability is caused by Ingress-nginx annotation injection, which leads to arbitrary command execution. It has a CVSS score of 7.6.

3. CVE-2023-5044: This vulnerability enables code injection via the “nginx.ingress.kubernetes.io/permanent-redirect” annotation. It also has a CVSS score of 7.6.

These vulnerabilities allow an attacker with control over the Ingress object configuration to steal secret credentials from the cluster. The flaws can also lead to unauthorized access to sensitive data. Ben Hirschberg, CTO and co-founder of the Kubernetes security platform ARMO, highlighted these issues.

The maintainers of the software have released mitigations for the vulnerabilities. They recommend updating NGINX to version 1.19 and enabling the “strict-validate-path-type” option and the “--enable-annotation-validation” flag. These steps prevent the creation of Ingress objects with invalid characters and enforce additional restrictions. Updating NGINX and adding the “--enable-annotation-validation” command-line flag resolves CVE-2023-5043 and CVE-2023-5044.
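One way to check that both settings are actually in place is to audit the controller's Deployment and ConfigMap as exported with `kubectl get ... -o json`. The sketch below is an added example, not code from the ingress-nginx project or the article; the object names, the container name and the embedded sample JSON are constructed assumptions.

```python
import json

# Constructed sample input, shaped like `kubectl get ... -o json` output.
# Object and container names are assumptions, not taken from the article.
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "metadata": {"name": "ingress-nginx-controller"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "controller",
    "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"]}]}}}}
""")
SAMPLE_CONFIGMAP = json.loads("""
{"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller"},
 "data": {"strict-validate-path-type": "false"}}
""")

FLAG = "--enable-annotation-validation"
OPTION = "strict-validate-path-type"


def flag_enabled(deployment, flag=FLAG):
    """True if any container passes the flag bare or with a true value."""
    containers = deployment["spec"]["template"]["spec"].get("containers", [])
    for c in containers:
        for arg in (c.get("args") or []) + (c.get("command") or []):
            name, _, value = arg.partition("=")
            # A bare boolean flag means true; "=false" must not count.
            if name == flag and value.lower() in ("", "true", "1", "t"):
                return True
    return False


def option_enabled(configmap, option=OPTION):
    """ConfigMap values are strings; only the literal "true" counts."""
    value = (configmap.get("data") or {}).get(option, "")
    return value.strip().lower() == "true"


def audit(deployment, configmap):
    """Return the mitigations named in the article that are not in place."""
    findings = []
    if not flag_enabled(deployment):
        findings.append(f"controller args lack {FLAG}")
    if not option_enabled(configmap):
        findings.append(f'ConfigMap does not set {OPTION} to "true"')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEPLOYMENT, SAMPLE_CONFIGMAP):
        print("MISSING:", finding)
```

An empty list from `audit()` means both configuration mitigations are set; it says nothing about the controller version, which has to be checked separately.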

Hirschberg mentioned that all these vulnerabilities point to the same underlying problem. Ingress controllers, by design, have access to TLS secrets and the Kubernetes API, making them workloads with a high privilege scope. Because they are often public, internet-facing components, they are highly vulnerable to the external traffic that enters the cluster through them.
