Hello Kubernetes Community,

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

This issue has been rated High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H> and assigned CVE-2024-7646.

Am I vulnerable?

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get po -A` and looking for `ingress-nginx-controller`.

Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

Affected Versions

ingress-nginx controller < v1.11.2

How do I mitigate this vulnerability?

This issue can be mitigated by upgrading to the fixed version.

Fixed Versions

ingress-nginx controller v1.11.2

Detection

Review your Kubernetes audit logs for Ingress objects created with annotations (e.g. `nginx.ingress.kubernetes.io/auth-tls-verify-client`) that contain carriage returns (`\r`).

If you find evidence that this vulnerability has been exploited, please contact secur...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/126744

Acknowledgements

This vulnerability was reported by André Storfjord Kristiansen @dev-bio.

The issue was fixed and coordinated by the fix team:

André Storfjord Kristiansen @dev-bio
Jintao Zhang @tao12345666333
Marco Ebert @Gacko

Thank You,

Craig Ingram on behalf of the Kubernetes Security Response Committee

--
Craig Ingram
Security Engineer
cjing...@google.com
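The audit-log review described under Detection, as an added example that is not part of the announcement or of ingress-nginx itself: it scans Kubernetes audit events (JSON lines) for create/update/patch requests against Ingress objects whose annotations contain a carriage return. The sample events are constructed, and the script assumes the audit policy logs request bodies (`Request` or `RequestResponse` level), since `requestObject`/`responseObject` are absent at the `Metadata` level.

```python
import json

# Constructed sample audit events (JSON lines); not taken from any real cluster.
# The second event carries a carriage return inside an annotation value, the
# indicator the advisory tells defenders to look for.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                   "namespace": "team-a", "name": "web"},
     "requestObject": {"metadata": {"annotations": {
         "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on"}}}},
    {"verb": "update", "user": {"username": "mallory"},
     "requestReceivedTimestamp": "2024-08-16T10:05:00Z",
     "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                   "namespace": "team-b", "name": "app"},
     "requestObject": {"metadata": {"annotations": {
         "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on\rinjected"}}}},
])

INGRESS_GROUPS = {"networking.k8s.io", "extensions"}
WRITE_VERBS = {"create", "update", "patch"}


def _annotations(obj) -> dict:
    # metadata.annotations of an audit requestObject/responseObject, or {}
    return ((obj or {}).get("metadata") or {}).get("annotations") or {}


def find_cr_ingress_annotations(lines) -> list[dict]:
    """Return one finding per Ingress write whose annotations contain a '\\r'."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:  # blank or non-JSON line
            continue
        ref = ev.get("objectRef") or {}
        if (ref.get("resource") != "ingresses" or ref.get("apiGroup") not in INGRESS_GROUPS
                or ev.get("verb") not in WRITE_VERBS):
            continue
        # Bodies are only logged at the Request/RequestResponse audit levels; a patch
        # body may not be a full object, so the responseObject is checked as well.
        annotations = {**_annotations(ev.get("requestObject")),
                       **_annotations(ev.get("responseObject"))}
        bad = {k: v for k, v in annotations.items()
               if "\r" in k or (isinstance(v, str) and "\r" in v)}
        if bad:
            findings.append({"time": ev.get("requestReceivedTimestamp"),
                             "user": (ev.get("user") or {}).get("username"),
                             "verb": ev["verb"], "namespace": ref.get("namespace"),
                             "name": ref.get("name"), "annotations": bad})
    return findings
```

Run it against a real audit log with `find_cr_ingress_annotations(open("audit.log"))`; each finding names the user, namespace and Ingress to follow up on.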