
Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces · Issue #126811 · kubernetes/kubernetes · GitHub

Issue Details

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25742.

Affected Components and Configurations

This bug affects ingress-nginx.

Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

Affected Versions with no mitigation Versions allowing mitigation

This issue cannot be fixed solely by upgrading ingress-nginx. It can be mitigated in the following versions:

Mitigation

To mitigate this vulnerability:

  1. Upgrade to a version that allows mitigation (>= v0.49.1 or >= v1.0.1)

  2. Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx:

    Static Deploy Files
    Edit the ConfigMap for ingress-nginx after deployment:

    kubectl edit configmap -n ingress-nginx ingress-nginx-controller
    

    Add directive:

    data:
      allow-snippet-annotations: "false"
    

    More information on the ConfigMap here

    Deploying Via Helm
    Set controller.allowSnippetAnnotations to false in the Values.yaml or add the directive to the helm deploy:

    helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false ingress-nginx/ingress-nginx
    

    https://github.com/kubernetes/ingress-nginx/blob/controller-v1.0.1/charts/ingress-nginx/values.yaml#L76
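To confirm the mitigation actually took effect, the following audit helper (an added example, not part of the advisory) checks the ConfigMap value and lists every Ingress across namespaces that still carries a snippet annotation; the set of annotation names is assumed from the ingress-nginx annotation reference and the sample input is constructed.

```python
# Added audit helper: parses the JSON from `kubectl get configmap -n ingress-nginx
# ingress-nginx-controller -o json` and `kubectl get ingress -A -o json`, reports
# whether snippets are still allowed and which Ingress objects carry snippet annotations.

# Annotation keys ingress-nginx treats as custom snippets (assumed list; verify
# against the annotation reference for the controller version you run).
SNIPPET_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/auth-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
}


def snippets_allowed(configmap: dict) -> bool:
    """True unless allow-snippet-annotations is exactly the string "false".
    A missing key counts as allowed (the default in the versions covered here),
    as does a value pasted with typographic quotes, which is a different string."""
    return configmap.get("data", {}).get("allow-snippet-annotations") != "false"


def find_snippet_ingresses(ingress_list: dict) -> list:
    """Return (namespace, name, annotation) for every snippet annotation present."""
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key in meta.get("annotations") or {}:
            if key in SNIPPET_ANNOTATIONS:
                hits.append((meta["namespace"], meta["name"], key))
    return hits


# Constructed sample input standing in for the two kubectl outputs.
SAMPLE_CONFIGMAP = {"kind": "ConfigMap",
                    "data": {"allow-snippet-annotations": "\u201cfalse\u201d"}}  # curly quotes
SAMPLE_INGRESSES = {"kind": "List", "items": [
    {"metadata": {"namespace": "team-a", "name": "web",
                  "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
    {"metadata": {"namespace": "team-b", "name": "api",
                  "annotations": {"nginx.ingress.kubernetes.io/server-snippet": "..."}}},
]}

if __name__ == "__main__":
    print("snippets allowed:", snippets_allowed(SAMPLE_CONFIGMAP))
    for ns, name, key in find_snippet_ingresses(SAMPLE_INGRESSES):
        print(f"{ns}/{name} carries {key}")
```

The sample ConfigMap deliberately uses typographic quotes around false, the same mistake a copy-paste from a rendered page can introduce, and the check reports snippets as still allowed.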

Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io.

Additional Details

See ingress-nginx Issue #126811 for more details.

Acknowledgements

This vulnerability was reported by Mitch Hulscher.

Thank You,
CJ Cullen on behalf of the Kubernetes Security Response Committee

