π‘΅π’†π’˜ 𝑲𝒖𝒃𝒆𝒓𝒏𝒆𝒕𝒆𝒔 π’‰π’Šπ’ˆπ’‰ π’”π’†π’—π’†π’“π’Šπ’•π’š π’—π’–π’π’π’†π’“π’‚π’ƒπ’Šπ’π’Šπ’•π’š 𝒂𝒍𝒆𝒓𝒕: π‘ͺ𝑽𝑬-2021-25742 about Nginx Ingress controller custom snippets

leewalter

Walter Lee

Posted on October 25, 2021

π‘΅π’†π’˜ 𝑲𝒖𝒃𝒆𝒓𝒏𝒆𝒕𝒆𝒔 π’‰π’Šπ’ˆπ’‰ π’”π’†π’—π’†π’“π’Šπ’•π’š π’—π’–π’π’π’†π’“π’‚π’ƒπ’Šπ’π’Šπ’•π’š 𝒂𝒍𝒆𝒓𝒕: π‘ͺ𝑽𝑬-2021-25742 about Nginx Ingress controller custom snippets

Thanks a lot to Mitch Hulscher reported the π‘΅π’†π’˜ 𝑲𝒖𝒃𝒆𝒓𝒏𝒆𝒕𝒆𝒔 π’‰π’Šπ’ˆπ’‰ π’”π’†π’—π’†π’“π’Šπ’•π’š π’—π’–π’π’π’†π’“π’‚π’ƒπ’Šπ’π’Šπ’•π’š 𝒂𝒍𝒆𝒓𝒕: π‘ͺ𝑽𝑬-2021-25742 ! A great write-up by Shauli Rozen #ARMO #kubescape team and added it in their kubescape scans/checks in no time !

Suggest to use kubescape to check immediately, then apply mitigation "𝑺𝒆𝒕 π’‚π’π’π’π’˜-π’”π’π’Šπ’‘π’‘π’†π’•-π’‚π’π’π’π’•π’‚π’•π’Šπ’π’π’” 𝒕𝒐 𝒇𝒂𝒍𝒔𝒆 in your ingress-nginx ConfigMap" if version (>= v0.49.1 or >= v1.0.1)!

  1. great write up by Shauli Rozen #ARMO #kubescape team - https://lnkd.in/gBetcc92 - easy to check now with kubescape !

  2. CVE - https://lnkd.in/gGUN7wW9
    "CVE-2021-25742: Ingress-nginx custom snippets π’‚π’π’π’π’˜π’” π’“π’†π’•π’“π’Šπ’†π’—π’‚π’ 𝒐𝒇 π’Šπ’π’ˆπ’“π’†π’”π’”-π’π’ˆπ’Šπ’π’™ π’”π’†π’“π’—π’Šπ’„π’†π’‚π’„π’„π’π’–π’π’• π’•π’π’Œπ’†π’ 𝒂𝒏𝒅 𝒔𝒆𝒄𝒓𝒆𝒕𝒔 𝒂𝒄𝒓𝒐𝒔𝒔 𝒂𝒍𝒍 π’π’‚π’Žπ’†π’”π’‘π’‚π’„π’†π’” #7837"

  3. Does it impact #nginx ingress OSS and Enterprise versions ? asked below - https://lnkd.in/gNUTzwzV - no answer yet but 𝑰 𝒔𝒖𝒔𝒑𝒆𝒄𝒕 𝒀𝑬𝑺 ? because nginx ingress docs allows snippet too at https://lnkd.in/gMBQDZVV - hope some experts can confirm soon because OSS nginx ingress is also widely used !

  4. Policy checks - thanks to #kyverno team, e.g. Jim Bugwadia has a good check rule at https://lnkd.in/gtUy-UNu ! Another good reason to use Policy in k8s to safeguard any CVEs.
    Same for #openpolicyagent if you use OPA.

  5. there are 3 diff. k8s ingress controllers - see my post at
    https://lnkd.in/gC5Pcnv8 so make sure you use the correct image names in your checks, e.g. OPA rego, Kyverno rules, e.g. see more at https://lnkd.in/gGUN7wW9

  6. do not use Snippets as said below - https://lnkd.in/gMBQDZVV
    "Security implications. Snippets give access to NGINX configuration primitives and those primitives are not validated by the Ingress Controller. For example, a snippet can configure NGINX to serve the TLS certificates and keys used for TLS termination for Ingress resources.
    "

[My original post at https://www.linkedin.com/posts/walterwlee_new-kubernetes-high-severity-vulnerability-activity-6857718713915994112-vSyN]

πŸ’– πŸ’ͺ πŸ™… 🚩
leewalter
Walter Lee

Posted on October 25, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related