New Kubernetes High Severity Vulnerability Alert: CVE-2021-25742 about Nginx Ingress controller custom snippets
Walter Lee
Posted on October 25, 2021
Thanks a lot to Mitch Hulscher, who reported the New Kubernetes High Severity Vulnerability Alert: CVE-2021-25742! A great write-up by Shauli Rozen of the #ARMO #kubescape team, who added it to their kubescape scans/checks in no time!
Suggestion: use kubescape to check immediately, then apply the mitigation "Set allow-snippet-annotations to false in your ingress-nginx ConfigMap" if your version is >= v0.49.1 or >= v1.0.1!
Great write-up by Shauli Rozen of the #ARMO #kubescape team - https://lnkd.in/gBetcc92 - easy to check now with kubescape!
CVE - https://lnkd.in/gGUN7wW9
"CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces #7837"
Does it impact #nginx ingress OSS and Enterprise versions? Asked below - https://lnkd.in/gNUTzwzV - no answer yet, but I suspect YES? because the nginx ingress docs allow snippets too at https://lnkd.in/gMBQDZVV - hope some experts can confirm soon, because OSS nginx ingress is also widely used!
Policy checks - thanks to the #kyverno team, e.g. Jim Bugwadia has a good check rule at https://lnkd.in/gtUy-UNu! Another good reason to use policy in k8s to safeguard against any CVEs.
Same for #openpolicyagent if you use OPA. There are 3 different k8s ingress controllers - see my post at
https://lnkd.in/gC5Pcnv8 - so make sure you use the correct image names in your checks, e.g. OPA Rego or Kyverno rules; see more at https://lnkd.in/gGUN7wW9. Do not use snippets, as said below - https://lnkd.in/gMBQDZVV:
"Security implications. Snippets give access to NGINX configuration primitives and those primitives are not validated by the Ingress Controller. For example, a snippet can configure NGINX to serve the TLS certificates and keys used for TLS termination for Ingress resources."
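A small audit script covering both points above, the snippet annotations on Ingress objects and the allow-snippet-annotations setting in the ingress-nginx ConfigMap. This is an added example, not code from the post, kubescape or Kyverno; it assumes the controller ConfigMap is named ingress-nginx/ingress-nginx-controller (adjust for your install) and reads the JSON that kubectl emits, with the embedded sample being constructed data.

```python
"""Audit kubectl JSON for CVE-2021-25742 exposure: Ingress objects using
nginx.ingress.kubernetes.io/*-snippet annotations, and whether the ingress-nginx
ConfigMap sets allow-snippet-annotations to "false" (the mitigation in the post).
Usage: kubectl get ingress,configmap -A -o json | python3 snippet_audit.py"""
import json
import sys

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
CONFIGMAP_KEY = "allow-snippet-annotations"
# Assumed name of the controller ConfigMap; adjust to your install (Helm releases differ).
CONTROLLER_CONFIGMAP = "ingress-nginx/ingress-nginx-controller"

def ref(obj):  # 'namespace/name' of a Kubernetes object
    return f"{obj['metadata'].get('namespace', 'default')}/{obj['metadata']['name']}"

def snippet_annotations(obj):
    """Snippet annotation keys (server-snippet, configuration-snippet, ...) on one object."""
    annotations = obj.get("metadata", {}).get("annotations") or {}
    return sorted(k for k in annotations if k.startswith(ANNOTATION_PREFIX) and k.endswith("-snippet"))

def find_snippet_ingresses(items):
    """Map 'namespace/name' -> offending annotation keys for every Ingress using snippets."""
    return {ref(o): snippet_annotations(o) for o in items
            if o.get("kind") == "Ingress" and snippet_annotations(o)}

def configmap_allows_snippets(cm):
    """True unless allow-snippet-annotations is exactly "false". A missing key counts as
    permissive: the fixed releases named in the post (v0.49.1 / v1.0.1) still allow snippets by default."""
    value = (cm.get("data") or {}).get(CONFIGMAP_KEY, "")
    return str(value).strip().lower() != "false"

def audit(doc, controller_cm=CONTROLLER_CONFIGMAP):
    """Returns (snippet_findings, configmap_is_permissive) for a kubectl List document."""
    items = doc.get("items", [])
    cm = next((o for o in items if o.get("kind") == "ConfigMap" and ref(o) == controller_cm), {})
    return find_snippet_ingresses(items), configmap_allows_snippets(cm)

# Constructed sample in the shape kubectl emits; not real cluster data.
SAMPLE = {"items": [
    {"kind": "Ingress", "metadata": {"name": "web", "namespace": "prod", "annotations": {
        "nginx.ingress.kubernetes.io/server-snippet": "add_header X-Demo 1;"}}},
    {"kind": "Ingress", "metadata": {"name": "api", "namespace": "prod", "annotations": {
        "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
    {"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
     "data": {"allow-snippet-annotations": "true"}}]}

if __name__ == "__main__":
    findings, permissive = audit(SAMPLE if sys.stdin.isatty() else json.load(sys.stdin))
    print(json.dumps({"snippet_ingresses": findings, "configmap_permissive": permissive}, indent=2))
```

Run without stdin to see the sample findings; pipe in real kubectl output to audit a cluster, and treat any listed Ingress or a permissive ConfigMap as something to fix before relying on the policy checks.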
[My original post at https://www.linkedin.com/posts/walterwlee_new-kubernetes-high-severity-vulnerability-activity-6857718713915994112-vSyN]