<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[kubernetes] CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: CJ Cullen <cjcullen () google com>
Date: Thu, 21 Oct 2021 09:26:08 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello Kubernetes Community,
A security issue was discovered in ingress-nginx where a user that can
create or update ingress objects can use the custom snippets feature to
obtain all secrets in the cluster.
This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L>),
and assigned CVE-2021-25742.
Affected Components and Configurations
This bug affects ingress-nginx.
Multitenant environments where non-admin users have permissions to create
Ingress objects are most affected by this issue.
Affected Versions with no mitigation
-
v1.0.0
-
<= v0.49.0
Versions allowing mitigation
This issue cannot be fixed solely by upgrading ingress-nginx. It can be
mitigated in the following versions:
-
v1.0.1
-
v0.49.1
Mitigation
To mitigate this vulnerability:
1.
Upgrade to a version that allows mitigation, (>= v0.49.1 or >= v1.0.1)
2.
Set allow-snippet-annotations
<https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations>
to false in your ingress-nginx ConfigMap based on how you deploy
ingress-nginx:
Static Deploy Files
Edit the ConfigMap for ingress-nginx after deployment
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
Add directive:
data:
allow-snippet-annotations: “false”
More information on the ConfigMap here
<https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/>
Deploying Via Helm
Set controller.allowSnippetAnnotations to false in the Values.yaml or add
the directive to the helm deploy
helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false
ingress-nginx/ingress-nginx
https://github.com/kubernetes/ingress-nginx/blob/controller-v1.0.1/charts/ingress-nginx/values.yaml#L76
Detection
If you find evidence that this vulnerability has been exploited, please
contact security () kubernetes io
Additional Details
See ingress-nginx Issue #7837
<https://github.com/kubernetes/ingress-nginx/issues/7837> for more details.
Acknowledgements
This vulnerability was reported by Mitch Hulscher.
Thank You,
CJ Cullen on behalf of the Kubernetes Security Response Committee
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
[kubernetes] CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces CJ Cullen (Oct 21)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->