Researchers at Wiz.io have reported four critical vulnerabilities in Ingress-Nginx, the Kubernetes ingress controller project. The flaws allow an attacker to execute code on the servers of cloud systems that run Kubernetes and, from there, to obtain fully privileged access to the Kubernetes cluster. Rated 9.8 out of 10 in severity and dubbed the IngressNightmare vulnerabilities, they affect roughly 43% of cloud environments. The issues have been fixed in the latest Ingress-Nginx releases, 1.11.5 and 1.12.1.
An ingress controller acts as a gateway in Kubernetes, giving external network clients access to services inside the cluster. The popular Ingress-Nginx controller uses the Nginx server to route external requests and balance load. Note that the Ingress-Nginx project is distinct from kubernetes-ingress, which is maintained by F5/Nginx and is not affected by these vulnerabilities; the "Nginx" in the name Ingress-Nginx refers only to its use of the Nginx proxy.
The vulnerabilities found in Ingress-Nginx let an unauthenticated attacker execute code in the controller's context by sending a request to its admission webhook. Network scans have identified more than 6,500 vulnerable Kubernetes clusters in which the controller's admission webhook is reachable from outside the cluster.
In the default configuration, code executed through the controller can compromise the Kubernetes servers and gain privileged access to the entire cluster. As a temporary workaround, it is recommended to disable the Validating Admission Controller (the validating admission webhook) in Ingress-Nginx.
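The two points above (an exposed admission webhook, and controller versions below the fixed releases) are what a cluster operator needs to check. The following triage script is an added example, not code from the Ingress-Nginx project or from Wiz.io: it reads the JSON that `kubectl get deployments -A -o json` and `kubectl get validatingwebhookconfigurations -o json` print, reports every ingress-nginx controller image that is older than 1.11.5 (on the 1.11 branch) or 1.12.1 (on 1.12), and tells you whether the admission webhook is still registered. The kubectl output embedded below is a constructed sample, and the assumption that every release after 1.12.1 also carries the fix is the script's own.

```python
"""Triage an ingress-nginx installation for the IngressNightmare fixes.

Added example.  Input is the JSON printed by
    kubectl get deployments -A -o json
    kubectl get validatingwebhookconfigurations -o json
Here both documents are constructed samples so the script runs offline.
"""
import json
import re

# Fixed releases named in the report.  Assumption (not stated in the report):
# every later release on each branch also contains the fix.
FIXED_1_11 = (1, 11, 5)
FIXED_1_12 = (1, 12, 1)

# Upstream controller images look like
#   registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:...
# (the -chroot variant uses the same tag scheme).
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")


def parse_controller_version(image: str):
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version) -> bool:
    """True when the version is at or above the fixed release of its branch."""
    if version[:2] == (1, 11):
        return version >= FIXED_1_11
    # Anything older than 1.11 has no fix; 1.12.x needs 1.12.1; later is assumed fixed.
    return version >= FIXED_1_12


def find_controllers(deployments: dict):
    """Yield (namespace, name, image, version) for each ingress-nginx controller deployment."""
    for item in deployments.get("items", []):
        meta = item["metadata"]
        for container in item["spec"]["template"]["spec"]["containers"]:
            version = parse_controller_version(container["image"])
            if version:
                yield meta["namespace"], meta["name"], container["image"], version


def admission_webhook_present(webhooks: dict) -> bool:
    """True if a ValidatingWebhookConfiguration still points at an ingress-nginx service."""
    for item in webhooks.get("items", []):
        for hook in item.get("webhooks", []):
            service = hook.get("clientConfig", {}).get("service", {})
            if "ingress-nginx" in service.get("name", ""):
                return True
    return False


def triage(deployments: dict, webhooks: dict):
    """One finding per controller: is it patched, and is the webhook still registered?"""
    webhook = admission_webhook_present(webhooks)
    return [
        {"namespace": ns, "name": name, "image": image,
         "version": ".".join(map(str, version)),
         "patched": is_patched(version), "webhook_registered": webhook}
        for ns, name, image, version in find_controllers(deployments)
    ]


# Constructed sample output, trimmed to the fields the script reads.
SAMPLE_DEPLOYMENTS = json.loads("""{"items": [
 {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0"}]}}}},
 {"metadata": {"namespace": "edge", "name": "edge-ingress"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.11.5"}]}}}},
 {"metadata": {"namespace": "default", "name": "web"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "web", "image": "nginx:1.27"}]}}}}
]}""")

SAMPLE_WEBHOOKS = json.loads("""{"items": [
 {"metadata": {"name": "ingress-nginx-admission"},
  "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io",
                "clientConfig": {"service": {"namespace": "ingress-nginx",
                                             "name": "ingress-nginx-controller-admission"}}}]}
]}""")


if __name__ == "__main__":
    for finding in triage(SAMPLE_DEPLOYMENTS, SAMPLE_WEBHOOKS):
        status = "patched" if finding["patched"] else "VULNERABLE"
        print(f"{finding['namespace']}/{finding['name']} {finding['version']}: {status}; "
              f"admission webhook registered: {finding['webhook_registered']}")
```

In the sample, the controller in `ingress-nginx` is reported as vulnerable (1.12.0) while the one in `edge` is patched (1.11.5), and the webhook is flagged as still registered. On a real cluster, pipe the two kubectl commands into `json.load` in place of the samples; a controller that is both unpatched and has its webhook registered is the case the report describes, and upgrading to 1.11.5 or 1.12.1 removes it, with disabling the webhook as the interim workaround.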
For more information on admission controllers in Kubernetes, see the official documentation.