Hello Kubernetes Community,
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.
This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25742.
Affected Components and Configurations
This bug affects ingress-nginx.
Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions with no mitigation- v1.0.0
- <= v0.49.0
Versions allowing mitigation
This issue cannot be fixed solely by upgrading ingress-nginx. It can be mitigated in the following versions:
-
v1.0.1
-
v0.49.1
Mitigation
To mitigate this vulnerability:
-
Upgrade to a version that allows mitigation, (>= v0.49.1 or >= v1.0.1)
-
Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx:
Static Deploy Files
Edit the ConfigMap for ingress-nginx after deployment
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
Add directive:
data:
allow-snippet-annotations: “false”
More information on the ConfigMap here
Deploying Via Helm
Set controller.allowSnippetAnnotations to false in the Values.yaml or add the directive to the helm deploy:
helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false ingress-nginx/ingress-nginx
Detection
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Additional Details
See ingress-nginx Issue #7837 for more details.
Acknowledgements
This vulnerability was reported by Mitch Hulscher.
Thank You,
CJ Cullen on behalf of the Kubernetes Security Response Committee