Walter Lee for AWS Community Builders

๐‘ต๐’†๐’˜ ๐‘ฒ๐’–๐’ƒ๐’†๐’“๐’๐’†๐’•๐’†๐’” ๐’‰๐’Š๐’ˆ๐’‰ ๐’”๐’†๐’—๐’†๐’“๐’Š๐’•๐’š ๐’—๐’–๐’๐’๐’†๐’“๐’‚๐’ƒ๐’Š๐’๐’Š๐’•๐’š ๐’‚๐’๐’†๐’“๐’•: ๐‘ช๐‘ฝ๐‘ฌ-2021-25742 about Nginx Ingress controller custom snippets

Thanks a lot to Mitch Hulscher, who reported the new Kubernetes high-severity vulnerability CVE-2021-25742! Shauli Rozen of the ARMO #kubescape team wrote a great write-up and added a check for it to the kubescape scans in no time!

I suggest running kubescape to check immediately, then applying the mitigation: set allow-snippet-annotations to "false" in your ingress-nginx ConfigMap. That ConfigMap key only exists from ingress-nginx v0.49.1 / v1.0.1 onward, so upgrade first if you are on an older release. Note that upgrading alone is not enough: those releases add the setting but leave it on by default, so you must set it to "false" explicitly.

  1. Great write-up by Shauli Rozen of the ARMO #kubescape team - https://lnkd.in/gBetcc92 - easy to check now with kubescape!

  2. CVE - https://lnkd.in/gGUN7wW9
    "CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces #7837"

  3. Does it impact the #nginx ingress OSS and Enterprise versions? I asked below - https://lnkd.in/gNUTzwzV - no answer yet, but I suspect YES, because the nginx ingress docs allow snippets too, at https://lnkd.in/gMBQDZVV. I hope some experts can confirm soon, because the OSS nginx ingress is also widely used!

  4. Policy checks - thanks to the #kyverno team; e.g. Jim Bugwadia has a good check rule at https://lnkd.in/gtUy-UNu! Another good reason to use policy in k8s: a rule that blocks the dangerous annotation buys you time against CVEs like this one while you upgrade.
    Same for #openpolicyagent if you use OPA.

  5. There are 3 different NGINX-based k8s ingress controllers - see my post at
    https://lnkd.in/gC5Pcnv8 - so make sure you use the correct image names in your checks, e.g. OPA Rego or Kyverno rules; see more at https://lnkd.in/gGUN7wW9

  6. Do not use snippets, as said below - https://lnkd.in/gMBQDZVV
    "Security implications. Snippets give access to NGINX configuration primitives and those primitives are not validated by the Ingress Controller. For example, a snippet can configure NGINX to serve the TLS certificates and keys used for TLS termination for Ingress resources."
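The mitigation from step 2 and the policy guardrail from step 4, written out as one set of manifests. This is an added example and not code from the original post, from kubescape, from Kyverno or from the ingress-nginx project. It assumes the controller ConfigMap is named `ingress-nginx-controller` in the `ingress-nginx` namespace (the upstream default; adjust both if your install differs), an ingress-nginx release of at least v0.49.1 / v1.0.1 so the `allow-snippet-annotations` key is honoured, and a Kyverno admission controller already installed. The policy name and the sample Ingress are made up for illustration.

```yaml
# --- 1. Mitigation: turn snippet annotations off in the controller ConfigMap.
# Assumed name/namespace: ingress-nginx-controller / ingress-nginx (upstream default).
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # Added in v0.49.1 / v1.0.1 with a default of "true"; it must be set
  # explicitly. With "false" the controller ignores every *-snippet annotation.
  allow-snippet-annotations: "false"
---
# --- 2. Guardrail: a Kyverno ClusterPolicy (hypothetical name) that rejects
# Ingress objects carrying any nginx.ingress.kubernetes.io/*snippet annotation
# and rejects a controller ConfigMap that does not keep snippets disabled.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-ingress-nginx-snippets
spec:
  validationFailureAction: enforce   # start with "audit" to see what would be blocked
  background: true                   # also report existing violating objects
  rules:
    - name: block-snippet-annotations
      match:
        any:
          - resources:
              kinds:
                - Ingress
      validate:
        message: "ingress-nginx snippet annotations are not allowed (CVE-2021-25742)"
        pattern:
          metadata:
            # =(annotations): evaluate the rule only if an annotations map exists.
            # X(key): the key must NOT be present; the wildcard covers
            # server-snippet, configuration-snippet, auth-snippet,
            # modsecurity-snippet and stream-snippet alike.
            =(annotations):
              X(nginx.ingress.kubernetes.io/*snippet): "*?"
    - name: require-snippets-disabled-in-configmap
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
              names:
                - ingress-nginx-controller
              namespaces:
                - ingress-nginx
      validate:
        message: "ingress-nginx ConfigMap must set allow-snippet-annotations to \"false\""
        pattern:
          # No =() anchor here: a ConfigMap without the key fails too, so
          # someone cannot re-enable snippets simply by deleting the line.
          data:
            allow-snippet-annotations: "false"
---
# --- 3. What the policy rejects: a constructed Ingress in a tenant namespace
# that tries to inject raw NGINX configuration through a snippet annotation.
# The directive itself is harmless; the point is that the annotation is present.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: team-a
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      add_header X-Injected "any directive nginx accepts";
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
```

Apply the first two documents and then try to apply the third: the admission request is denied with the rule's message. The ConfigMap rule is what keeps the fix from silently regressing; without it a later chart upgrade or a hand edit that drops the key would put the controller back on the default of "true".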

[My original post at https://www.linkedin.com/posts/walterwlee_new-kubernetes-high-severity-vulnerability-activity-6857718713915994112-vSyN]
