Thanks a lot to Mitch Hulscher reported the ๐ต๐๐ ๐ฒ๐๐๐๐๐๐๐๐๐ ๐๐๐๐ ๐๐๐๐๐๐๐๐ ๐๐๐๐๐๐๐๐๐๐๐๐๐ ๐๐๐๐๐: ๐ช๐ฝ๐ฌ-2021-25742 ! A great write-up by Shauli Rozen #ARMO #kubescape team and added it in their kubescape scans/checks in no time !
Suggest to use kubescape to check immediately, then apply mitigation "๐บ๐๐ ๐๐๐๐๐-๐๐๐๐๐๐๐-๐๐๐๐๐๐๐๐๐๐๐ ๐๐ ๐๐๐๐๐ in your ingress-nginx ConfigMap" if version (>= v0.49.1 or >= v1.0.1)!
great write up by Shauli Rozen #ARMO #kubescape team - https://lnkd.in/gBetcc92 - easy to check now with kubescape !
CVE - https://lnkd.in/gGUN7wW9
"CVE-2021-25742: Ingress-nginx custom snippets ๐๐๐๐๐๐ ๐๐๐๐๐๐๐๐๐ ๐๐ ๐๐๐๐๐๐๐-๐๐๐๐๐ ๐๐๐๐๐๐๐๐๐๐๐๐๐๐ ๐๐๐๐๐ ๐๐๐ ๐๐๐๐๐๐๐ ๐๐๐๐๐๐ ๐๐๐ ๐๐๐๐๐๐๐๐๐๐ #7837"Does it impact #nginx ingress OSS and Enterprise versions ? asked below - https://lnkd.in/gNUTzwzV - no answer yet but ๐ฐ ๐๐๐๐๐๐๐ ๐๐ฌ๐บ ? because nginx ingress docs allows snippet too at https://lnkd.in/gMBQDZVV - hope some experts can confirm soon because OSS nginx ingress is also widely used !
Policy checks - thanks to #kyverno team, e.g. Jim Bugwadia has a good check rule at https://lnkd.in/gtUy-UNu ! Another good reason to use Policy in k8s to safeguard any CVEs.
Same for #openpolicyagent if you use OPA.there are 3 diff. k8s ingress controllers - see my post at
https://lnkd.in/gC5Pcnv8 so make sure you use the correct image names in your checks, e.g. OPA rego, Kyverno rules, e.g. see more at https://lnkd.in/gGUN7wW9do not use Snippets as said below - https://lnkd.in/gMBQDZVV
"Security implications. Snippets give access to NGINX configuration primitives and those primitives are not validated by the Ingress Controller. For example, a snippet can configure NGINX to serve the TLS certificates and keys used for TLS termination for Ingress resources.
"
[My original post at https://www.linkedin.com/posts/walterwlee_new-kubernetes-high-severity-vulnerability-activity-6857718713915994112-vSyN]
Top comments (0)