Cyber Affairs
NGINX ingress Security Flaw-Attackers Kubernetes API server

By admin
Oct 30, 2023
in News

Three vulnerabilities have been discovered in NGINX ingress controllers, involving arbitrary command execution, code injection, and sanitization bypass. The severity of these vulnerabilities ranges between 7.6 (High) and 10.0 (Critical).

NGINX Ingress Controller can be used to manage routing using the widely known NGINX reverse proxy server. A Kubernetes Ingress, in turn, is an API object that provides HTTP and HTTPS routing to services according to a set of rules, such as hostnames or URL paths.


This vulnerability exists in the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object, which can be used to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. The default ingress-nginx controller has access to all secrets in the Kubernetes cluster.

However, this vulnerability does not apply if there are no ingress-nginx installations on the cluster. To check whether the controller is present, the kubectl get po -n ingress-nginx command can be used.

A second vulnerability also involves the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object, which can be used to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. The same command can be used to check whether the cluster runs an affected controller. The severity of this vulnerability has been given as 7.6 (High).

The above two vulnerabilities matter because of several realistic scenarios: multi-tenant clusters, malicious configurations from untrusted sources, configurations copied from the web or ChatGPT, or an insider who has rights to change configurations but no direct access to the cluster.

CVE-2022-4886: Ingress-nginx Path Sanitization

A threat actor with user privilege can create or update ingress objects and use directives to bypass the sanitization of the spec.rules[].http.paths[].path field of an Ingress object in order to obtain the credentials of the ingress-nginx controller.

In the default configuration, this credential has access to all secrets in the cluster. The severity of this vulnerability has been given as 6.7 (Medium).

A complete report about these vulnerabilities has been published by Armosec, which provides detailed information about the vulnerabilities that NGINX disclosed on GitHub.

Affected Products

According to the reports shared with Cyber Security News, the affected products are versions earlier than v1.9.0. NGINX has released patches fixing these vulnerabilities in its latest version, v1.9.0.

To mitigate this vulnerability, users are recommended to set the --enable-annotation-validation flag, which enforces restrictions on the contents of ingress-nginx annotation fields.
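The checks described in this article (controller version older than v1.9.0, Ingress objects carrying snippet annotations, suspicious characters in spec.rules[].http.paths[].path, and whether the controller ConfigMap still permits snippet annotations) can be run as one audit over the JSON that kubectl produces. The script below is an added example written for this page; it is not code from the article or from ARMO, and it makes two assumptions: the path allowlist regex is a deliberately conservative rule chosen here, not the controller's own validation logic (it may flag legitimate regex-style paths for manual review), and the sample Deployment image, Ingress objects and ConfigMap are constructed inline so the script runs offline.

```python
"""Audit ingress-nginx exposure to the issues described in the article.

Example code, not part of the article or of the ingress-nginx project.
Feed it the output of `kubectl get ingress -A -o json`, the controller
Deployment image reference, and the controller ConfigMap.
"""
import json
import re
from typing import Dict, List, Tuple

# First release with the fixes, as named in the article.
PATCHED_VERSION: Tuple[int, int, int] = (1, 9, 0)

# Annotations that let an Ingress author inject raw NGINX configuration.
# configuration-snippet is the one the article names; server-snippet is
# treated the same way here (assumption for this audit).
SNIPPET_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
)

# Conservative path allowlist (assumption, not the controller's own rule):
# must start with "/" and contain only URL-safe characters, so anything
# resembling NGINX directive syntax (spaces, ";", "{", "}", "#", "$") is flagged.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9\-._~%/]*$")


def parse_version(image: str) -> Tuple[int, ...]:
    """Extract (major, minor, patch) from a controller image reference such as
    'registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:...'."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        raise ValueError(f"no version tag in image reference: {image}")
    return tuple(int(x) for x in m.groups())


def controller_is_patched(image: str) -> bool:
    """True when the controller image is v1.9.0 or newer."""
    return parse_version(image) >= PATCHED_VERSION


def audit_ingress(ingress: Dict) -> List[str]:
    """Return findings for one Ingress object in kubectl JSON form."""
    meta = ingress.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings: List[str] = []
    annotations = meta.get("annotations") or {}
    for key in SNIPPET_ANNOTATIONS:
        if key in annotations:
            findings.append(f"{name}: uses snippet annotation {key}")
    for rule in ingress.get("spec", {}).get("rules", []):
        for p in (rule.get("http") or {}).get("paths", []):
            path = p.get("path", "")
            if not SAFE_PATH.match(path):
                findings.append(f"{name}: path {path!r} has characters outside the allowlist; review")
    return findings


def audit_controller_configmap(configmap: Dict) -> List[str]:
    """Flag a controller ConfigMap that does not explicitly disable snippet
    annotations (the default differs between controller releases)."""
    data = configmap.get("data") or {}
    if data.get("allow-snippet-annotations", "").lower() != "false":
        return ["controller ConfigMap: allow-snippet-annotations is not set to \"false\""]
    return []


def run_audit(image: str, ingresses: List[Dict], configmap: Dict) -> List[str]:
    """Combine the version, ConfigMap and per-Ingress checks into one report."""
    findings: List[str] = []
    if not controller_is_patched(image):
        findings.append(f"controller image {image} is older than v1.9.0; upgrade")
    findings += audit_controller_configmap(configmap)
    for ing in ingresses:
        findings += audit_ingress(ing)
    return findings


def load_kubectl_items(text: str) -> List[Dict]:
    """Parse a `kubectl get ... -o json` list and return its items."""
    return json.loads(text).get("items", [])


# Constructed sample data in the shape kubectl -o json produces.
SAMPLE_IMAGE = "registry.k8s.io/ingress-nginx/controller:v1.8.1"
SAMPLE_CONFIGMAP = {"data": {"allow-snippet-annotations": "true"}}
SAMPLE_INGRESSES = [
    {"metadata": {"name": "shop", "namespace": "tenant-a",
                  "annotations": {"nginx.ingress.kubernetes.io/configuration-snippet":
                                  "more_set_headers \"X-Debug: 1\";"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]}},
    {"metadata": {"name": "api", "namespace": "tenant-b"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/v1/users", "pathType": "Prefix"},
         {"path": "/v1/users; extra", "pathType": "ImplementationSpecific"}]}}]}},
]

if __name__ == "__main__":
    for line in run_audit(SAMPLE_IMAGE, SAMPLE_INGRESSES, SAMPLE_CONFIGMAP):
        print(line)
```

Against the constructed sample the audit reports four findings: the pre-1.9.0 image, the ConfigMap that leaves snippets enabled, the Ingress using configuration-snippet, and the path containing a semicolon. Each finding maps to a mitigation from the article: upgrade the controller, run it with --enable-annotation-validation, and review who is allowed to create or update Ingress objects in shared clusters.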

Copyright © 2022 Cyber Affairs. All rights reserved.

No Result
View All Result
  • Home
  • Cyber Crime
  • Cyber Intelligence
  • Cyber Laws & Regulations
  • Cyber Warfare
  • Digital Diplomacy
  • Digital Influence Mercenaries
  • Electronic Warfare
  • Emerging Technologies
  • Hacktivism
  • ICS-SCADA
  • Reports
  • White Papers

Copyright © 2022 Cyber Affairs. All rights reserved.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.