Three new vulnerabilities associated with the NGINX ingress controller have been uncovered, raising security concerns for Kubernetes. These vulnerabilities, known as CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886, pose a risk as they allow attackers to steal confidential credentials from the Kubernetes cluster.
In particular, they enable attackers to access highly privileged credentials for the Kubernetes API server, which can be achieved by manipulating the configuration of the Ingress object. This is a significant concern, especially in scenarios like multi-tenant clusters where users have the rights to alter Ingress objects in their own namespaces.
Mitigating these vulnerabilities involves two key actions: updating NGINX to version 1.19 and adding the “--enable-annotation-validation” command line configuration. There isn’t a specific “fixed version” for these vulnerabilities, so adopting these measures is essential to enhance security.
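One way to verify the second mitigation is to inspect the controller Deployment's command line for the flag. The script below is an added example, not code from the ingress-nginx project or from ARMO; the container name, the other arguments, and the sample Deployments are constructed assumptions, and the input shape is that of `kubectl get deployment <name> -o json`.

```python
import json
import sys

FLAG = "--enable-annotation-validation"  # flag named in the mitigation text


def flag_state(argv):
    """True/False if the flag appears on this command line, None if absent."""
    state = None
    for token in argv:
        name, sep, value = token.partition("=")
        if name != FLAG:
            continue
        # Boolean flag: the bare form means true, "=value" is explicit.
        # Unrecognised values are reported as not enabled. Last occurrence wins.
        state = True if not sep else value.strip().lower() in ("1", "t", "true")
    return state


def audit(deployment):
    """Map each container name to 'enabled', 'disabled' or 'missing'."""
    labels = {True: "enabled", False: "disabled", None: "missing"}
    pod_spec = deployment["spec"]["template"]["spec"]
    report = {}
    for c in pod_spec.get("containers", []):
        argv = (c.get("command") or []) + (c.get("args") or [])
        report[c["name"]] = labels[flag_state(argv)]
    return report


def sample(args):
    """Constructed Deployment, trimmed to the fields audit() reads."""
    container = {"name": "controller", "args": ["/nginx-ingress-controller"] + args}
    return {"spec": {"template": {"spec": {"containers": [container]}}}}


# Constructed inputs: flag absent, flag explicitly off, flag on.
SAMPLES = {
    "unpatched": sample(["--election-id=ingress-nginx-leader"]),
    "switched-off": sample([FLAG + "=false"]),
    "mitigated": sample(["--election-id=ingress-nginx-leader", FLAG]),
}

if __name__ == "__main__":
    # With a file argument, audit saved `kubectl get deployment ... -o json` output.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit(json.load(fh)))
    else:
        for label, dep in SAMPLES.items():
            print(label, audit(dep))
```

A result of "disabled" matters as much as "missing": a flag that is present but set to false leaves annotation validation off.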
These security issues underscore the inherent privilege levels of ingress controllers, emphasizing the need for diligent security measures in Kubernetes clusters, especially when facing public internet traffic, which can potentially breach the cluster through them.
ARMO’s Attack Path feature is recommended for identifying and addressing vulnerable components in Kubernetes environments that may require immediate action.