CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Score: 8.8, High)

A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Am I vulnerable?

This issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`.

Affected Versions

• < v1.11.0
• v1.11.0 - 1.11.4
• v1.12.0

How do I mitigate this vulnerability?

ACTION REQUIRED: The following steps must be taken to mitigate this vulnerability: Upgrade ingress-nginx to v1.11.5, v1.12.1, or any later version.

Fixed Versions

• ingress-nginx main@06c992a

To upgrade, refer to the documentation: Upgrading Ingress-nginx

Detection

Suspicious data within the `auth-tls-match-cn` annotation of an Ingress resource could indicate an attempt to exploit this vulnerability.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Acknowledgements

This vulnerability was reported by Nir Ohfeld, Ronen Shustin, Sagi Tzadik and Hillai Ben Sasson from Wiz

The issue was fixed and coordinated by Marco Ebert, James Strong, Tabitha Sable, and the Kubernetes Security Response Committee