CVSS Rating: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (Score: 9.8, Critical)

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Am I vulnerable?

This issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`.

Affected Versions

• < v1.11.0
• v1.11.0 - 1.11.4
• v1.12.0

How do I mitigate this vulnerability?

ACTION REQUIRED: The following steps must be taken to mitigate this vulnerability: Upgrade ingress-nginx to v1.11.5, v1.12.1, or any later version.

Before applying the patch, this issue can be mitigated by disabling the Validating Admission Controller functionality of ingress-nginx.

Fixed Versions

• ingress-nginx main@0ccf4ca

To upgrade, refer to the documentation: Upgrading Ingress-nginx

Detection

There are no known indicators of compromise that prove this vulnerability has been exploited.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Acknowledgements

This vulnerability was reported by Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson from Wiz

The issue was fixed and coordinated by Marco Ebert, James Strong, Tabitha Sable, and the Kubernetes Security Response Committee