New Kubernetes high severity vulnerability alert: CVE-2021-25742

Oct 22, 2021

On Oct 21st, the Kubernetes Security Response Committee issued an alert that a new high severity vulnerability was discovered in Kubernetes, affecting ingress-nginx: CVE-2021-25742. The issue was reported by Mitch Hulscher.

Through this vulnerability, a user who can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. The issue has been rated High severity, and it is recommended to ensure that Kubernetes clusters with ingress-nginx enabled are not exposed to it.

According to the publication, multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.

The ARMO Kubescape team has added a dedicated test that checks whether a K8s cluster is exposed to this CVE. The remediation and best practices according to the test results are also documented.

Kubescape users can simply run the Kubescape scan and get the results immediately.

Please make sure to update to the latest Kubescape version on GitHub, or through the following command:

curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

Kubescape scan output: CVE-2021-25742 highlighted

Recommended Mitigation

The following information on affected versions and mitigation should be taken into consideration (source: https://github.com/kubernetes/ingress-nginx/issues/7837)

Affected Versions with no mitigation

  • v1.0.0
  • <= v0.49.0

Versions allowing mitigation

This issue cannot be fixed solely by upgrading ingress-nginx. It can be mitigated in the following versions:

  • v1.0.1
  • v0.49.1

Mitigation

To mitigate this vulnerability:

  1. Upgrade to a version that allows mitigation (>= v0.49.1 or >= v1.0.1)
  2. Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx:

     Static Deploy Files

     Edit the ConfigMap for ingress-nginx after deployment:

         kubectl edit configmap -n ingress-nginx ingress-nginx-controller

     Add directive:

         data:
           allow-snippet-annotations: "false"

     More information on the ConfigMap here

     Deploying Via Helm

     Set controller.allowSnippetAnnotations to false in the values.yaml or add the directive to the helm deploy:

         helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false ingress-nginx/ingress-nginx

     https://github.com/kubernetes/ingress-nginx/blob/controller-v1.0.1/charts/ingress-nginx/values.yaml#L76
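A read-only audit to run around step 2, as an added example that is not part of the original post or of Kubescape: it takes the JSON saved from `kubectl get configmap -n ingress-nginx ingress-nginx-controller -o json` and `kubectl get ingress --all-namespaces -o json`, reports whether allow-snippet-annotations is explicitly "false", and lists the Ingress objects that carry snippet annotations and would be affected by the change. Assumptions: the default nginx.ingress.kubernetes.io/ annotation prefix, snippet annotations recognised by a "-snippet" suffix, an absent ConfigMap key counted as not mitigated, and constructed sample data.

```python
import json
import sys

# Assumption: the controller runs with the default annotation prefix.
PREFIX = "nginx.ingress.kubernetes.io/"

def snippets_disabled(configmap):
    """True only when allow-snippet-annotations is explicitly "false"."""
    value = (configmap.get("data") or {}).get("allow-snippet-annotations", "")
    return str(value).strip().lower() == "false"

def snippet_ingresses(ingress_list):
    """Return [(namespace, name, [annotation keys])] for Ingresses using snippets."""
    found = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        keys = sorted(k for k in (meta.get("annotations") or {})
                      if k.startswith(PREFIX) and k.endswith("-snippet"))
        if keys:
            found.append((meta.get("namespace", ""), meta.get("name", ""), keys))
    return found

def audit(configmap, ingress_list):
    """Summarise the mitigation state and the Ingresses that rely on snippets."""
    return {"mitigated": snippets_disabled(configmap),
            "snippet_ingresses": snippet_ingresses(ingress_list)}

# Constructed sample input, shaped like the `kubectl ... -o json` output.
SAMPLE_CONFIGMAP = {"metadata": {"name": "ingress-nginx-controller"},
                    "data": {"use-gzip": "true"}}  # key absent: not mitigated
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "team-a", "name": "web", "annotations": {
        PREFIX + "configuration-snippet": "add_header X-Frame-Options DENY;"}}},
    {"metadata": {"namespace": "team-b", "name": "api", "annotations": {
        PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"namespace": "team-c", "name": "plain"}},  # no annotations
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # two files saved from the kubectl commands
        with open(sys.argv[1]) as cm, open(sys.argv[2]) as ing:
            result = audit(json.load(cm), json.load(ing))
    else:
        result = audit(SAMPLE_CONFIGMAP, SAMPLE_INGRESSES)
    print("allow-snippet-annotations set to false:", result["mitigated"])
    for ns, name, keys in result["snippet_ingresses"]:
        print(f"uses snippets: {ns}/{name}: {', '.join(keys)}")
```
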

Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional details

See ingress-nginx Issue #7837 for more details.
