New Kubernetes high severity vulnerability alert: CVE-2021-25742
Oct 22, 2021
On Oct 21st, the Kubernetes Security Response Committee issued an alert about a new high severity vulnerability in Kubernetes affecting ingress-nginx: CVE-2021-25742. The issue was reported by Mitch Hulscher.
Through this vulnerability, a user who can create or update Ingress objects can use the custom snippets feature to obtain all secrets in the cluster. The issue has been rated High severity, and it is recommended to ensure that Kubernetes clusters with ingress-nginx enabled are not exposed to it.
According to the publication, multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
The ARMO Kubescape team has added a dedicated test that checks whether a K8s cluster is exposed to this CVE. The remediation and best practices for the test results are also documented.
Kubescape users can simply run the Kubescape scan and get the results immediately.
Please make sure to update to the latest Kubescape version from GitHub, or through the following command:
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
The following information on affected versions and mitigation should be taken into consideration (source: https://github.com/kubernetes/ingress-nginx/issues/7837)
Affected Versions with no mitigation
- <= v0.49.0
Versions allowing mitigation
This issue cannot be fixed solely by upgrading ingress-nginx; upgrading to one of the versions below only makes the mitigation possible, and the ConfigMap change is still required.
To mitigate this vulnerability:
- Upgrade to a version that allows mitigation (>= v0.49.1 or >= v1.0.1)
- Set allow-snippet-annotations to false in your ingress-nginx ConfigMap based on how you deploy ingress-nginx:
Static Deploy Files
Edit the ConfigMap for ingress-nginx after deployment:
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
Deploying Via Helm
Set controller.allowSnippetAnnotations to false in your values.yaml or add the directive to the helm deploy command:
helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false ingress-nginx/ingress-nginx
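The following script is an added example, not part of this post or of Kubescape, showing how the checks described above can be applied to the JSON that kubectl returns for the controller Deployment, the controller ConfigMap and the cluster's Ingress objects. The sample objects are constructed inline; the image tag parsing and the treatment of a missing allow-snippet-annotations key as "snippets allowed" are assumptions made for this example.

```python
"""Assess exposure to CVE-2021-25742 from kubectl-style JSON objects (constructed sample data)."""
import re

# Constructed stand-ins for `kubectl get -n ingress-nginx deploy/ingress-nginx-controller -o json`,
# `kubectl get -n ingress-nginx configmap/ingress-nginx-controller -o json` and `kubectl get ingress -A -o json`.
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller", "image": "k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:PLACEHOLDER"}]}}}}
SAMPLE_CONFIGMAP = {"data": {"allow-snippet-annotations": "true"}}
SAMPLE_INGRESSES = [
    {"metadata": {"name": "shop", "namespace": "tenant-a",
                  "annotations": {"nginx.ingress.kubernetes.io/server-snippet": "# constructed"}}},
    {"metadata": {"name": "plain", "namespace": "tenant-b"}},
]

def parse_version(image):
    """Extract (major, minor, patch) from an image tag such as ':v0.49.1' (assumed tag format)."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def supports_mitigation(version):
    """Mitigation is only possible on >= v0.49.1 (0.x line) or >= v1.0.1, per the advisory."""
    if version is None:
        return False
    return version >= (1, 0, 1) or (0, 49, 1) <= version < (1, 0, 0)

def controller_version(deployment):
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if "ingress-nginx/controller" in c["image"]:
            return parse_version(c["image"])
    return None

def snippets_disabled(configmap):
    # A missing key is treated as "true" (assumption: snippets were allowed by default in these versions).
    return configmap.get("data", {}).get("allow-snippet-annotations", "true").lower() == "false"

def ingresses_with_snippets(ingresses):
    """List namespace/name of Ingress objects carrying any nginx *-snippet annotation."""
    found = []
    for ing in ingresses:
        ann = ing["metadata"].get("annotations") or {}
        if any(k.startswith("nginx.ingress.kubernetes.io/") and k.endswith("-snippet") for k in ann):
            found.append(f'{ing["metadata"]["namespace"]}/{ing["metadata"]["name"]}')
    return found

def assess(deployment, configmap, ingresses):
    ver = controller_version(deployment)
    if not supports_mitigation(ver):
        status = "EXPOSED: upgrade to >= v0.49.1 or >= v1.0.1, then disable snippet annotations"
    elif not snippets_disabled(configmap):
        status = "EXPOSED: set allow-snippet-annotations to false in the controller ConfigMap"
    else:
        status = "MITIGATED"
    return {"version": ver, "status": status, "snippet_ingresses": ingresses_with_snippets(ingresses)}

if __name__ == "__main__":
    print(assess(SAMPLE_DEPLOYMENT, SAMPLE_CONFIGMAP, SAMPLE_INGRESSES))
```

The snippet_ingresses list is useful after the ConfigMap change as well, since it shows which tenant Ingress objects depended on snippets and will need attention.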
If you find evidence that this vulnerability has been exploited, please contact email@example.com
See ingress-nginx Issue #7837 for more details.