Oct 22, 2021
On Oct 21st, the Kubernetes Security Response Committee issued an alert that a new high-severity vulnerability had been discovered in the ingress-nginx controller: CVE-2021-25742. The issue was reported by Mitch Hulscher.
Through this vulnerability, a user who can create or update Ingress objects can use the custom snippets feature (the nginx.ingress.kubernetes.io/*-snippet annotations, which inject raw nginx configuration into the controller) to obtain all Secrets in the cluster. The controller runs with a service account that is allowed to read Secrets cluster-wide, so configuration injected by one Ingress author can reach Secrets belonging to every other tenant. The issue has been rated High severity, and it is recommended to verify that Kubernetes clusters running ingress-nginx are not exposed to it.
According to the publication, multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
The ARMO Kubescape team has added a dedicated test that checks whether a cluster runs ingress-nginx with snippet annotations still enabled and is therefore exposed to this CVE. Remediation steps and best practices are documented alongside the test results.
Kubescape users can simply run the Kubescape scan and get the results immediately.
Please make sure to update to the latest Kubescape version in GitHub, or through the following command:
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
The following information on affected versions and mitigation should be taken into consideration (source: https://github.com/kubernetes/ingress-nginx/issues/7837)
This issue cannot be fixed solely by upgrading ingress-nginx: the fix adds a configuration option that the cluster administrator must set explicitly, as described below. It can be mitigated in the following versions:
To mitigate this vulnerability:
Static Deploy Files
Edit the ConfigMap for ingress-nginx after deployment:
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
Add directive:
data:
  allow-snippet-annotations: "false"
More information on the ConfigMap is available in the ingress-nginx documentation.
Deploying Via Helm
Set controller.allowSnippetAnnotations to false in the chart's values.yaml, or pass it on the Helm command line:
helm install [RELEASE_NAME] --set controller.allowSnippetAnnotations=false ingress-nginx/ingress-nginx
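The script below is an added example; it is not code from this post, from Kubescape, or from the ingress-nginx project. It combines the check that the Kubescape test performs (does the ingress-nginx ConfigMap still accept snippet annotations, and which Ingress objects already carry a nginx.ingress.kubernetes.io/*-snippet annotation) with the Static Deploy Files mitigation above, applied as a `kubectl patch` instead of an interactive `kubectl edit`. The namespace and ConfigMap names default to the ones used on this page; the function names, the --fix flag and the sample objects are this example's own constructions, and the sample JSON is shaped like `kubectl get ... -o json` output but was not captured from a real cluster. It assumes, as on the affected releases, that an absent allow-snippet-annotations key means the controller still honours snippets.

```python
"""Added example for CVE-2021-25742 (not code from the ARMO post, Kubescape or
ingress-nginx). The offline helpers decide exposure from ConfigMap and Ingress
JSON; main() runs them against a live cluster with kubectl and can apply the
ConfigMap mitigation described on this page."""
import argparse
import json
import subprocess
import sys

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
SNIPPET_SUFFIX = "-snippet"  # configuration-snippet, server-snippet, ...

# Strategic-merge patch equivalent to the page's `kubectl edit` step.
MITIGATION_PATCH = json.dumps({"data": {"allow-snippet-annotations": "false"}})


def snippets_allowed(configmap):
    """True unless data.allow-snippet-annotations is explicitly "false".

    Assumption: on the releases affected by the CVE an absent key means the
    controller still honours snippet annotations, so absence counts as exposed.
    """
    data = configmap.get("data") or {}
    value = data.get("allow-snippet-annotations")
    if value is None:
        return True
    return str(value).strip().lower() != "false"


def ingresses_using_snippets(ingress_list):
    """(namespace, name, sorted annotation keys) for each Ingress that carries
    any nginx.ingress.kubernetes.io/*-snippet annotation."""
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        keys = sorted(
            k for k in annotations
            if k.startswith(ANNOTATION_PREFIX) and k.endswith(SNIPPET_SUFFIX)
        )
        if keys:
            hits.append((meta.get("namespace", "default"), meta.get("name", ""), keys))
    return hits


def kubectl_json(*args):
    """Run `kubectl <args> -o json` and parse the result."""
    proc = subprocess.run(["kubectl", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def main(argv=None):
    parser = argparse.ArgumentParser(description="CVE-2021-25742 exposure check")
    parser.add_argument("--namespace", default="ingress-nginx")
    parser.add_argument("--configmap", default="ingress-nginx-controller")
    parser.add_argument("--fix", action="store_true",
                        help='patch the ConfigMap with allow-snippet-annotations: "false"')
    args = parser.parse_args(argv)

    configmap = kubectl_json("get", "configmap", "-n", args.namespace, args.configmap)
    exposed = snippets_allowed(configmap)
    print("allow-snippet-annotations:", "allowed (EXPOSED)" if exposed else "disabled")

    # Tenants already using snippets are the ones who could exercise the bug today.
    for ns, name, keys in ingresses_using_snippets(kubectl_json("get", "ingress", "-A")):
        print(f"  {ns}/{name} uses {', '.join(keys)}")

    if exposed and args.fix:
        subprocess.run(["kubectl", "patch", "configmap", "-n", args.namespace,
                        args.configmap, "--type", "merge", "-p", MITIGATION_PATCH],
                       check=True)
        print("ConfigMap patched; re-run without --fix to confirm")
    return 1 if exposed else 0


# Constructed sample objects, shaped like `kubectl get ... -o json` output
# (not captured from a real cluster), for an offline self-check.
SAMPLE_CONFIGMAP_EXPOSED = {
    "kind": "ConfigMap",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "data": {"use-forwarded-headers": "true"},
}
SAMPLE_CONFIGMAP_FIXED = {
    "kind": "ConfigMap",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "data": {"use-forwarded-headers": "true", "allow-snippet-annotations": "false"},
}
SAMPLE_INGRESSES = {
    "kind": "List",
    "items": [
        {"metadata": {"name": "web", "namespace": "tenant-a", "annotations": {
            "nginx.ingress.kubernetes.io/server-snippet": "add_header X-Sample yes;"}}},
        {"metadata": {"name": "api", "namespace": "tenant-b", "annotations": {
            "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
    ],
}

if __name__ == "__main__":
    sys.exit(main())
```

Run it with no arguments to report exposure (exit status 1 while snippets are still allowed), and with --fix to apply the ConfigMap directive; for Helm-managed installs, set controller.allowSnippetAnnotations as shown above instead, because a Helm upgrade would otherwise overwrite the patched ConfigMap. Listing the Ingress objects that already use snippet annotations matters because disabling the option breaks those Ingresses, so their owners need a heads-up before the change.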
If you find evidence that this vulnerability has been exploited, please contact [email protected]
Additional details
See ingress-nginx Issue #7837 for more details.