CVE-2023-5044: Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation #126817
Comments
|
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-triage
cjcullen
changed the title
|
@cjcullen did you mean version 1.19, not 1.9, right? |
|
@ealasgarov I think I'm assuming that since https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.9.0 |
|
Is this only affecting deployments where the |
|
I'd like to set |
|
@stromvirvel each annotation has a risk weight/grade - the annotation validation flag alone won't be of much use, since the default threshold is As for figuring out the threshold, you'll need to go through the codebase, afaik there's no documentation for each of these - best I could find was this test file: kubernetes/ingress-nginx@c5f348e#diff-1cf51e128ca991f6d8ea012512e57cf68e224e64ff68e2401d9a598e4da98837R70-R74 There you can see |
it is in the values.yaml. |
|
If anyone is not sure on how to enable that annotation or where this annotation will be set, check info mentioned below. This annotation is set as arg in the container level of the nginx |
@cilindrox you are right! I have plans to automate the documentation generation for this annotations (risk, description and eventually the validation) but didn't had the opportunity to do it yet (tho I've left the majority of code ready for it). Sorry for that, we had to rush on implementation and missed this |
|
/assign @cpanato @rikatz @strongjz @tao12345666333 |
|
Hey folks, As this CVE has been opened for 1 week now, I'm closing the issue. The description of the issue contains all the required mitigations, and we plan in future releases to turn the validation on by default and also implement more safety measures. Thank you all for using the project, and for your continuous support for us. /close |
|
@rikatz: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This commit adds the flags and config options recommended by the community in: https://github.com/kubernetes/ingress-nginx/issues/10570 https://github.com/kubernetes/ingress-nginx/issues/10572 CVE-2023-5044 is mitigated with enableAnnotationValidations CVE-2022-4886 is mitigated with strict-validate-path-type Test cases: PASS: Full build, system install, bootstrap and unlock. PASS: system application-update to this new version PASS: Create Ingress resource with special character in path /apple$, Verify it's possible to curl localhost/apple$. Apply strict-validate-path-type override and verify creating the same Ingress object is not possible anymore, neither curl works. PASS: Create Ingress resource with special characters and verify that it creates successfully. annotations: nginx.ingress.kubernetes.io/permanent-redirect: | https://www.google.com$HOST Apply enableAnnotationValidations override and verify creating the same Ingress object is not possible anymore and a validation error is now returned. PASS: stx-openstack applies without error. Closes-Bug: 2042977 Change-Id: I2f2279ebb34094d0a21d4440e48ef890f09a6133 Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
|
Hello @prashanthkasamsetty @rikatz @longwuyuan
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
data:
allow-snippet-annotations: "true"
annotations-risk-level: High
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: platform
app.kubernetes.io/component: controller
replicas: 5
revisionHistoryLimit: 10
minReadySeconds: 0
template:
spec:
containers:
- name: controller
image: registry.k8s.io-ingress-nginx-controller:v1.9.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
args:
- /nginx-ingress-controller
- **--enable-annotation-validation=true**
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-ssl-passthrough=true
ingress:
class_name: "nginx"
enabled: true
# default: override_yaml is undefined
override_yaml:
metadata:
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header "X-B3-Sampled" "1";
spec:
rules:
- host: kiali.example.com
http:
paths:
- backend:
service:
name: kiali
port:
number: 20001
path: /
pathType: Prefix
tls:
- hosts:
- kiali.example.com
secretName: "kiali-tls"`
`/nginx-ingress-controller
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: v1.9.5
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.21.6Here is the issue which use command line Status:
Conditions:
Message:
Reason:
Status: False
Type: Successful
Message: Running reconciliation
Reason: Running
Status: False
Type: Running
Ansible Result:
Changed: 5
Failures: 1
Ok: 64
Skipped: 51
Message: Failed to patch object: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"admission webhook \\"validate.nginx.ingress.kubernetes.io\\" denied the request: annotation group ConfigurationSnippet contains risky annotation based on ingress configuration","reason":"BadRequest","code":400}\n'
Reason: Failed
Status: True
Type: Failure
Deployment:
Instance Name: kiali
Namespace: istio
Environment:
Is Kubernetes: true
Kubernetes Version: 1.24.17
Operator Version: v1.77.0
Progress:
Duration: 0:00:26
Message: 5. Creating core resources
Spec Version: default
Events: <none>But when set to Critical or delete |
|
/transfer kubernetes |
k8s-ci-robot
added
the
needs-sig
|
/area security |
k8s-ci-robot
added
lifecycle/frozen
Issue Details
A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/permanent-redirect annotation on an Ingress object (in the
networking.k8s.ioorextensionsAPI group) can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2023-5044.
Affected Components and Configurations
This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running
kubectl get po -n ingress-nginx.If you are running the “chrooted” ingress-nginx controller introduced in v1.2.0 (gcr.io/k8s-staging-ingress-nginx/controller-chroot), command execution is possible but credential extraction is not, so the High severity does not apply.
Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions
Versions allowing mitigation
Mitigation
Ingress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.
Detection
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Additional Details
See ingress-nginx Issue #10572 for more details.
Acknowledgements
This vulnerability was reported by Jan-Otto Kröpke (Cloudeteer GmbH)
Thank You,
CJ Cullen on behalf of the Kubernetes Security Response Committee
The text was updated successfully, but these errors were encountered: