If you see 400 Bad Request, that means this pod has access to the admission controller.
How easy would it be to find an avenue to make a request to the admission controller for anything running on your k8s cluster? (maybe your service takes any kind of URL and makes a request on your server...there's infinite possibilities of exploiting this.)
I am rethinking my choice in using ingress-nginx entirely, perhaps it's time to find a simpler solution that has more secure defaults.
These seems overblown since because configuring your ingress controllers and annotating your pods is like "I copy and pasted bash | sudo" but controllers in k8s are a totally insane pattern so I guess any of them could steal/do a lot of evil, really.
It's "overblown" because of these dumb CVSS scores that get attached to vulnerabilities as if they had any meaning at all (they do not). By itself, it's just a marginally interesting semi-remote vuln, effectively a privesc within a K8s deployment.
The Helm chart has not been updated yet, but it looks like you can use the new container images by manually specifying the updated image tag in the values file:
No evidence, but the fact that the "IngressNightmare" PR piece was announced before there were even PRs created to fix this smells like the team at Wiz leaked this before it was really ready.
Whether the scores are legit or not, the fact that this was such a botched disclosure process is not a good look for the Kubernetes project, of which this is a part.
Edit: According to [1], the team at Wiz show a responsible disclosure timeline. Seems like the Kubernetes project's process didn't work so well. If Wiz is accurately reporting what happened in their blog, these fixes (or the plan for them) was available a month ago, despite seemingly not having working PRs until today, after the security announcement?
Again, I really appreciate the work of the team to ship this, but this isn't a good look for the Kubernetes project itself.
> Multiple issues have been discovered in ingress-nginx that can result in arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Beyond that, it could likely be used to sniff out client secrets from other connections as well if the attacker is sophisticated enough.
Readit News
Here's a simple test:
`kubectl exec -it` a pod:
curl -k --fail https://ingress-nginx-controller-admission.ingress-nginx.svc...
If you see 400 Bad Request, that means this pod has access to the admission controller.
How easy would it be to find an avenue to make a request to the admission controller for anything running on your k8s cluster? (maybe your service takes any kind of URL and makes a request on your server...there's infinite possibilities of exploiting this.)
I am rethinking my choice in using ingress-nginx entirely, perhaps it's time to find a simpler solution that has more secure defaults.
Whether the scores are legit or not, the fact that this was such a botched disclosure process is not a good look for the Kubernetes project, of which this is a part.
Edit: According to [1], the team at Wiz show a responsible disclosure timeline. Seems like the Kubernetes project's process didn't work so well. If Wiz is accurately reporting what happened in their blog, these fixes (or the plan for them) was available a month ago, despite seemingly not having working PRs until today, after the security announcement?
Again, I really appreciate the work of the team to ship this, but this isn't a good look for the Kubernetes project itself.
[1] https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabili...
> Multiple issues have been discovered in ingress-nginx that can result in arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Beyond that, it could likely be used to sniff out client secrets from other connections as well if the attacker is sophisticated enough.
Deleted Comment
> January 10, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-1097.
> January 12, 2025 – Kubernetes proposed a fix for CVE-2025-1974.
> January 16, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-1974.
> January 20, 2025 – Kubernetes proposed a fix for CVE-2025-24513.
> January 21, 2025 – Wiz Research reported a bypass for the proposed fix for CVE-2025-24513.
Lol, lmao even. [1]
[1]: https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabili...
1x “just run the code, CJ”
Dead Comment