CVE-2024-7646: A Threat to Kubernetes Clusters Running ingress-nginx
A newly discovered security vulnerability, CVE-2024-7646, has been identified in the widely used ingress-nginx controller for Kubernetes, posing a severe threat to multi-tenant environments. With a CVSS score of 8.8, this flaw allows actors with permission to create Ingress objects to bypass annotation validation, potentially injecting arbitrary commands and gaining unauthorized access to sensitive cluster credentials.
Ingress-nginx, a popular Kubernetes controller that manages external access to services within a cluster, has been found vulnerable to a critical validation bypass. The vulnerability specifically targets the annotation validation process within ingress-nginx. If exploited, it enables an attacker to inject malicious commands by creating specially crafted Ingress objects.
In the default configuration, this exploit could allow attackers to obtain the credentials of the ingress-nginx controller itself. These credentials typically grant access to all secrets within the Kubernetes cluster, thereby exposing sensitive data and potentially compromising the entire cluster’s security.
The CVE-2024-7646 vulnerability predominantly affects multi-tenant environments where non-admin users have the ability to create Ingress objects. In such scenarios, the risk is significantly heightened, as a malicious actor could easily exploit the flaw to escalate privileges and infiltrate critical parts of the Kubernetes infrastructure.
This vulnerability was responsibly reported by André Storfjord Kristiansen (@dev-bio).
To determine if your system is vulnerable, you should check for the presence of ingress-nginx on your cluster by executing the following command:
If ingress-nginx is installed and is running a version prior to v1.11.2, your environment is at risk.
The most effective way to mitigate this vulnerability is by upgrading to the fixed version, ingress-nginx controller v1.11.2. This version addresses the flaw by ensuring robust annotation validation, thereby preventing the injection of arbitrary commands.
Administrators are strongly advised to review their Kubernetes audit logs for any suspicious Ingress objects. Pay particular attention to annotations that include carriage returns (\r), as these could be indicative of an attempted exploitation.
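As an added illustration of the two checks above (not code from the advisory or the ingress-nginx project), the following Python scans the JSON that `kubectl get ingress -A -o json` returns for annotations containing a carriage return, and classifies a controller image tag against the fixed version v1.11.2. The Ingress list embedded below is constructed sample data, not output from a real cluster.

```python
import json
import re

# Constructed sample in the shape of `kubectl get ingress -A -o json` (not real cluster data).
SAMPLE_INGRESS_LIST = json.dumps({
    "items": [
        {"metadata": {"namespace": "team-a", "name": "web",
                      "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
        {"metadata": {"namespace": "team-b", "name": "suspicious",
                      "annotations": {"nginx.ingress.kubernetes.io/server-snippet": "ok\rinjected"}}},
        {"metadata": {"namespace": "team-c", "name": "plain"}},  # no annotations at all
    ]
})


def find_cr_annotations(ingress_list_json: str) -> list:
    """Return (namespace, name, annotation key) for every Ingress annotation whose
    value contains a carriage return, the indicator the advisory tells admins to look for."""
    hits = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            if "\r" in str(value):
                hits.append((meta.get("namespace"), meta.get("name"), key))
    return hits


_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def is_vulnerable_version(image: str) -> bool:
    """True if the controller image tag parses to a version earlier than v1.11.2.
    Only the last path component is inspected so registry hostnames and digests
    cannot be mistaken for the tag; an unparseable tag is reported as needing review."""
    last_component = image.rsplit("/", 1)[-1]  # e.g. "controller:v1.11.1@sha256:..."
    m = _VERSION_RE.search(last_component)
    if not m:
        return True
    return tuple(int(x) for x in m.groups()) < (1, 11, 2)


if __name__ == "__main__":
    for ns, name, key in find_cr_annotations(SAMPLE_INGRESS_LIST):
        print(f"carriage return in {ns}/{name} annotation {key}")
    print("vulnerable:", is_vulnerable_version("registry.k8s.io/ingress-nginx/controller:v1.11.1"))
```

Feed the function real output with `kubectl get ingress -A -o json` and the controller pod's image string from `kubectl get pods -A -o json` to run the same checks against a live cluster.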