A vulnerability has been discovered in Ingress-nginx, identified as CVE-2022-4886. It allows an attacker who controls an Ingress object to steal Kubernetes API credentials. The vulnerability arises when the ingress controller has access to all secrets in the cluster. This article describes the vulnerability and suggests mitigation strategies.
The vulnerability in Ingress-nginx is related to the use of the “path” field in Ingress routing definitions. The vulnerable controller fails to properly validate the path value, which allows it to be pointed at the internal file containing the service account token that the controller uses to authenticate against the API server.
Mitigation for this vulnerability depends on the Ingress rules used by the operator. If the rule has “pathType” set to “Exact” or “Prefix”, enabling the “strict-validate-path-type” option, available from nginx-ingress-controller version 1.18, helps mitigate the vulnerability. For “pathType” set to “ImplementationSpecific”, the mitigation is an admission controller policy that filters out malicious paths. An example of such a policy can be found at https://kubernetes.github.io/ingress-nginx/examples/openpolicyagent/ .
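The two mitigations above amount to the same defensive check applied at admission time: an Ingress path is only accepted if it is a plain URL path, not something that could be interpreted as a regex or escape the intended location. The following is an added example, not code from the page or from the ingress-nginx project, of a small Python admission-style validator that performs that check over a constructed Ingress object. The allow-list regex (SAFE_PATH), the deny-list regex (SUSPICIOUS), the function names and the sample Ingress are all assumptions made for illustration; they approximate the intent of “strict-validate-path-type” and of the OPA policy rather than reproducing either implementation. The example goes slightly beyond the text by handling all three pathType values in one function.

```python
import re
from typing import Dict, List

# Assumption: a conservative allow-list for Exact/Prefix paths, in the spirit of
# strict-validate-path-type. A leading slash followed by unreserved URI
# characters and further slashes; nothing else.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/\-]*$")

# Assumption: for ImplementationSpecific paths, deny anything that NGINX could
# read as a regex location, that contains whitespace, or that walks upward.
SUSPICIOUS = re.compile(r"[\s()\[\]{}|*+?^$\\\"']|\.\.")


def validate_path(path: str, path_type: str) -> List[str]:
    """Return a list of problems for one (path, pathType) pair; empty means OK."""
    problems: List[str] = []
    if not path.startswith("/"):
        problems.append("path must start with '/'")
    if path_type in ("Exact", "Prefix"):
        if not SAFE_PATH.match(path):
            problems.append(
                f"{path_type} path contains characters outside the strict allow-list"
            )
    elif path_type == "ImplementationSpecific":
        if SUSPICIOUS.search(path):
            problems.append(
                "ImplementationSpecific path contains regex metacharacters, "
                "whitespace or '..'"
            )
    else:
        problems.append(f"unknown pathType {path_type!r}")
    return problems


def review_ingress(ingress: Dict) -> Dict[str, List[str]]:
    """Walk spec.rules[].http.paths[] and map '<host>:<path>' to its problems."""
    findings: Dict[str, List[str]] = {}
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "*")
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            # Kubernetes defaults an absent pathType to ImplementationSpecific.
            path_type = entry.get("pathType", "ImplementationSpecific")
            problems = validate_path(path, path_type)
            if problems:
                findings[f"{host}:{path}"] = problems
    return findings


def admit(ingress: Dict) -> bool:
    """The decision an admission webhook would return: True only if no path is flagged."""
    return not review_ingress(ingress)


# Constructed sample Ingress (not taken from the page): two acceptable paths
# and two that a strict policy should reject.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "rules": [
            {
                "host": "app.example.com",
                "http": {
                    "paths": [
                        {"path": "/api/v1", "pathType": "Prefix"},
                        {"path": "/api/(.*)", "pathType": "Prefix"},
                        {"path": "/static/", "pathType": "ImplementationSpecific"},
                        {"path": "/../private", "pathType": "ImplementationSpecific"},
                    ]
                },
            }
        ]
    },
}

if __name__ == "__main__":
    for location, problems in review_ingress(SAMPLE_INGRESS).items():
        print(location, "->", "; ".join(problems))
    print("admit:", admit(SAMPLE_INGRESS))
```

Operators who legitimately rely on regex locations (ImplementationSpecific paths combined with a regex annotation) will need to relax SUSPICIOUS for the namespaces where that is intended; the point of the check is that an arbitrary Ingress author cannot turn a path into an NGINX directive that reads files the controller can reach.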
To address this vulnerability, it is recommended to update NGINX to version 1.19 and add the “--enable-annotation-validation” command-line flag, as this also resolves related vulnerabilities. Enabling the “strict-validate-path-type” option together with the --enable-annotation-validation flag provides further mitigation.
This vulnerability highlights the risks associated with ingress controllers, which are typically the first component to face external traffic entering the cluster. The severity of this vulnerability is rated as 6.7 (Medium). Operators should implement the recommended mitigations to protect against potential attacks. Armosec has published a comprehensive report on these vulnerabilities, which provides detailed information about NGINX’s disclosure on GitHub.