The Register: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw

Source URL: https://www.theregister.com/2025/03/25/kubernetes_flaw_rce_risk/
Source: The Register
Title: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw

Feedly Summary: How many K8s systems are sat on the internet front porch like that … Oh, thousands, apparently
Cloudy infosec outfit Wiz has discovered serious vulnerabilities in the admission controller component of Ingress-Nginx Controller that could allow the total takeover of Kubernetes clusters – and thinks more than 6,000 deployments of the software are at risk on the internet.…

AI Summary and Description: Yes

Summary: The text highlights critical vulnerabilities in the admission controller of the Ingress-Nginx Controller, potentially affecting more than 6,000 internet-exposed Kubernetes deployments. The flaws allow remote code execution and complete cluster takeover, so security teams running Kubernetes in cloud environments need to patch or mitigate immediately.

Detailed Description:
The discovered vulnerabilities in the Ingress-Nginx Controller could have severe implications for Kubernetes security, particularly because numerous deployments are exposed to external traffic. The vulnerabilities, identified by Wiz, a cloud security company, could allow attackers to execute arbitrary code, leading to total takeover of affected Kubernetes clusters.

Key points include:

– **Vulnerability Overview**: The admission controller of the Ingress-Nginx Controller allows an attacker to inject arbitrary Nginx configuration directives remotely, which leads to remote code execution (RCE).
– **Interaction with Kubernetes**: Kubernetes clusters commonly expose applications to external HTTP/S traffic through an ingress controller, which routes requests according to the cluster's Ingress rules; Ingress-Nginx is one of the most widely deployed such controllers.
– **Execution Risk**: The admission controller renders incoming Ingress objects into an Nginx configuration and runs that configuration through the Nginx validator before accepting the object. Because attacker-controlled content ends up in the validated configuration, injected directives run during validation, giving the attacker code execution in the controller pod and from there control of the cluster.
– **Security Scope**: More than 6,500 publicly accessible installations were found to be at risk. A compromised controller can read secrets across namespaces, so the blast radius is not limited to the ingress namespace.
– **Recent Findings**: The vulnerabilities, collectively termed "IngressNightmare," were disclosed to the Kubernetes maintainers in late 2024, with fixes released on March 10.
– **Severity Ratings**: The most severe flaw (CVE-2025-1974) is rated 9.8/10 on the CVSS scale, which makes patching a priority rather than a routine update.

**Practical Implications**:

– **Immediate Actions for Professionals**:
– Upgrade the Ingress-Nginx Controller to version 1.12.1 or 1.11.5 (or later) as soon as possible.
– If an immediate upgrade is not feasible because of operational constraints, apply strict network policies so that only the Kubernetes API server can reach the admission controller, or temporarily disable the admission controller as a stop-gap. Note that disabling it removes validation of Ingress objects, so it is a mitigation, not a fix.
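The first question for any of the immediate actions above is which controller version each cluster is actually running. The following script is an added example, not code from the article, Wiz, or the Ingress-Nginx project. It reads pod/image lines in the shape produced by `kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[*].image}{"\n"}{end}'` and classifies every `ingress-nginx/controller` image against the fix releases named in the article (1.12.1 and 1.11.5). The sample input is constructed, and the digest on the first line is a placeholder. The assumption that 1.13 and later postdate the fix is mine, as is the decision to treat versions without a parseable tag as "unknown" rather than silently skipping them.

```python
import re

# Fix releases named in the article. Everything below 1.11.5, and 1.12.0 in the
# 1.12 line, is treated as unpatched for IngressNightmare. Versions from 1.12.1
# upward (including 1.13+, an assumption) are treated as patched.
FIXED_1_12 = (1, 12, 1)
FIXED_1_11 = (1, 11, 5)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image_or_tag):
    """Return (major, minor, patch) from an image reference or a bare tag.

    Accepts "v1.12.0", "1.11.5", and full references such as
    "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:...".
    Returns None when no semantic version tag is present (digest-only
    references, "latest"), which callers must report as unknown rather
    than assume safe.
    """
    ref = image_or_tag.strip().split("@", 1)[0]   # drop any @sha256:... digest
    tag = ref.rsplit(":", 1)[-1]                   # text after the last colon
    m = _VERSION_RE.fullmatch(tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the parsed version predates the fix release for its line."""
    if version >= FIXED_1_12:
        return False
    if FIXED_1_11 <= version < (1, 12, 0):
        return False
    return True


def triage(pod_lines):
    """Classify 'namespace/pod image' lines.

    Returns a list of (pod, image, status) with status one of
    'vulnerable', 'patched' or 'unknown'. Only ingress-nginx controller
    images are considered; other pods are skipped. If a pod has several
    containers only the first image on the line is examined.
    """
    results = []
    for line in pod_lines:
        line = line.strip()
        if not line:
            continue
        pod, _, images = line.partition(" ")
        image = images.split(" ", 1)[0]
        if "ingress-nginx/controller" not in image:
            continue
        version = parse_version(image)
        if version is None:
            status = "unknown"
        else:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        results.append((pod, image, status))
    return results


# Constructed sample output; the sha256 digest is a placeholder, not a real image.
SAMPLE = """\
ingress-nginx/ingress-nginx-controller-7c6f8 registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:deadbeef
edge/ingress-nginx-controller-5b9d2 registry.k8s.io/ingress-nginx/controller:v1.11.5
legacy/ingress-nginx-controller-a1b2c registry.k8s.io/ingress-nginx/controller:v1.10.1
kube-system/coredns-1 registry.k8s.io/coredns/coredns:v1.11.1
"""

if __name__ == "__main__":
    for pod, image, status in triage(SAMPLE.splitlines()):
        print(f"{status:10s} {pod}  {image}")
```

Pipe real `kubectl` output into `triage` instead of `SAMPLE` to inventory a fleet; anything reported as "unknown" (for example a controller deployed by digest only) needs a manual check of the image before it is marked patched.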

Given the severity of these flaws and the number of exposed installations, teams responsible for cloud and infrastructure security should treat patching or mitigating them as a priority to preserve the confidentiality and integrity of their Kubernetes environments.