Three high-severity security vulnerabilities have been disclosed in the NGINX Ingress controller for Kubernetes, each posing a risk of secret credential theft. The vulnerabilities are:
- CVE-2022-4886 (CVSS score: 8.8) – Bypassing path sanitization to acquire ingress-nginx controller credentials.
- CVE-2023-5043 (CVSS score: 7.6) – Enabling arbitrary command execution through ingress-nginx annotation injection.
- CVE-2023-5044 (CVSS score: 7.6) – Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, noted that these vulnerabilities could let an attacker who controls the Ingress object configuration steal secret credentials, specifically in the case of CVE-2023-5043 and CVE-2023-5044. Successful exploitation could lead to arbitrary code injection into the ingress controller process, resulting in unauthorized access to sensitive data.
CVE-2022-4886, which stems from a validation gap in the “spec.rules[].http.paths[].path” field, enables an attacker with Ingress object access to extract Kubernetes API credentials from the ingress controller.
“In the Ingress object, the operator can define which incoming HTTP path is routed to which inner path,” noted Hirschberg. “The vulnerable application does not properly validate the inner path’s integrity, potentially pointing to the internal file housing the service account token, serving as the client credential for API server authentication.”
In the absence of fixes, the software maintainers have introduced mitigations: enabling the “strict-validate-path-type” option and setting the “--enable-annotation-validation” flag, which together enforce character validity and impose additional restrictions when creating Ingress objects.
ARMO has advised upgrading NGINX to version 1.19 and enabling the “--enable-annotation-validation” command-line option to address CVE-2023-5043 and CVE-2023-5044.
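The following is an added example, not code from the article or from the ingress-nginx project, showing how a cluster operator might audit both sides of the mitigation described above: the Ingress objects themselves (the path field from CVE-2022-4886 and the permanent-redirect annotation from CVE-2023-5044) and the controller's own configuration (the ConfigMap option and the command-line flag). The path allow-list, the annotation sanity checks and the sample manifests are constructed for this example and are deliberately more conservative than what the Kubernetes API server accepts; they are not the controller's own validation rules.

```python
import json
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed allow-list for Ingress path strings (an assumption for this example,
# not the controller's regex): a leading '/', then only unreserved URL characters.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")

# Annotation named in the article; the checks applied to its value are constructed.
REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/permanent-redirect"
# Characters that carry meaning inside a generated nginx configuration block.
NGINX_META = re.compile(r'[;{}"\'\\$\n\r#]')


def check_path(path: str) -> List[str]:
    """Return findings for one spec.rules[].http.paths[].path value."""
    findings = []
    if not path.startswith("/"):
        findings.append("path does not start with '/'")
    if ".." in path:
        findings.append("path contains '..'")
    if not SAFE_PATH.match(path):
        findings.append("path contains characters outside the allow-list")
    return findings


def check_redirect(value: str) -> List[str]:
    """Return findings for a permanent-redirect annotation value."""
    findings = []
    if NGINX_META.search(value):
        findings.append("redirect target contains nginx configuration metacharacters")
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        findings.append("redirect target is not an absolute http(s) URL")
    return findings


def audit_ingress(ingress: Dict) -> List[str]:
    """Audit one Ingress manifest (as a dict) and return human-readable findings."""
    meta = ingress.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            for f in check_path(p.get("path", "")):
                findings.append(f"{name}: {f}: {p.get('path')!r}")
    annotations = meta.get("annotations") or {}
    if REDIRECT_ANNOTATION in annotations:
        for f in check_redirect(annotations[REDIRECT_ANNOTATION]):
            findings.append(f"{name}: {f}")
    return findings


def audit_controller_config(configmap: Dict, container_args: List[str]) -> List[str]:
    """Check that the two mitigations from the article are switched on."""
    findings = []
    data = configmap.get("data") or {}
    if str(data.get("strict-validate-path-type", "false")).lower() != "true":
        findings.append("ConfigMap: strict-validate-path-type is not enabled")
    flag_on = any(a in ("--enable-annotation-validation",
                        "--enable-annotation-validation=true")
                  for a in container_args)
    if not flag_on:
        findings.append("controller args: --enable-annotation-validation is missing")
    return findings


# Constructed sample objects (not from the article or any real cluster).
GOOD_INGRESS = {
    "metadata": {"name": "shop", "namespace": "web",
                 "annotations": {REDIRECT_ANNOTATION: "https://example.com/new"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1", "pathType": "Prefix"}]}}]},
}
BAD_INGRESS = {
    "metadata": {"name": "shop", "namespace": "web",
                 "annotations": {REDIRECT_ANNOTATION: "https://example.com/new;"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/ok/../{bad}", "pathType": "Prefix"}]}}]},
}
HARDENED_CONFIGMAP = {"data": {"strict-validate-path-type": "true"}}
HARDENED_ARGS = ["/nginx-ingress-controller", "--enable-annotation-validation"]

if __name__ == "__main__":
    for label, obj in (("good", GOOD_INGRESS), ("bad", BAD_INGRESS)):
        print(label, json.dumps(audit_ingress(obj), indent=2))
    print("controller", audit_controller_config(HARDENED_CONFIGMAP, HARDENED_ARGS))
```

Run against exported manifests (for example the JSON from `kubectl get ingress -A -o json`, iterating over `items`), the script gives a quick inventory of Ingress objects that would trip the strict validation once it is enabled, and confirms the controller Deployment carries both mitigations before the upgrade window.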
Hirschberg emphasized that these vulnerabilities all stem from a common root issue: “Ingress controllers inherently possess high-privilege scope, granting access to TLS secrets and Kubernetes API by design. Furthermore, their public internet-facing nature makes them particularly susceptible to external traffic infiltration into the cluster.”