Public-facing Kubernetes clusters at risk of total takeover
[...] a specially-crafted Ingress object can cause nginx to misbehave in various ways, including revealing the values of Secrets that are accessible to ingress-nginx. By default, ingress-nginx has access to all Secrets cluster-wide, [...]
Holy crap, what if I'm gonna be home for a couple of days?
Yeah, whatever you were planning on doing, you're doing this instead.
The good news is that Wiz disclosed this mess to the developers overseeing Kubernetes in December 2024 and January 2025, and that fixes for five CVEs – collectively dubbed IngressNightmare by Wiz – were issued on March 10, with the details under embargo until now.
Nginx Controller versions 1.12.1 and 1.11.5 fix the flaws – and they are available to download at this link.
Quick reference to find out what version ingress-nginx you're running:
$ kubectl exec -it -n NAMESPACE INGRESS_NGINX_CONTROLLER_POD -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.11.2
  Build:         46e76e5916813cfca2a9b0bfdc34b69a0000f6b9
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5
-------------------------------------------------------------------------------
🙁
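To turn the version check above into something you can run across a fleet, here is an added example (not from the thread or the ingress-nginx project) that parses the controller's `--version` banner and compares the release against the fixed versions the article names, v1.11.5 and v1.12.1. The banner embedded in the script is constructed from the format shown in the comment above; the `check_live` helper, which wraps the same `kubectl exec` command, is only invoked when you pass a namespace and pod name.

```shell
#!/bin/sh
# Added example: decide whether an ingress-nginx controller is on a release
# that carries the IngressNightmare fixes (v1.11.5 / v1.12.1, per the article).
# SAMPLE_BANNER is constructed from the banner format shown in the thread.

SAMPLE_BANNER='-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.11.2
  Build:         46e76e5916813cfca2a9b0bfdc34b69a0000f6b9
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5
-------------------------------------------------------------------------------'

# extract_release BANNER -> prints the bare release, e.g. "1.11.2"
extract_release() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Release:[[:space:]]*v\{0,1\}\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# ingress_nginx_is_fixed VERSION -> exit 0 if the release contains the fix,
# non-zero otherwise. 1.11.x needs patch >= 5, 1.12.x needs patch >= 1,
# anything newer than 1.12 is treated as fixed, anything older as not fixed.
ingress_nginx_is_fixed() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    case "$major.$minor" in
        1.11) [ "$patch" -ge 5 ] ;;
        1.12) [ "$patch" -ge 1 ] ;;
        *)
            if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 12 ]; }; then
                return 0
            else
                return 1
            fi
            ;;
    esac
}

# check_live NAMESPACE POD -> runs the thread's command against a real cluster
# and prints a verdict; only used when two arguments are supplied.
check_live() {
    banner=$(kubectl exec -n "$1" "$2" -- /nginx-ingress-controller --version 2>/dev/null) \
        || { echo "could not read version from $1/$2" >&2; return 2; }
    ver=$(extract_release "$banner")
    if ingress_nginx_is_fixed "$ver"; then
        echo "$1/$2: ingress-nginx v$ver contains the fixes"
    else
        echo "$1/$2: ingress-nginx v$ver does NOT contain the fixes (upgrade to 1.11.5 or 1.12.1)"
    fi
}

if [ "$#" -ge 2 ]; then
    check_live "$1" "$2"
else
    # Offline demonstration against the constructed banner.
    v=$(extract_release "$SAMPLE_BANNER")
    if ingress_nginx_is_fixed "$v"; then
        echo "sample banner: v$v contains the fixes"
    else
        echo "sample banner: v$v does NOT contain the fixes"
    fi
fi
```

Run it as `sh check-ingress-nginx.sh NAMESPACE POD` to query a live controller, or without arguments to see the verdict for the constructed v1.11.2 banner. Loop it over `kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx` output if you have more than one controller.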
I've found a few exposed /metrics for kubernetes stuff because their IP poked my honeypot. I'd assume they've been hacked and turned into a botnet or something.
Use watchtower folks if you're self hosting. https://containrrr.dev/watchtower/
That’s docker, not kubernetes.