Security Bulletin
Summary
IBM Cloud Kubernetes Service is affected by Kubernetes Ingress Controller security vulnerabilities where a user that can create or update Ingress objects can use spec.rules[].http.paths[].path (CVE-2021-25745) or .metadata.annotations (CVE-2021-25746) of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller.
These vulnerabilities are relevant mainly in multi-tenant environments where non-admin users have permissions to create Ingress objects.
Vulnerability Details
CVEID: CVE-2021-25745
Description: Kubernetes ingress-nginx could allow a remote authenticated attacker to obtain sensitive information, caused by improper access control. By sending a specially-crafted request using the "spec.rules[].http.paths[].path" field of an Ingress object, an attacker could exploit this vulnerability to obtain the credentials of the ingress-nginx controller, and use this information to launch further attacks against the affected system.
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/225032 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
CVEID: CVE-2021-25746
Description: Kubernetes ingress-nginx could allow a remote authenticated attacker to obtain sensitive information, caused by improper access control. By sending a specially-crafted request using the ".metadata.annotations" in an Ingress object, an attacker could exploit this vulnerability to obtain the credentials of the ingress-nginx controller, and use this information to launch further attacks against the affected system.
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/225033 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
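Both CVEs concern values a tenant controls in an Ingress object, so a cluster operator's first question is which existing Ingress objects carry path or annotation values that are not plain URL paths or plain settings. The triage script below is an added example, not part of the IBM bulletin and not ingress-nginx code; the character set it flags and the annotation prefix it inspects are assumptions chosen for review, not the controller's own validation rules.

```python
import json
import re

# Added example: list Ingress objects whose spec.rules[].http.paths[].path or
# nginx.ingress.kubernetes.io/* annotation values contain characters that are
# meaningful to an nginx configuration parser. Assumption: these characters
# rarely occur in legitimate values, so each hit deserves a human review.
NGINX_SYNTAX = re.compile(r'[\s;{}#$"\'\\]')
NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"


def audit_ingress(ingress):
    """Return (object, field, value, reason) tuples for one Ingress manifest."""
    meta = ingress.get("metadata", {})
    obj = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            path = p.get("path", "")
            if NGINX_SYNTAX.search(path):
                findings.append((obj, "spec.rules[].http.paths[].path", path,
                                 "path contains nginx directive syntax"))
    for key, value in meta.get("annotations", {}).items():
        if key.startswith(NGINX_ANNOTATION_PREFIX) and NGINX_SYNTAX.search(value):
            findings.append((obj, f"metadata.annotations[{key}]", value,
                             "annotation value contains nginx directive syntax"))
    return findings


def audit_ingress_list(ingress_list):
    """Audit a List object such as the output of `kubectl get ingress -A -o json`."""
    return [f for item in ingress_list.get("items", []) for f in audit_ingress(item)]


# Constructed sample input: one ordinary Ingress and one whose path and
# annotation values hold separators and a newline that a URL path never needs.
SAMPLE = json.loads('''{"items": [
 {"metadata": {"name": "shop", "namespace": "team-a",
   "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
  "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1", "pathType": "Prefix"}]}}]}},
 {"metadata": {"name": "odd", "namespace": "team-b",
   "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/\\n# note"}},
  "spec": {"rules": [{"http": {"paths": [{"path": "/reports; x", "pathType": "Exact"}]}}]}}
]}''')

if __name__ == "__main__":
    for finding in audit_ingress_list(SAMPLE):
        print(*finding, sep="\t")
```

Feed it the real cluster listing by replacing SAMPLE with `json.load(sys.stdin)` on the output of `kubectl get ingress -A -o json`; findings in namespaces owned by non-admin tenants are the ones to review before and after the ALB update.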
Affected Products and Versions
1.2.0_2131_iks
Remediation/Fixes
ALB version 1.2.0_2131_iks contains fixes for these vulnerabilities and is available immediately for early adopters. To update your ALBs before the automatic update period for this version you will need to disable automatic updates and apply the version manually. The fixed version will be automatically applied to all clusters once it has passed all GA validation and is marked as the default version for ALBs.
Action Required
Update Ingress ALBs to version 1.2.0_2131_iks or later.
- Disable autoupdates by running the ibmcloud ks ingress alb autoupdate disable command. This prevents the newer version from being overwritten for your ALBs.
- Update your ALBs to the new version by running the ibmcloud ks ingress alb update --version 1.2.0_2131_iks command.
Monitor IBM Cloud Status for Future Security Bulletins
Monitor the security notifications on the IBM Cloud Status page to be advised of future security bulletins.
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 27 April 2022
UID: ibm16575101