Summary
A security issue was discovered in ingress-nginx where the rules.http.paths.path Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. In the default installation, the controller can access all Secrets cluster-wide.
Impact
An authenticated attacker with permission to create or modify Ingress resources can craft a malicious value in the rules.http.paths.path field to inject arbitrary nginx directives into the controller configuration. Successful exploitation results in arbitrary code execution within the ingress-nginx controller process and potential disclosure of all Kubernetes Secrets accessible to the controller, which in the default installation includes all Secrets across every namespace.
Detection
Suspicious data within the rules.http.paths.path field of an Ingress resource could indicate an attempt to exploit this vulnerability. Audit Ingress resource definitions across all namespaces for unexpected or obfuscated path values. If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.
To confirm whether ingress-nginx is installed in your cluster, run:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
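The audit described above can be scripted. The following is an added example, not part of the original advisory or the ingress-nginx project: it walks the JSON from kubectl get ingress --all-namespaces -o json and lists every path that uses the ImplementationSpecific path type named under Mitigation or contains characters that are unusual in a URL path. The character set, the function names and the sample data are assumptions made for illustration.

```python
import json
import re
import sys

# Assumed heuristic (not from the advisory): whitespace, control characters and
# nginx statement/block delimiters do not belong in an ordinary URL path.
SUSPICIOUS = re.compile(r"[\s\x00-\x1f;{}#]")

def audit_ingresses(ingress_list):
    """Return (namespace, name, pathType, path, reasons) for each path to review."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        # spec.rules and rule.http are optional (e.g. defaultBackend-only Ingress).
        for rule in item.get("spec", {}).get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                path, ptype = p.get("path") or "", p.get("pathType") or ""
                reasons = []
                if ptype == "ImplementationSpecific":
                    reasons.append("pathType ImplementationSpecific")
                if SUSPICIOUS.search(path):
                    reasons.append("unexpected characters in path")
                if reasons:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     ptype, path, reasons))
    return findings

def ingress(ns, name, paths=None):
    """Build a minimal Ingress object for the constructed sample below."""
    spec = {"rules": [{"http": {"paths": [
        {"path": p, "pathType": t} for p, t in paths]}}]} if paths else {}
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}

# Constructed sample shaped like `kubectl get ingress --all-namespaces -o json`.
SAMPLE = {"items": [
    ingress("default", "web", [("/app", "Prefix")]),
    ingress("team-a", "api", [("/api/v1", "ImplementationSpecific")]),
    ingress("team-b", "reports", [("/reports {constructed;}", "ImplementationSpecific")]),
    ingress("team-c", "fallback"),  # no rules at all
]}

if __name__ == "__main__":
    # Read kubectl JSON from a pipe, or fall back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, ptype, path, reasons in audit_ingresses(data):
        print(f"{ns}/{name}: {path!r} ({ptype}): {', '.join(reasons)}")
```

Saved under a name of your choosing (audit_ingress_paths.py here is hypothetical), it can be fed live data with kubectl get ingress --all-namespaces -o json | python3 audit_ingress_paths.py. A hit is a prompt for manual review, not proof of exploitation.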
Mitigation
Upgrade ingress-nginx to v1.13.7, v1.14.3, or any later version. Follow the Upgrading Ingress-nginx documentation for upgrade procedures.
Prior to upgrading, this vulnerability can be mitigated by using a validating admission controller to reject Ingress resources with the ImplementationSpecific path type.