#IngressController

🛡 H3lium@infosec.exchange/:~# :blinking_cursor:​<p>"🚨 <strong>NGINX Ingress Vulnerabilities Exposed!</strong> 🚨"</p><p>Three new vulnerabilities have been identified in the NGINX ingress controller for Kubernetes. These vulnerabilities, tagged as CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886, could potentially allow attackers to steal secret credentials from the cluster. 🕵️‍♂️🔓</p><ul><li><p><strong>CVE-2023-5043 &amp; CVE-2023-5044</strong>: These vulnerabilities can be exploited by attackers who can control the Ingress object's configuration. By using the annotation fields “configuration-snippet” or “permanent-redirect”, attackers can inject arbitrary code into the ingress controller process, gaining access to the service account token of the ingress controller. This token has a ClusterRole, enabling reading of all Kubernetes secrets in the cluster. 😱</p></li><li><p><strong>CVE-2022-4886</strong>: This vulnerability lies in the way the “path” field is used in the Ingress routing definitions. A flaw in the validation of the inner path can lead to exposure of the service account token, which is used for authentication against the API server. 🚫</p></li></ul><p>Mitigation steps include updating NGINX to version 1.19 and enabling the “--enable-annotation-validation” command line configuration. 
🛡️</p><p>These vulnerabilities underscore the importance of securing ingress controllers, given their high privilege scope and potential exposure to external traffic.</p><p>Source: <a href="https://www.armosec.io/blog/cve-2023-5043-nginx-ingress/" rel="nofollow noopener noreferrer" target="_blank">ARMO Blog</a> by Ben Hirschberg, CTO &amp; Co-founder.</p><p>Tags: <a href="https://infosec.exchange/tags/NGINX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NGINX</span></a> <a href="https://infosec.exchange/tags/Kubernetes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kubernetes</span></a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerability</span></a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/IngressController" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IngressController</span></a> <a href="https://infosec.exchange/tags/CVE2023" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CVE2023</span></a> <a href="https://infosec.exchange/tags/CVE2022" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CVE2022</span></a> 🌐🔐🔍</p>
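An added example, not part of the post above and not code from ARMO or the ingress-nginx project: a defender-side inventory of Ingress objects that use the two annotations the post names. It assumes the default `nginx.ingress.kubernetes.io/` annotation prefix and input in the shape of `kubectl get ingress -A -o json`; the function name, severity labels, redirect-value heuristic and sample objects are constructed for illustration.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"  # default annotation prefix (assumption)
WATCHED = {"configuration-snippet", "permanent-redirect"}  # named in the post
# Heuristic (assumption): a redirect target should be a plain URL, so
# whitespace or NGINX config metacharacters in it warrant a manual look.
SUSPICIOUS = re.compile(r"[;{}\s]")
ORDER = {"high": 0, "review": 1, "info": 2}


def audit_ingresses(ingress_list):
    """Return one finding per watched annotation, most urgent first."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        # "annotations" may be absent or null on an Ingress object.
        for key, value in (meta.get("annotations") or {}).items():
            name = key[len(PREFIX):] if key.startswith(PREFIX) else None
            if name not in WATCHED:
                continue
            if name == "configuration-snippet":
                level = "review"  # raw NGINX config by design: check who may set it
            elif SUSPICIOUS.search(value):
                level = "high"    # redirect value is not a plain URL
            else:
                level = "info"
            findings.append({"namespace": meta.get("namespace", "default"),
                             "ingress": meta.get("name", "?"),
                             "annotation": name, "level": level})
    return sorted(findings, key=lambda f: ORDER[f["level"]])


# Constructed sample objects; real input would come from the kubectl JSON output.
SAMPLE = {"items": [
    {"metadata": {"name": "shop", "namespace": "team-a", "annotations": {
        PREFIX + "configuration-snippet": "add_header X-Constructed 1;"}}},
    {"metadata": {"name": "old-site", "namespace": "team-b", "annotations": {
        PREFIX + "permanent-redirect": "https://example.com/new"}}},
    {"metadata": {"name": "odd", "namespace": "team-b", "annotations": {
        PREFIX + "permanent-redirect": "https://example.com/;constructed"}}},
    {"metadata": {"name": "plain", "namespace": "team-c"}},
]}

if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE):
        print(f'{f["level"]:<6} {f["namespace"]}/{f["ingress"]}: {f["annotation"]}')
```

Each finding also identifies a namespace whose Ingress authors can reach these annotation fields, which is the precondition the post describes.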
Volkan Özçelik<p>Contour is a high performance ingress controller for Kubernetes</p><p><a href="https://projectcontour.io/" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="">projectcontour.io/</span><span class="invisible"></span></a></p><p><a href="https://z2h.dev/tags/Kubernetes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kubernetes</span></a> <a href="https://z2h.dev/tags/ingress" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ingress</span></a> <a href="https://z2h.dev/tags/IngressController" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IngressController</span></a> <a href="https://z2h.dev/tags/infra" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infra</span></a></p>
Denis<p>This has come up here several times: I advise against the <a href="https://framapiaf.org/tags/IngressController" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IngressController</span></a> implementation with nginx from the official Kubernetes repo</p><p>🔽🔽🔽</p><p><a href="https://blog.zwindler.fr/2022/11/14/je-deconseille-nginx-ingresscontroller-en-production/" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.zwindler.fr/2022/11/14/je</span><span class="invisible">-deconseille-nginx-ingresscontroller-en-production/</span></a></p>