this post was submitted on 25 Mar 2025
20 points (100.0% liked)

Cybersecurity

6832 readers
19 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago
MODERATORS
[email protected]
[email protected]
20
Public-facing Kubernetes clusters at risk of total takeover (go.theregister.com)
submitted 3 days ago by [email protected] to c/[email protected]
7 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 3 days ago

The good news is that Wiz disclosed this mess to the developers overseeing Kubernetes in December 2024 and January 2025, and that fixes for five CVEs – collectively dubbed IngressNightmare by Wiz – were issued on March 10, with the details under embargo until now.

Nginx Controller version 1.12.1 and 1.11.5 fix the flaws – and they are available to download at this link.

Quick reference to find out what version ingress-nginx you're running:

$ kubectl exec -it -n NAMESPACE INGRESS_NGINX_CONTROLLER_POD -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.11.2
  Build:         46e76e5916813cfca2a9b0bfdc34b69a0000f6b9
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5

-------------------------------------------------------------------------------

🙁