Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets

Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters. The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear …

  1. sten2012

    I would say they all point to a different issue: kubernetes being an overly customisable mishmash of various huge technologies with very little guidance on how to do it right and too much attack surface to be reliably pentested. On top of all this not much thought/protections given on how different settings and configurations interact.

    So many vulnerabilities seem to revolve around "this setting with that container runtime" or "this setting with that specific proxy choice", but nobody knows until someone manages to put in some serious research against that specific configuration.

    End rant - despite this I don't hate k8s, but it does seem a recurring theme to me.

    1. sten2012

      Oh. Sorry. Too late to edit but I guess my rant isn't over:

      Devsecops hardcore evangelists who think all security testing should be fully automated vulnscans and audit tools to sit in the pipelines - so kick off about any manual pentesting against their precious clusters despite the aforementioned issues.

      And - and - and same types being shocked and surprised that actually manual white box testing on kubernetes is actually longer and more complicated to set up and perform than the equivalent application running on a VM (where you'd check mainly the app and OS) somewhere because of all these additional abstraction layers.

      Now rant is over, I promise.

      1. Blade9983

        Yeah DevSecOps is mashing together what used to be three then two independent teams onto a single team.

        Theoretically it should be the same number of people in one team as the three previous.

        But how many companies do we actually know that don't use it as a way to save money by firing a few people?

        1. sten2012

          Even if they did, most companies lean so heavily on consultancies for pentesting specifically (seemingly contrary to other information assurance roles) that I don't see how that can ever scale in this market. The retainer doesn't seem practical in the UK at least (can't speak for the US market) to really, honestly work that way. It's a nice ideal. But unlike development and operations, the resources were never sufficiently staffed internally in the first place - friction and handover aren't the fundamental underlying issue here.

          That's without firing anyone, even in the best case scenarios.

          Possibly that's why the evangelists get so rabid though?

          But yes, I completely agree with you. Ignore if you weren't looking for a response.

  2. F5MegaZone

    Small correction - the article states the CVEs affect "NGINX Ingress Controller for Kubernetes". That's a product from NGINX: https://docs.nginx.com/nginx-ingress-controller/intro/overview/ - and that is not affected.

    The CVEs are actually for "Ingress NGINX Controller for Kubernetes": https://kubernetes.github.io/ingress-nginx/. A very similarly named, but completely different, open source project.
