CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044
This document (000021265) is provided subject to the disclaimer at the end of this document.
Environment
As of writing this KB article, three CVEs were made public on October 25th, 2023, in Nginx ingress: CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044. Here at SUSE Rancher, we are deeply committed to safeguarding the security of our products and endeavor to resolve security issues in a timely manner.
Please note that if you do not run a multi-tenant environment(s) and do not allow non-privileged users to create/edit Ingress objects, then you are likely to be safe (unless other unknown attack vectors exist outside those mentioned in the public upstream advisories).
Resolution
Mentioned in the upstream Kubernetes GitHub issues, to address CVE-2023-5043 and CVE-2023-5044:
These CVEs affect versions v1.9.0 and lower
- Ingress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.
In regards to CVE-2022-4886:
This CVE affects versions v1.8.0 and lower
- Ingress objects contain a field called pathType that defines the proxy behavior. It can be Exact, Prefix, and ImplementationSpecific.
- When pathType is configured as Exact or Prefix, there is more strict validation, allowing only paths starting with "/" and containing only alphanumeric characters and "-", "_" and additional "/".
- When this option is enabled, the validation happens in the Admission Webhook, denying creation of any Ingress containing invalid characters (unless pathType is ImplementationSpecific).
- https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type
- Ingress Admins should enable this validation by default. If you still need to allow implementation specific paths due to the usage of features like Regex/rewrite on path, we recommend implementing countermeasures to allow just trusted users to consume this feature, as an example with OPA: https://kubernetes.github.io/ingress-nginx/examples/openpolicyagent/
For RKE2 users, images have been released to address CVE-2023-5043 and CVE-2023-5044 and can be found in the following versions:
- >= v1.25.15+rke2r1
- >= v1.26.10+rke2r1
- >= v1.27.7+rke2r1
- >= v1.28.3+rke2r1
For RKE users, images have been released to address CVE-2023-5043 and CVE-2023-5044 with the updated nginx-ingress 1.9.4 patch** in versions:
- >=v1.5.1 -
v1.27.8-rancher2-1(Default)v1.26.11-rancher2-1v1.25.16-rancher2-1 - >=v1.4.12 -
v1.26.11-rancher2-1(Default)v1.25.16-rancher2-1
** Even with the new patched version, you will still need to add the "--enable-annotation-validation" flag manually.
** If you are using RKE version 1.4.12 and Kubernetes 1.23 or 1.24, please note that the patched nginx-ingress version will NOT apply to you as upstream mentions support starting at Kubernetes version 1.25+. Please review this table for more information:
- https://github.com/kubernetes/ingress-nginx#supported-versions-table
Additional Information
For more information about our security policy and posted advisories, please check out our security section in the rancher/rancher GitHub repo:
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021265
- Creation Date: 03-Nov-2023
- Modified Date:22-Dec-2023
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
