SUSE Support

Here When You Need Us

CVE-2024-7646

This document (000021545) is provided subject to the disclaimer at the end of this document.

Environment

As of writing this KB article, one CVE was made public on August 16th, in Nginx ingress: CVE-2024-7646. Here at SUSE Rancher, we are deeply committed to safeguarding the security of our products and endeavor to resolve security issues in a timely manner.
 

Please note that if you do not run a multi-tenant environment(s) and do not allow non-privileged users to create/edit Ingress objects, then you are likely to be safe (unless other unknown attack vectors exist outside those mentioned in the public upstream advisories).


Situation

Mentioned in the upstream Kubernetes GitHub issues, to address CVE-2024-7646:
A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

This issue has been rated High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and assigned CVE-2024-7646.

This CVE effects versions:

  • ingress-nginx controller v1.11.2 and lower

  • ingress-nginx controller v1.10.4 and lower

Resolution

Mitigations:

  • This issue can be mitigated by upgrading to the fixed version.


For RKE2 users, images have been released to address CVE-2024-7646 and can be found in the following versions:
For RKE users, images will be released to address CVE-2024-7646 and can be found in the following versions:
  • Rancher 2.9 - RKE v1.6.2
  • Rancher 2.8 - RKE v1.5.13
  • Rancher 2.7 - RKE v1.4.22

At the time of writing this, the official KDM Release is being targeted for mid-September, and currently aiming to go out with 2.9.2. (Please note, this could be subject to change)

K8’s version that we tested and verified:
  • v1.30.4
  • v1.29.8
  • v1.28.13
Please note that this CVE does not affect K3s users
 

Additional Information

For more information about our security policy and posted advisories, please check out our security section in the rancher/rancher GitHub repo:

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021545
  • Creation Date: 02-Sep-2024
  • Modified Date:12-Sep-2024
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community
tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ
tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center