【documentation】 translate Security Vulnerability Advisory (#3248)

* fixes and improvements Signed-off-by: zhuxiujuan28 <562873187@qq.com> * update 4.1.3 Signed-off-by: zhuxiujuan28 <562873187@qq.com> * add Vulnerability Advisory Signed-off-by: zhuxiujuan28 <562873187@qq.com> * add Vulnerability Advisory Signed-off-by: zhuxiujuan28 <562873187@qq.com> * translate Vulnerability Advisory Signed-off-by: zhuxiujuan28 <562873187@qq.com> * translate Vulnerability Advisory Signed-off-by: zhuxiujuan28 <562873187@qq.com> --------- Signed-off-by: zhuxiujuan28 <562873187@qq.com>
2025-12-26 00:12:48 +00:00 · 2025-04-07 11:26:24 +08:00 · 2025-04-07 11:26:24 +08:00 · 970a028532
parent ce68cd57be
commit 970a028532
1 changed files with 336 additions and 0 deletions
--- a/content/en/docs/v4.1/21-security/02-vulnerability-advisory.adoc
+++ b/content/en/docs/v4.1/21-security/02-vulnerability-advisory.adoc
@ -0,0 +1,336 @@
+---
+title: "KubeSphere Gateway (Ingress-Nginx) Security Vulnerability Advisory"
+linkTitle: "KubeSphere Gateway Security Advisory"
+keywords: "Kubernetes, KubeSphere, security vulnerability, advisory"
+description: "KubeSphere security vulnerability advisory."
+weight: 02
+---
+
+== Vulnerability Overview
+
+**Affected Versions**
+
+- KubeSphere & KubeSphere Enterprise v3.x versions
+- KubeSphere & KubeSphere Enterprise v4.1.x versions
+
+**Severity Level**: Critical
+
+**Vulnerability Types**: Privilege Escalation, Information Disclosure, Security Bypass, Directory Traversal
+
+**Vulnerability List:**
+
+[%header,cols="1a,1a,1a,3a,1a"]
+|===
+|CVE ID |Type |CVSS Score |Description |Details
+
+|CVE-2025-1097 |Configuration Injection |8.8 (High) |Malicious configuration injection via `auth-tls-match-cn` annotation leading to arbitrary code execution and information disclosure. |link:https://github.com/kubernetes/kubernetes/issues/131007[More]
+
+|CVE-2025-24514 |Configuration Injection |8.8 (High) |Malicious configuration injection via `auth-url` annotation leading to arbitrary code execution and information disclosure. |link:https://github.com/kubernetes/kubernetes/issues/131006[More]
+
+|CVE-2025-24513 |Directory Traversal |4.8 (Medium) |File path traversal in Admission Controller leading to denial of service and information disclosure. |link:https://github.com/kubernetes/kubernetes/issues/131005[More]
+
+|CVE-2025-1974 |Remote Code Execution |9.8 (Critical) |Unauthenticated RCE vulnerability with access to the pod network leading to complete cluster compromise. |link:https://github.com/kubernetes/kubernetes/issues/131009[More]
+
+|CVE-2025-1098 |Configuration Injection |8.8 (High) |Malicious configuration injection via `mirror-target` and `mirror-host` annotations leading to arbitrary code execution and information disclosure |link:https://github.com/kubernetes/kubernetes/issues/131008[More]
+|===
+
+== Impact Analysis
+
+These vulnerabilities primarily affect systems through:
+
+. **Code Execution Risk**: CVE-2025-1097, CVE-2025-24514, CVE-2025-1098 and CVE-2025-1974 may lead to arbitrary code execution in the context of the ingress-nginx controller.
+
+. **Information Disclosure**: By default, ingress-nginx controller can access Secrets across all namespaces, potentially exposing sensitive credentials.
+
+. **Unauthorized Access**: Particularly CVE-2025-1974 allows any attacker with access to the pod network can gain cluster control without authentication (CVSS 9.8 Critical).
+
+. **Mitigation Condition**: For CVE-2025-24514, systems with the `enable-annotation-validation` argument enabled (enabled by default since ingress-nginx v1.12.0) are not vulnerable.
+
+== Am I vulnerable?
+
+Take the following steps to check if your system is affected.
+
+. Check if `ingress-nginx` have been installed.
+
+--
+[source,bash]
+----
+kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
+----
+
+If the command returns results, it indicates you are using ingress-nginx.
+--
+
+. Check the version of the installed `ingress-nginx`.
+
+--
+[source,bash]
+----
+kubectl exec -it -n ingress-nginx deploy/ingress-nginx-controller -- /nginx-ingress-controller --version
+----
+
+**Affected Versions:**
+
+- < v1.11.0
+- v1.11.0 - v1.11.4
+- v1.12.0
+
+[.admon.attention,cols="a"]
+|===
+|Important
+
+|If using affected versions, immediately apply solutions or mitigations from this document.
+|===
+--
+
+== Solutions
+
+=== 1. Upgrade Ingress-Nginx (Recommended by nginx community)
+
+Upgrade `ingress-nginx` to these secure versions:
+
+- v1.11.5
+- v1.12.1
+- or later
+
+=== 2. Upgrade KubeSphere Gateway 
+
+For KubeSphere and KubeSphere Enterprise v4.1.3, upgrade KubeSphere Gateway to v1.0.4 (ingress-nginx controller v1.12.1).
+
+For their older versions, upgrade them to v4.1.3 first.
+
+// Upgrade Reference: https://cwiki.yunify.com/pages/viewpage.action?pageId=224896073
+
+=== 3. Temporary Mitigation Measures
+
+If immediate upgrade is not possible, the following temporary mitigation measures can be implemented.
+
+==== CVE-2025-1097 Mitigation
+
+Check and remove all `auth-tls-match-cn` annotations from Ingress resources.
+
+. Check annotations:
+
+[source,bash]
+----
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn'
+----
+
+. Remove annotations:
+
+[source,bash]
+----
+kubectl annotate ingress -n <namespace-name> <Ingress-name> nginx.ingress.kubernetes.io/auth-tls-match-cn-
+----
+
+==== CVE-2025-24514 Mitigation
+
+- Check and remove all `auth-url` annotations from Ingress resources:
+
+--
+. Check annotations:
+
+[source,bash]
+----
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url'
+----
+
+. Remove annotations:
+
+[source,bash]
+----
+kubectl annotate ingress -n <namespace-name> <Ingress-name> nginx.ingress.kubernetes.io/auth-url-
+----
+--
+
+- Alternatively, enable the `enable-annotation-validation` parameter (enabled by default since v1.12.0, but needs manual configuration in earlier versions):
+
+--
+. Check if annotation validation is enabled:
+
+[source,bash]
+----
+kubectl get deployment -n ingress-nginx ingress-nginx-controller -o yaml | grep enable-annotation-validation
+----
+
+. If not enabled, edit the deployment to add the parameter `--enable-annotation-validation=true`. The ingress-nginx controller will restart automatically after saving:
+
+[source,bash]
+----
+kubectl edit deployment -n ingress-nginx ingress-nginx-controller
+----
+--
+
+==== CVE-2025-24513 and CVE-2025-1974 Mitigation
+
+KubeSphere gateway does not enable Admission Controller by default. Use the following methods to check if your gateway has Admission Controller enabled.
+
+. Check all gateway releases:
+
+[source,bash]
+----
+helm list -n A | grep kubesphere-router
+----
+
+. Check if Admission Controller is enabled in all releases:
+
+--
+[source,bash]
+----
+helm get values [RELEASE_NAME] -n [RELEASE_NAMESPACE]
+----
+If `controller.admissionWebhooks.enabled` is true, contact KubeSphere Security Team immediately for resolution.
+--
+
+. If you installed `ingress-nginx` separately and `controller.admissionWebhooks.enabled` is true, use the following methods to check and disable Admission Controller:
+
+====
+[.admon.attention,cols="a"]
+|===
+|Note
+
+|This is only a temporary mitigation measure. If you have upgraded to secure versions: v1.11.5 or v1.12.1, disabling Admission Controller is unnecessary.
+|===
+
+* If `ingress-nginx` is installed using Helm, reinstall it with admission webhook disabled:
+
+[source,bash]
+----
+helm upgrade [RELEASE_NAME] ingress-nginx/ingress-nginx \
+  --set controller.admissionWebhooks.enabled=false \
+  -n ingress-nginx
+----
+
+* If `ingress-nginx` is installed manually:
+
+--
+* Method 1: Delete `ValidatingWebhookConfiguration`:
+
+[source,bash]
+----
+kubectl delete validatingwebhookconfigurations ingress-nginx-admission
+----
+
+* Method 2: Edit Deployment or DaemonSet and remove `--validating-webhook` related lines in `spec.containers.args` section:
+
+[source,bash]
+----
+kubectl edit deployment -n ingress-nginx ingress-nginx-controller
+----
+
+[source,yaml]
+----
+        - --validating-webhook=:8443
+        - --validating-webhook-certificate=/usr/local/certificates/cert
+        - --validating-webhook-key=/usr/local/certificates/key
+----
+--
+
+[.admon.warning,cols="a"]
+|===
+|Important
+
+|Upgrading to secure versions (v1.11.5, v1.12.1 or later) is the complete solution for all vulnerabilities. Disabling Admission Controller is only a temporary measure when immediate upgrade is not possible. After upgrading, keep Admission Controller enabled to ensure normal functionality.
+|===
+====
+
+==== CVE-2025-1098 Mitigation Measures
+
+Check and remove all `mirror-target` and `mirror-host` annotations from Ingress resources.
+
+. Check annotations:
+
+[source,bash]
+----
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host'
+----
+
+. Remove annotations:
+
+[source,bash]
+----
+kubectl annotate ingress -n <namespace-name> <Ingress-name> nginx.ingress.kubernetes.io/mirror-target-
+kubectl annotate ingress -n <namespace-name> <Ingress-name> nginx.ingress.kubernetes.io/mirror-host-
+----
+
+== Detection Methods
+
+Use the following commands to check for potentially exploited configurations or suspicious activities:
+
+. Check for potentially malicious `auth-tls-match-cn` annotations (CVE-2025-1097):
+
+--
+[source,bash]
+----
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn'
+----
+
+Inspect the results for suspicious content, paying special attention to annotation values containing special characters like `#`, `}}`, or newlines.
+--
+
+. Check for potentially malicious `auth-url` annotations (CVE-2025-24514):
+
+--
+[source,bash]
+----
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url'
+----
+
+Inspect the results for suspicious content, paying special attention to URLs containing `#`, `;` or newlines.
+--
+
+. Check if Admission Controller is enabled (related to CVE-2025-24513 and CVE-2025-1974):
+
+--
+[source,bash]
+----
+kubectl get validatingwebhookconfigurations -l app.kubernetes.io/name=ingress-nginx
+----
+
+If results are returned, it indicates Admission Controller is enabled and may be vulnerable to attacks.
+--
+
+. Check for potentially malicious `mirror-target` or `mirror-host` annotations (CVE-2025-1098):
+
+--
+[source,bash]
+----
+kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host'
+----
+
+Inspect the results for suspicious content.
+--
+
+. Check pod logs for suspicious activities:
+
+[source,bash]
+----
+kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=1000 | grep -E "error|warn|critical|suspicious|unauthorized"
+----
+
+If suspicious configurations or activities are found, immediately isolate affected resources and contact the KubeSphere Security Team for further analysis.
+
+== Best Security Practices
+
+- Implement strict gateway access controls
+- Configure gateway routing isolation policies
+- Enable TLS
+- Restrict Ingress resource access permissions
+- Enable audit log monitoring
+- Implement RBAC following the principle of least privilege
+- Regularly inspect and upgrade the ingress-nginx controller
+- Ensure Admission Controller is not externally exposed
+- Implement network policies to restrict Pod-to-Pod communication
+
+== Technical Support
+
+If evidence of vulnerability exploitation is found or technical support is needed, please contact:
+
+- KubeSphere Security Team: security@kubesphere.io
+- GitHub Issues: link:https://github.com/kubesphere/kubesphere/issues[]
+
+== References
+
+- link:https://kubernetes.github.io/ingress-nginx/deploy/upgrade/[Upgrading Ingress-Nginx]
+- link:https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities[Wiz Research: IngressNightmare Vulnerability Analysis]
+- link:https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/[Kubernetes Blog: CVE-2025-1974 Introduction]