diff --git a/content/en/docs/v4.1/21-security/02-vulnerability-advisory.adoc b/content/en/docs/v4.1/21-security/02-vulnerability-advisory.adoc new file mode 100644 index 000000000..d33c2df33 --- /dev/null +++ b/content/en/docs/v4.1/21-security/02-vulnerability-advisory.adoc 
@@ -0,0 +1,336 @@ +--- +title: "KubeSphere Gateway (Ingress-Nginx) Security Vulnerability Advisory" +linkTitle: "KubeSphere Gateway Security Advisory" +keywords: "Kubernetes, KubeSphere, security vulnerability, advisory" +description: "KubeSphere security vulnerability advisory." +weight: 02 +--- + +== Vulnerability Overview + +**Affected Versions** + +- KubeSphere & KubeSphere Enterprise v3.x versions +- KubeSphere & KubeSphere Enterprise v4.1.x versions + +**Severity Level**: Critical + +**Vulnerability Types**: Privilege Escalation, Information Disclosure, Security Bypass, Directory Traversal + +**Vulnerability List:** + +[%header,cols="1a,1a,1a,3a,1a"] +|=== +|CVE ID |Type |CVSS Score |Description |Details + +|CVE-2025-1097 |Configuration Injection |8.8 (High) |Malicious configuration injection via `auth-tls-match-cn` annotation leading to arbitrary code execution and information disclosure. |link:https://github.com/kubernetes/kubernetes/issues/131007[More] + +|CVE-2025-24514 |Configuration Injection |8.8 (High) |Malicious configuration injection via `auth-url` annotation leading to arbitrary code execution and information disclosure. |link:https://github.com/kubernetes/kubernetes/issues/131006[More] + +|CVE-2025-24513 |Directory Traversal |4.8 (Medium) |File path traversal in Admission Controller leading to denial of service and information disclosure. |link:https://github.com/kubernetes/kubernetes/issues/131005[More] + +|CVE-2025-1974 |Remote Code Execution |9.8 (Critical) |Unauthenticated RCE vulnerability with access to the pod network leading to complete cluster compromise. 
|link:https://github.com/kubernetes/kubernetes/issues/131009[More] + +|CVE-2025-1098 |Configuration Injection |8.8 (High) |Malicious configuration injection via `mirror-target` and `mirror-host` annotations leading to arbitrary code execution and information disclosure |link:https://github.com/kubernetes/kubernetes/issues/131008[More] +|=== + +== Impact Analysis + +These vulnerabilities primarily affect systems through: + +. **Code Execution Risk**: CVE-2025-1097, CVE-2025-24514, CVE-2025-1098 and CVE-2025-1974 may lead to arbitrary code execution in the context of the ingress-nginx controller. + +. **Information Disclosure**: By default, ingress-nginx controller can access Secrets across all namespaces, potentially exposing sensitive credentials. + +. **Unauthorized Access**: Particularly CVE-2025-1974 allows any attacker with access to the pod network can gain cluster control without authentication (CVSS 9.8 Critical). + +. **Mitigation Condition**: For CVE-2025-24514, systems with the `enable-annotation-validation` argument enabled (enabled by default since ingress-nginx v1.12.0) are not vulnerable. + +== Am I vulnerable? + +Take the following steps to check if your system is affected. + +. Check if `ingress-nginx` have been installed. ++ +-- +[source,bash] +---- +kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx +---- + +If the command returns results, it indicates you are using ingress-nginx. +-- + +. Check the version of the installed `ingress-nginx`. ++ +-- +[source,bash] +---- +kubectl exec -it -n ingress-nginx deploy/ingress-nginx-controller -- /nginx-ingress-controller --version +---- + +**Affected Versions:** + +- < v1.11.0 +- v1.11.0 - v1.11.4 +- v1.12.0 + +[.admon.attention,cols="a"] +|=== +|Important + +|If using affected versions, immediately apply solutions or mitigations from this document. +|=== +-- + +== Solutions + +=== 1. 
Upgrade Ingress-Nginx (Recommended by nginx community) + +Upgrade `ingress-nginx` to these secure versions: + +- v1.11.5 +- v1.12.1 +- or later + +=== 2. Upgrade KubeSphere Gateway + +For KubeSphere and KubeSphere Enterprise v4.1.3, upgrade KubeSphere Gateway to v1.0.4 (ingress-nginx controller v1.12.1). + +For their older versions, upgrade them to v4.1.3 first. + +// Upgrade Reference: https://cwiki.yunify.com/pages/viewpage.action?pageId=224896073 + +=== 3. Temporary Mitigation Measures + +If immediate upgrade is not possible, the following temporary mitigation measures can be implemented. + +==== CVE-2025-1097 Mitigation + +Check and remove all `auth-tls-match-cn` annotations from Ingress resources. + +. Check annotations: ++ +[source,bash] +---- +kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn' +---- + +. Remove annotations: ++ +[source,bash] +---- +kubectl annotate ingress -n nginx.ingress.kubernetes.io/auth-tls-match-cn- +---- + +==== CVE-2025-24514 Mitigation + +- Check and remove all `auth-url` annotations from Ingress resources: ++ +-- +. Check annotations: ++ +[source,bash] +---- +kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url' +---- + +. Remove annotations: ++ +[source,bash] +---- +kubectl annotate ingress -n nginx.ingress.kubernetes.io/auth-url- +---- +-- + +- Alternatively, enable the `enable-annotation-validation` parameter (enabled by default since v1.12.0, but needs manual configuration in earlier versions): ++ +-- +. Check if annotation validation is enabled: ++ +[source,bash] +---- +kubectl get deployment -n ingress-nginx ingress-nginx-controller -o yaml | grep enable-annotation-validation +---- + +. If not enabled, edit the deployment to add the parameter `--enable-annotation-validation=true`. 
The ingress-nginx controller will restart automatically after saving: ++ +[source,bash] +---- +kubectl edit deployment -n ingress-nginx ingress-nginx-controller +---- +-- + +==== CVE-2025-24513 and CVE-2025-1974 Mitigation + +KubeSphere gateway does not enable Admission Controller by default. Use the following methods to check if your gateway has Admission Controller enabled. + +. Check all gateway releases: ++ +[source,bash] +---- +helm list -n A | grep kubesphere-router +---- + +. Check if Admission Controller is enabled in all releases: ++ +-- +[source,bash] +---- +helm get values [RELEASE_NAME] -n [RELEASE_NAMESPACE] +---- +If `controller.admissionWebhooks.enabled` is true, contact KubeSphere Security Team immediately for resolution. +-- + +. If you installed `ingress-nginx` separately and `controller.admissionWebhooks.enabled` is true, use the following methods to check and disable Admission Controller: ++ +==== +[.admon.attention,cols="a"] +|=== +|Note + +|This is only a temporary mitigation measure. If you have upgraded to secure versions: v1.11.5 or v1.12.1, disabling Admission Controller is unnecessary. 
+|=== + +* If `ingress-nginx` is installed using Helm, reinstall it with admission webhook disabled: ++ +[source,bash] +---- +helm upgrade [RELEASE_NAME] ingress-nginx/ingress-nginx \ + --set controller.admissionWebhooks.enabled=false \ + -n ingress-nginx +---- + +* If `ingress-nginx` is installed manually: ++ +-- +* Method 1: Delete `ValidatingWebhookConfiguration`: ++ +[source,bash] +---- +kubectl delete validatingwebhookconfigurations ingress-nginx-admission +---- + +* Method 2: Edit Deployment or DaemonSet and remove `--validating-webhook` related lines in `spec.containers.args` section: ++ +[source,bash] +---- +kubectl edit deployment -n ingress-nginx ingress-nginx-controller +---- ++ +[source,yaml] +---- + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key +---- +-- + +[.admon.warning,cols="a"] +|=== +|Important + +|Upgrading to secure versions (v1.11.5, v1.12.1 or later) is the complete solution for all vulnerabilities. Disabling Admission Controller is only a temporary measure when immediate upgrade is not possible. After upgrading, keep Admission Controller enabled to ensure normal functionality. +|=== +==== + +==== CVE-2025-1098 Mitigation Measures + +Check and remove all `mirror-target` and `mirror-host` annotations from Ingress resources. + +. Check annotations: ++ +[source,bash] +---- +kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host' +---- + +. 
Remove annotations: ++ +[source,bash] +---- +kubectl annotate ingress -n nginx.ingress.kubernetes.io/mirror-target- +kubectl annotate ingress -n nginx.ingress.kubernetes.io/mirror-host- +---- + +== Detection Methods + +Use the following commands to check for potentially exploited configurations or suspicious activities: + +. Check for potentially malicious `auth-tls-match-cn` annotations (CVE-2025-1097): ++ +-- +[source,bash] +---- +kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn' +---- + +Inspect the results for suspicious content, paying special attention to annotation values containing special characters like `#`, `}}`, or newlines. +-- + +. Check for potentially malicious `auth-url` annotations (CVE-2025-24514): ++ +-- +[source,bash] +---- +kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url' +---- + +Inspect the results for suspicious content, paying special attention to URLs containing `#`, `;` or newlines. +-- + +. Check if Admission Controller is enabled (related to CVE-2025-24513 and CVE-2025-1974): ++ +-- +[source,bash] +---- +kubectl get validatingwebhookconfigurations -l app.kubernetes.io/name=ingress-nginx +---- + +If results are returned, it indicates Admission Controller is enabled and may be vulnerable to attacks. +-- + +. Check for potentially malicious `mirror-target` or `mirror-host` annotations (CVE-2025-1098): ++ +-- +[source,bash] +---- +kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host' +---- + +Inspect the results for suspicious content. +-- + +. 
Check pod logs for suspicious activities: ++ +[source,bash] +---- +kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=1000 | grep -E "error|warn|critical|suspicious|unauthorized" +---- + +If suspicious configurations or activities are found, immediately isolate affected resources and contact the KubeSphere Security Team for further analysis. + +== Best Security Practices + +- Implement strict gateway access controls +- Configure gateway routing isolation policies +- Enable TLS +- Restrict Ingress resource access permissions +- Enable audit log monitoring +- Implement RBAC following the principle of least privilege +- Regularly inspect and upgrade the ingress-nginx controller +- Ensure Admission Controller is not externally exposed +- Implement network policies to restrict Pod-to-Pod communication + +== Technical Support + +If evidence of vulnerability exploitation is found or technical support is needed, please contact: + +- KubeSphere Security Team: security@kubesphere.io +- GitHub Issues: link:https://github.com/kubesphere/kubesphere/issues[] + +== References + +- link:https://kubernetes.github.io/ingress-nginx/deploy/upgrade/[Upgrading Ingress-Nginx] +- link:https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities[Wiz Research: IngressNightmare Vulnerability Analysis] +- link:https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/[Kubernetes Blog: CVE-2025-1974 Introduction]
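Review bot: the annotation-removal commands under the CVE-2025-1097, CVE-2025-24514 and CVE-2025-1098 mitigations are missing both the Ingress name and the namespace value, so as written `-n` consumes the annotation key as the namespace and kubectl exits with an error instead of removing anything. Suggest the same `[PLACEHOLDER]` convention the Helm commands already use, e.g. `kubectl annotate ingress [INGRESS_NAME] -n [NAMESPACE] nginx.ingress.kubernetes.io/auth-tls-match-cn-` (and likewise for `auth-url`, `mirror-target` and `mirror-host`). One sentence should also say what the operator gives up: removing `auth-tls-match-cn` drops the client-certificate CN check and removing `auth-url` drops external authentication for that Ingress, so those routes are ungated until the controller is upgraded.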
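Review bot: `helm list -n A | grep kubesphere-router` under "Check all gateway releases" lists releases in a namespace literally named `A`; the flag should be `-A` (`--all-namespaces`): `helm list -A | grep kubesphere-router`. In the next step, `helm get values [RELEASE_NAME] -n [RELEASE_NAMESPACE]` prints only user-supplied values, so a release whose `controller.admissionWebhooks.enabled` was never set shows no such key and the reader cannot tell whether the chart default applies; either add `--all` to print the effective value, or state explicitly that an absent key means the KubeSphere gateway default (disabled) is in effect.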
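Review bot: step 2 of "Am I vulnerable?" hardcodes `-n ingress-nginx deploy/ingress-nginx-controller`, which only matches a stand-alone ingress-nginx install; step 1 deliberately searches all namespaces with `--selector app.kubernetes.io/name=ingress-nginx`, and KubeSphere gateway releases are named `kubesphere-router-*` per the Helm check later in the document, so gateway users will get "not found" here. Suggest running the version command against each pod returned by step 1 (namespace and pod name taken from that output) rather than a fixed deployment. The affected-version list in the same step (`< v1.11.0`, `v1.11.0 - v1.11.4`, `v1.12.0`) is also simpler and less error-prone as "all versions below v1.11.5, and v1.12.0", which matches the fixed versions named in Solutions.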
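Review bot: `helm upgrade [RELEASE_NAME] ingress-nginx/ingress-nginx --set controller.admissionWebhooks.enabled=false -n ingress-nginx` under "If ingress-nginx is installed using Helm" resets every other value to chart defaults and moves the release to the latest chart, because `helm upgrade` without `--reuse-values` (or the original `-f values.yaml`) does not carry existing values forward. Suggest adding `--reuse-values` and pinning `--version` to the currently installed chart version so the step only toggles the webhook, and rewording "reinstall it" to "upgrade the release in place", which is what the command does. Note also that `-n ingress-nginx` should be `-n [RELEASE_NAMESPACE]` for consistency with the `helm get values` step.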
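Review bot: the commented-out line `// Upgrade Reference: https://cwiki.yunify.com/pages/viewpage.action?pageId=224896073` after "Upgrade KubeSphere Gateway" leaks an internal wiki URL into a public docs repository and is unreachable for readers; remove it before merge or replace it with the public upgrade guide already listed under References (`link:https://kubernetes.github.io/ingress-nginx/deploy/upgrade/[Upgrading Ingress-Nginx]`). In the same section, the heading "Upgrade Ingress-Nginx (Recommended by nginx community)" should credit the ingress-nginx project (the Kubernetes SIG, whose blog post this document cites), not the NGINX community, which is a different project.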
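Review bot: the log check under Detection Methods, `kubectl logs ... --tail=1000 | grep -E "error|warn|critical|suspicious|unauthorized"`, is case-sensitive and so misses capitalised log levels, and the word "suspicious" is not something the controller writes, which makes the step promise more than it delivers; suggest `grep -iE` and narrowing the intent to what these CVEs actually leave in the controller log, namely nginx configuration validation and reload errors triggered by an Ingress annotation change. `--tail=1000` also bounds the window to the most recent lines of the current container, so the text should tell readers to check previous containers (`--previous`) or their central log store if the controller has restarted. Separately, in Impact Analysis item 3, "allows any attacker with access to the pod network can gain cluster control" should read "allows any attacker with access to the pod network to gain cluster control".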