A high-severity vulnerability has been identified in the NGINX Ingress Controller, a critical component for managing external access to services in Kubernetes environments. Successful exploitation could allow an unauthenticated, remote attacker to bypass security controls, potentially leading to unauthorized access to sensitive backend applications, information disclosure, or a denial-of-service condition. Due to the component's critical role and the vulnerability's high severity rating, immediate remediation is strongly advised.

This vulnerability stems from improper input validation within the NGINX Ingress Controller when processing specific annotations in Ingress objects. An attacker with permissions to create or modify Ingress resources within a Kubernetes cluster can craft a malicious annotation value. When the controller processes this annotation to generate its NGINX configuration, the malicious value can lead to a configuration injection, allowing the attacker to insert arbitrary directives into the nginx.conf file. This could be used to bypass security rules, rewrite traffic paths to expose internal services, or exfiltrate sensitive data such as service account tokens.

This vulnerability is rated as High severity with a CVSS score of 8.3. Exploitation could have a significant business impact by undermining the security perimeter of a Kubernetes cluster. Potential consequences include the breach of sensitive customer or corporate data from backend applications, service disruption for all applications managed by the compromised Ingress Controller, and reputational damage. An attacker could potentially leverage this access to move laterally within the network, escalating the incident from a single component compromise to a broader network intrusion.

Immediate Action: Apply the security updates provided by the vendor immediately to all affected NGINX Ingress Controller instances. Prioritize patching for internet-facing controllers. After patching, it is crucial to monitor system logs for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring: Security teams should actively monitor for signs of exploitation. Review NGINX access and error logs for unusual requests, unexpected 5xx error codes, or malformed URIs. Monitor Kubernetes audit logs for recent, unexpected, or suspicious modifications to Ingress objects, particularly changes to annotations. Monitor for anomalous outbound network traffic originating from the NGINX Ingress Controller pods.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Use a Kubernetes admission controller (e.g., OPA Gatekeeper, Kyverno) to create policies that restrict or validate the values used in Ingress annotations.
• Strictly limit RBAC permissions for creating and modifying Ingress objects to only highly trusted administrators.
• Deploy a Web Application Firewall (WAF) in front of the Ingress Controller to inspect and block malicious traffic patterns.

Public Exploit Available: false

Given the high CVSS score of 8.3 and the critical function of the NGINX Ingress Controller as a network gateway, this vulnerability poses a significant risk to the organization. All teams responsible for Kubernetes infrastructure must prioritize the immediate application of vendor-supplied security updates. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity warrants urgent attention. If patching cannot be performed immediately, the compensating controls outlined above should be implemented as a temporary mitigation.