drkt_@lemmy.dbzer0.com
on 25 Mar 04:15
I’ve found a few exposed /metrics for kubernetes stuff because their IP poked my honeypot. I’d assume they’ve been hacked and turned into a botnet or something.
[…] a specially-crafted Ingress object can cause nginx to misbehave in various ways, including revealing the values of Secrets that are accessible to ingress-nginx. By default, ingress-nginx has access to all Secrets cluster-wide, […]
Holy crap, what if I’m gonna be home for a couple of days?
The good news is that Wiz disclosed this mess to the developers overseeing Kubernetes in December 2024 and January 2025, and that fixes for five CVEs – collectively dubbed IngressNightmare by Wiz – were issued on March 10, with the details under embargo until now.
Nginx Controller version 1.12.1 and 1.11.5 fix the flaws – and they are available to download at this link.
Quick reference to find out what version ingress-nginx you’re running:
Use watchtower folks if you’re self hosting. containrrr.dev/watchtower/
That’s docker, not kubernetes.
You’re correct
github.com/k0rventen/k8s-watchtower
kubernetes.github.io/ingress-nginx/…/upgrade/
I’ve found a few exposed /metrics for kubernetes stuff because their IP poked my honeypot. I’d assume they’ve been hacked and turned into a botnet or something.
Holy crap, what if I’m gonna be home for a couple of days?
Yeah, whatever you were planning on doing, you’re doing this instead.
Quick reference to find out what version ingress-nginx you’re running:
🙁