Public-facing Kubernetes clusters at risk of total takeover (go.theregister.com)
from PhilipTheBucket@ponder.cat to cybersecurity@sh.itjust.works on 25 Mar 03:50
https://ponder.cat/post/2114446

#cybersecurity

mutual_ayed@sh.itjust.works on 25 Mar 04:11

Use watchtower folks if you’re self hosting. containrrr.dev/watchtower/

nick@midwest.social on 25 Mar 09:37

That’s docker, not kubernetes.

mutual_ayed@sh.itjust.works on 25 Mar 10:40

drkt_@lemmy.dbzer0.com on 25 Mar 04:15

I’ve found a few exposed /metrics for kubernetes stuff because their IP poked my honeypot. I’d assume they’ve been hacked and turned into a botnet or something.

Goun@lemmy.ml on 25 Mar 04:30

[…] a specially-crafted Ingress object can cause nginx to misbehave in various ways, including revealing the values of Secrets that are accessible to ingress-nginx. By default, ingress-nginx has access to all Secrets cluster-wide, […]

Holy crap, what if I’m gonna be home for a couple of days?

intelisense@lemm.ee on 25 Mar 05:42

Yeah, whatever you were planning on doing, you’re doing this instead.

treadful@lemmy.zip on 25 Mar 06:02

The good news is that Wiz disclosed this mess to the developers overseeing Kubernetes in December 2024 and January 2025, and that fixes for five CVEs – collectively dubbed IngressNightmare by Wiz – were issued on March 10, with the details under embargo until now.

Nginx Controller versions 1.12.1 and 1.11.5 fix the flaws – and they are available to download at this link.

Quick reference to find out what version ingress-nginx you’re running:

$ kubectl exec -it -n NAMESPACE INGRESS_NGINX_CONTROLLER_POD -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.11.2
  Build:         46e76e5916813cfca2a9b0bfdc34b69a0000f6b9
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5

-------------------------------------------------------------------------------

🙁
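The version check above is easy to do by hand for one cluster but tedious across many. The script below is an added example, not code from the thread or from the ingress-nginx project: it parses the `Release:` line of the controller's `--version` banner and compares it against the fixed releases named in the post (1.11.5 for the 1.11 line, 1.12.1 for the 1.12 line). It assumes that anything below those two releases, including older minor lines that got no fix, should be reported as needing an upgrade; the `kubectl` invocation (when namespace and pod name are passed as arguments) and the sample banner are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or ingress-nginx): classify an ingress-nginx
# release as patched or not against the IngressNightmare fixes the post names,
# v1.11.5 and v1.12.1. Anything below those, including 1.10 and earlier,
# is reported as needing an upgrade (assumption based on the post).

# Constructed sample of the --version banner, shaped like the one in the post.
SAMPLE_BANNER='NGINX Ingress controller
  Release:       v1.11.2
  Build:         0000000 (constructed sample)
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5'

# Print the X.Y.Z from the "Release: vX.Y.Z" line of a banner passed as $1.
extract_release() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*Release:[[:space:]]*v\{0,1\}\([0-9][0-9.]*\).*/\1/p' \
    | head -n 1
}

# Exit 0 if version $1 (e.g. 1.11.2) is at or above the fixed release for its
# minor line, 1 otherwise. Unknown or malformed input counts as not patched.
ingress_nginx_patched() {
  ver=$1
  case "$ver" in
    [0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}   # drop any suffix such as -rc1
  [ "$major" -eq 1 ] || return 1
  case "$minor" in
    11) [ "$patch" -ge 5 ] ;;   # fixed in 1.11.5
    12) [ "$patch" -ge 1 ] ;;   # fixed in 1.12.1
    *)  [ "$minor" -gt 12 ] ;;  # later lines ship with the fix; earlier do not
  esac
}

# Human-readable verdict for a banner passed as $1.
check_banner() {
  v=$(extract_release "$1")
  if ingress_nginx_patched "$v"; then
    echo "ingress-nginx $v: patched"
  else
    echo "ingress-nginx ${v:-unknown}: vulnerable, upgrade to 1.11.5 or 1.12.1"
  fi
}

# Usage: ./check.sh NAMESPACE CONTROLLER_POD  (queries the live pod via kubectl)
#        ./check.sh                           (checks the constructed sample)
if [ "$#" -eq 2 ]; then
  banner=$(kubectl exec -n "$1" "$2" -- /nginx-ingress-controller --version 2>&1)
else
  banner=$SAMPLE_BANNER
fi
check_banner "$banner"
```

Run it with no arguments to see the sample verdict, or pass the namespace and controller pod name to check a real cluster; looping it over the output of `kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx` covers every controller in a cluster at once.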