Security Vulnerabilities in Kubernetes NGINX Ingress Controller
Several security vulnerabilities affecting the Kubernetes nginx ingress controller were disclosed on March 24, 2025: CVE-2025-1098 (High), CVE-2025-1974 (Critical), CVE-2025-1097 (High), CVE-2025-24514 (High), and CVE-2025-24513 (Medium).
Am I vulnerable?
The CVEs impact ingress-nginx. (If you do not have ingress-nginx installed on your cluster, you are not affected.)
- You can check for ingress-nginx by running
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx.
Affected Versions
- < v1.11.0
- v1.11.0 - v1.11.4
- v1.12.0
Action Required
- If you are using the Managed NGINX ingress with the application routing add-on on AKS, the patches are getting rolled out to all regions and should be completed in a few days. No action is required.
- If you are running your own Kubernetes NGINX Ingress Controller, please review the CVEs and mitigate by updating to the latest patch versions (v1.11.5 and v1.12.1).
For additional details, please review Security Update
Fixed in the application routing add-on with https://github.com/Azure/aks-app-routing-operator/pull/403 and https://github.com/Azure/aks-app-routing-operator/pull/404.
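The check and upgrade steps above can be turned into a small inventory script. The following is an added example, not code from the AKS issue or the app-routing operator: it takes the `kubectl get pods --selector app.kubernetes.io/name=ingress-nginx` query from the issue, lists the controller container images, and classifies each image tag against the affected ranges the issue gives (< v1.11.0, v1.11.0 to v1.11.4, v1.12.0; fixed in v1.11.5 and v1.12.1). The jsonpath expression, the treatment of any major version other than 1 as out of scope, and the sample image list are assumptions made for this example; the sample lines are constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example (not part of the AKS issue): inventory ingress-nginx controller
# images and classify them against the affected version ranges from the issue.

# classify_tag TAG -> prints "affected", "fixed" or "unknown" (always exits 0).
# Affected per the issue: < v1.11.0, v1.11.0-v1.11.4, v1.12.0.
# Fixed: v1.11.5+ on the 1.11 line and v1.12.1+ on the 1.12 line.
classify_tag() {
    tag=$1
    # Accept "v1.11.4", "1.11.4" or "v1.11.4-something"; extract major minor patch.
    ver=$(printf '%s' "$tag" |
        sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    if [ -z "$ver" ]; then
        echo unknown   # e.g. "latest" or a digest: cannot be judged by tag alone
        return 0
    fi
    set -- $ver
    major=$1; minor=$2; patch=$3
    # Assumption for this example: only the 1.x release line is in scope.
    if [ "$major" -ne 1 ]; then echo fixed; return 0; fi
    if [ "$minor" -lt 11 ]; then echo affected; return 0; fi
    if [ "$minor" -eq 11 ] && [ "$patch" -lt 5 ]; then echo affected; return 0; fi
    if [ "$minor" -eq 12 ] && [ "$patch" -lt 1 ]; then echo affected; return 0; fi
    echo fixed
}

# report_images: reads one image reference per line on stdin and prints
# "<image> affected|fixed|unknown" for each.
report_images() {
    while IFS= read -r image; do
        [ -n "$image" ] || continue
        ref=${image%%@*}          # drop any "@sha256:..." digest suffix
        case $ref in
            *:*) tag=${ref##*:} ;;  # text after the last colon is the tag
            *)   tag= ;;            # no tag at all (implicit "latest")
        esac
        echo "$image $(classify_tag "$tag")"
    done
}

# scan_cluster: the live variant. Uses the selector from the issue and a
# jsonpath (an assumption of this example) to print every container image of
# the ingress-nginx pods, one per line, then classifies them.
scan_cluster() {
    kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' |
        report_images
}

# Constructed sample input standing in for scan_cluster's kubectl output.
SAMPLE_IMAGES='registry.k8s.io/ingress-nginx/controller:v1.11.4
registry.k8s.io/ingress-nginx/controller:v1.11.5
registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:PLACEHOLDERDIGEST
registry.k8s.io/ingress-nginx/controller:v1.12.1
registry.k8s.io/ingress-nginx/controller:latest'

printf '%s\n' "$SAMPLE_IMAGES" | report_images
```

Run it as-is to see the classification of the constructed sample; replace the last line with a call to `scan_cluster` to run it against a cluster where `kubectl` is already pointed at the right context. Any line reported as `unknown` (a floating tag or digest-only reference) needs to be resolved against the registry before you can say whether it carries the fix.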
Is it possible to query these vulnerabilities through Defender for Containers? Does it need ACR integration, or does Defender surface vulnerabilities for runtime images?
I was reviewing the latest AKS release and didn't find these CVEs mentioned: March 24, 2025: CVE-2025-1098 (High), CVE-2025-1974 (Critical), CVE-2025-1097 (High), CVE-2025-24514 (High), and CVE-2025-24513 (Medium).
https://github.com/Azure/AKS/releases/tag/2025-03-16
Could you please confirm if this release actually covers these CVEs for managed nginx in AKS? Or what is the ETA for this release that will cover this?
The fix is being hotfixed in both the v20250316 and v20250220 releases and should be rolled out in all regions in the next 5 days.
@riyac there is no way to force-update this, e.g. az cli command?
I can confirm that my nginx deployment (in UK South) was updated yesterday to use nginx-ingress-controller:v1.11.5
These CVEs have been fixed and rolled out to all regions. If you have a maintenance window which could delay the fix, please upgrade nginx-ingress-controller manually.
Thanks for reaching out. I'm closing this issue as it was marked with "resolution/fix-released" and it hasn't had activity for 7 days.