
Container Service for Kubernetes:Vulnerability CVE-2024-7646

Last Updated:Sep 03, 2024

The Kubernetes community disclosed a security vulnerability, CVE-2024-7646, in the NGINX Ingress controller (ingress-nginx). A user who holds role-based access control (RBAC) permission to create Ingress objects in the networking.k8s.io or extensions API group can craft annotation values that bypass the controller's annotation validation. This can lead to command injection in the controller and to the exposure of the credentials of the NGINX Ingress controller. In the default configuration, those credentials can read all Secrets in the cluster, so an attacker can use them to access the Secrets of the cluster.

This vulnerability is rated as high severity with a Common Vulnerability Scoring System (CVSS) score of 8.8. For more information about this vulnerability, see Kubernetes issue #126744.

Affected versions

The following versions of the NGINX Ingress controller are affected by this vulnerability:

  • NGINX Ingress controller < v1.11.2

  • NGINX Ingress controller < v1.10.4

The following versions of the NGINX Ingress controller have the fix for this issue:

  • v1.11.2 and later versions

  • v1.10.4 and later versions

Vulnerability impact

This vulnerability only affects clusters where the NGINX Ingress controller is installed and running. Clusters without this controller are not affected.

You can run the following command to check whether the NGINX Ingress controller is installed in the cluster:

kubectl get pods -A | grep -E 'nginx-ingress-controller|ingress-nginx-controller'

If the NGINX Ingress controller is installed and used in the cluster, check the audit log of the API server for Ingress create or update requests whose annotations, such as nginx.ingress.kubernetes.io/auth-tls-verify-client, contain a carriage return (\r). Such a request may indicate an attack attempt. Note that annotation values are only present in the audit log if the audit policy records Ingress requests at the Request or RequestResponse level; at the Metadata level only the request metadata is stored and this check cannot be performed retroactively. For more information about the audit log of the API server, see Work with cluster auditing.
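The following script is an added example for triaging a cluster against this advisory; it is not code from Alibaba Cloud or from the ingress-nginx project. It covers the two checks described above: whether a controller image tag falls into the affected version ranges (earlier than v1.10.4, or v1.11.0 and v1.11.1), and whether the API server audit log contains Ingress writes whose nginx.ingress.kubernetes.io/* annotations carry a carriage return or newline. It assumes that the controller image tag begins with a vX.Y.Z version (for example registry.k8s.io/ingress-nginx/controller:v1.10.3) and that the audit log is the JSON-lines form of audit.k8s.io/v1 Events. The sample audit records embedded below are constructed for the example, not taken from a real cluster.

```python
"""Triage helpers for CVE-2024-7646 in the NGINX Ingress controller.

Added example, not code from Alibaba Cloud or the ingress-nginx project.
Assumes image tags of the form vX.Y.Z (suffixes allowed) and an audit log in
the JSON-lines format of audit.k8s.io/v1 Events.
"""
import json
import re
from typing import Iterable

INGRESS_API_GROUPS = {"networking.k8s.io", "extensions"}
NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
CONTROL_CHARS = re.compile(r"[\r\n]")


def parse_version(tag: str) -> tuple:
    """Turn an image tag such as 'v1.10.3' or 'v1.10.4-foo.1' into (1, 10, 3)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"no X.Y.Z version in tag {tag!r}")
    return tuple(int(x) for x in m.groups())


def version_from_image(image: str) -> str:
    """Extract the tag from an image reference, ignoring any @sha256 digest."""
    name = image.split("@", 1)[0].rsplit("/", 1)[-1]
    if ":" not in name:
        raise ValueError(f"image {image!r} has no tag")
    return name.split(":", 1)[1]


def is_vulnerable(tag: str) -> bool:
    """True if the version predates the fixed releases v1.10.4 / v1.11.2."""
    v = parse_version(tag)
    return v < (1, 10, 4) or (1, 11, 0) <= v < (1, 11, 2)


def _annotations(event: dict) -> dict:
    """Annotations from the request body, falling back to the response body
    (a JSON patch request body is a list, but the response is the full object).
    Both are only recorded at the Request or RequestResponse audit level."""
    for body in (event.get("requestObject"), event.get("responseObject")):
        if isinstance(body, dict):
            ann = body.get("metadata", {}).get("annotations")
            if isinstance(ann, dict):
                return ann
    return {}


def suspicious_ingress_events(lines: Iterable[str]) -> list:
    """Scan audit log lines for Ingress writes whose NGINX annotations carry CR/LF."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # ResponseComplete is the final record of a request; skip the RequestReceived copy.
        if ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "ingresses" or ref.get("apiGroup") not in INGRESS_API_GROUPS:
            continue
        if ev.get("verb") not in ("create", "update", "patch"):
            continue
        for key, value in _annotations(ev).items():
            if key.startswith(NGINX_ANNOTATION_PREFIX) and CONTROL_CHARS.search(str(value)):
                hits.append({
                    "time": ev.get("requestReceivedTimestamp"),
                    "user": ev.get("user", {}).get("username"),
                    "verb": ev["verb"],
                    "namespace": ref.get("namespace"),
                    "name": ref.get("name"),
                    "annotation": key,
                    "value": value,
                })
    return hits


def _audit_event(verb, resource, api_group, ns, name, request_object=None, user="dev-user"):
    """Build one constructed audit record (sample data, not from a real cluster)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "stage": "ResponseComplete", "verb": verb, "user": {"username": user},
        "requestReceivedTimestamp": "2024-08-20T10:00:00.000000Z",
        "objectRef": {"resource": resource, "apiGroup": api_group,
                      "namespace": ns, "name": name},
        "requestObject": request_object,
    })


# Constructed sample log: a benign Ingress, an out-of-scope Secret read, and an
# Ingress whose auth-tls-verify-client annotation embeds a carriage return.
SAMPLE_AUDIT_LOG = [
    _audit_event("create", "ingresses", "networking.k8s.io", "team-a", "shop",
                 {"metadata": {"name": "shop", "annotations": {
                     "nginx.ingress.kubernetes.io/rewrite-target": "/"}}}),
    _audit_event("get", "secrets", "", "kube-system", "ingress-nginx-admission"),
    _audit_event("create", "ingresses", "networking.k8s.io", "team-b", "evil",
                 {"metadata": {"name": "evil", "annotations": {
                     "nginx.ingress.kubernetes.io/auth-tls-verify-client":
                         "on\r# constructed injection marker"}}},
                 user="contractor"),
]

if __name__ == "__main__":
    for image in ("registry.k8s.io/ingress-nginx/controller:v1.10.3",
                  "registry.k8s.io/ingress-nginx/controller:v1.11.2"):
        print(image, "VULNERABLE" if is_vulnerable(version_from_image(image)) else "fixed")
    for hit in suspicious_ingress_events(SAMPLE_AUDIT_LOG):
        print("suspicious Ingress write:", hit)
```

To run it against a real cluster, feed the image references from the controller pods into version_from_image and stream the API server audit log file into suspicious_ingress_events. Because the JSON encoder writes a carriage return as the two characters backslash and r, a raw grep of the audit log for that escape inside annotation values is a quick first pass; the script decodes the JSON, so it also catches newline characters and values that arrive through patch requests.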

Solution

If your cluster uses the NGINX Ingress controller, check the release notes of the NGINX Ingress controller and upgrade to a version that contains the fix (v1.10.4, v1.11.2, or later) as soon as possible. For more information, see Update the NGINX Ingress controller.