Mitigate CVE-2022-4886, CVE-2023-5043 and CVE-2023-5044 for ingress-nginx
Bug #2042977 reported by
Reinildes Oliveira
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | High | Reinildes Oliveira |
Bug Description
Brief Description
-------
Apply remediation suggested by community in:
https:/
https:/
https:/
CVE-2023-5043 and CVE-2023-5044 are mitigated with enableAnnotationValidations
CVE-2022-4886 is mitigated with strict-validate-path-type
Severity
-------
Major
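The two settings named above, written out as a Helm values override for the upstream ingress-nginx chart. This is an added example for this bug, not the override file shipped by the StarlingX app; the `system helm-override-update` command form in the comment is an assumption about how the override is applied on StarlingX. `enableAnnotationValidations` turns on validation of annotation values before they are rendered into the nginx configuration; `strict-validate-path-type` makes the controller reject Ingress paths containing non-alphanumeric characters (such as `/apple$`) when the pathType is Exact or Prefix.

```yaml
# Added example (not the StarlingX app's own override file).
# Assumed StarlingX command to apply it:
#   system helm-override-update ingress-nginx ingress-nginx kube-system \
#       --values ingress-nginx-overrides.yaml

# --- Unmitigated: both checks off, which is what this bug fixes ---
# controller:
#   enableAnnotationValidations: false
#   config: {}

# --- Mitigated ---
controller:
  # CVE-2023-5043 / CVE-2023-5044: validate annotation values before they
  # are rendered into nginx.conf.
  enableAnnotationValidations: true
  config:
    # CVE-2022-4886: reject Ingress paths with characters that are not
    # alphanumeric (e.g. /apple$) when pathType is Exact or Prefix.
    # ConfigMap values are strings, so the boolean is quoted.
    strict-validate-path-type: "true"
```

Note that `strict-validate-path-type` only covers pathType Exact and Prefix; an Ingress that genuinely needs a regex path has to declare pathType ImplementationSpecific, which the strict check does not reject.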
Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
information type: Private Security → Public Security
tags: added: stx.9.0 stx.apps stx.security
Changed in starlingx:
status: New → In Progress
importance: Undecided → High
summary: Mitigate CVE-2022-4886, CVE-2023-5043 and CVE-2023-5044 → Mitigate CVE-2022-4886, CVE-2023-5043 and CVE-2023-5044 for ingress-nginx
Reviewed: https://review.opendev.org/c/starlingx/nginx-ingress-controller-armada-app/+/900372
Committed: https://opendev.org/starlingx/nginx-ingress-controller-armada-app/commit/462d728eb82b0e373c7b78901bbfdaa121721cf6
Submitter: "Zuul (22348)"
Branch: master
commit 462d728eb82b0e373c7b78901bbfdaa121721cf6
Author: Rei Oliveira <email address hidden>
Date: Tue Nov 7 12:53:27 2023 -0300
Mitigate CVE-2022-4886 and CVE-2023-5044
This commit adds the flags and config options recommended by the
community in:
https://github.com/kubernetes/ingress-nginx/issues/10570
https://github.com/kubernetes/ingress-nginx/issues/10572
CVE-2023-5044 is mitigated with enableAnnotationValidations
CVE-2022-4886 is mitigated with strict-validate-path-type
Test cases:
PASS: Full build, system install, bootstrap and unlock.
PASS: system application-update to this new version
PASS: Create Ingress resource with special character in path /apple$,
      verify it's possible to curl localhost/apple$.
      Apply strict-validate-path-type override and verify creating the
      same Ingress object is not possible anymore, and curl does not work either.
PASS: Create Ingress resource with special characters and verify that
      it creates successfully.
      https:/
      Apply enableAnnotationValidations override and verify creating the
      same Ingress object is not possible anymore and a validation error
      is now returned.
PASS: stx-openstack applies without error.
Closes-Bug: 2042977
Change-Id: I2f2279ebb34094d0a21d4440e48ef890f09a6133
Signed-off-by: Rei Oliveira <email address hidden>
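The Ingress object from the strict-validate-path-type test case above, reconstructed as an added example (it is not part of the commit or the bug report). The namespace, service name, port and ingress class are assumptions. The first document is the object the test case creates; with the override applied, the controller rejects it at creation time because `/apple$` contains a non-alphanumeric character and the pathType is Prefix. The second document shows the form a legitimate regex path has to take under strict validation: pathType ImplementationSpecific, which the strict check does not cover.

```yaml
# Added example: the /apple$ reproduction from the test cases, and the
# form a regex path must take once strict-validate-path-type is "true".
# Namespace, service, port and ingress class are assumed values.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apple-special-char
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      # Accepted with the default config, so curl localhost/apple$ works.
      # Rejected at create time once strict-validate-path-type is "true":
      # '$' is not alphanumeric and pathType Prefix is subject to the check.
      - path: /apple$
        pathType: Prefix
        backend:
          service:
            name: apple-svc
            port:
              number: 80
---
# Hardened form for an Ingress that really needs a regex path.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apple-regex
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      # ImplementationSpecific is exempt from the strict path check, so the
      # regex is allowed and the intent is explicit in the object.
      - path: /apple$
        pathType: ImplementationSpecific
        backend:
          service:
            name: apple-svc
            port:
              number: 80
```

To reproduce the check, apply the first document before and after the override: before, the object is created and `curl localhost/apple$` reaches the backend; after, creation fails with a validation error, as the test cases report.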