Mitigate CVE-2022-4886, CVE-2023-5043 and CVE-2023-5044 for ingress-nginx

Bug #2042977 reported by Reinildes Oliveira
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Reinildes Oliveira

Bug Description

Brief Description
-----------------------------
Apply remediation suggested by community in:

https://github.com/kubernetes/ingress-nginx/issues/10570
https://github.com/kubernetes/ingress-nginx/issues/10571
https://github.com/kubernetes/ingress-nginx/issues/10572

CVE-2023-5043 and CVE-2023-5044 are mitigated with enableAnnotationValidations
CVE-2022-4886 is mitigated with strict-validate-path-type

Severity
-----------------------------

Major

Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
information type: Private Security → Public Security
Ghada Khalil (gkhalil)
tags: added: stx.9.0 stx.apps stx.security
Changed in starlingx:
status: New → In Progress
importance: Undecided → High
summary: - Mitigate CVE-2022-4886, CVE-2023-5043 and CVE-2023-5044
+ Mitigate CVE-2022-4886, CVE-2023-5043 and CVE-2023-5044 for ingress-nginx
OpenStack Infra (hudson-openstack) wrote : Fix merged to nginx-ingress-controller-armada-app (master)

Reviewed: https://review.opendev.org/c/starlingx/nginx-ingress-controller-armada-app/+/900372
Committed: https://opendev.org/starlingx/nginx-ingress-controller-armada-app/commit/462d728eb82b0e373c7b78901bbfdaa121721cf6
Submitter: "Zuul (22348)"
Branch: master

commit 462d728eb82b0e373c7b78901bbfdaa121721cf6
Author: Rei Oliveira <email address hidden>
Date: Tue Nov 7 12:53:27 2023 -0300

    Mitigate CVE-2022-4886 and CVE-2023-5044

    This commit adds the flags and config options recommended by the
    community in:

    https://github.com/kubernetes/ingress-nginx/issues/10570
    https://github.com/kubernetes/ingress-nginx/issues/10572

    CVE-2023-5044 is mitigated with enableAnnotationValidations
    CVE-2022-4886 is mitigated with strict-validate-path-type

    Test cases:

    PASS: Full build, system install, bootstrap and unlock.
    PASS: system application-update to this new version
    PASS: Create Ingress resource with special character in path /apple$,
          verify it's possible to curl localhost/apple$.
          Apply strict-validate-path-type override and verify creating the
          same Ingress object is not possible anymore, nor does curl work.
    PASS: Create Ingress resource with special characters and verify that
          it creates successfully.

          annotations:

          nginx.ingress.kubernetes.io/permanent-redirect: |
            https://www.google.com$HOST

          Apply enableAnnotationValidations override and verify creating the
          same Ingress object is not possible anymore and a validation error
          is now returned.
    PASS: stx-openstack applies without error.

    Closes-Bug: 2042977

    Change-Id: I2f2279ebb34094d0a21d4440e48ef890f09a6133
    Signed-off-by: Rei Oliveira <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
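The two settings named in this bug reject Ingress objects that were previously accepted, so an operator turning them on wants to know in advance which existing Ingresses will break (and which regex-style paths must be moved to pathType ImplementationSpecific). The script below is an added example, not StarlingX or ingress-nginx code: a pre-flight check that approximates what the controller rejects once strict-validate-path-type and enableAnnotationValidations are enabled, run over constructed sample objects that mirror the two test cases in the commit message above. The path regex, the list of annotations treated as risky and the forbidden character set are assumptions chosen to be at least as strict as upstream; the authoritative rules are the ones in the ingress-nginx source for the version you deploy.

```python
"""Pre-flight check for the two ingress-nginx hardening options named in this bug.

Added example (not StarlingX or ingress-nginx code). It approximates what the
controller rejects once strict-validate-path-type and
enableAnnotationValidations are on, so an operator can list Ingress objects
that will break before flipping the settings. The regex and the forbidden
character set are assumptions chosen to be at least as strict as upstream;
the authoritative rules are in the ingress-nginx source.
"""
import re

# Assumed path rule for pathType Exact/Prefix under strict-validate-path-type:
# alphanumerics plus '-', '_', '.', '~', '/'. ImplementationSpecific is exempt,
# which is where regex paths (the ones that need '$', '(' etc.) belong.
STRICT_PATH_RE = re.compile(r"^/[A-Za-z0-9_.~/-]*$")

# Assumed subset of annotations whose values are copied into nginx.conf.
RISKY_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/permanent-redirect",
    "nginx.ingress.kubernetes.io/temporal-redirect",
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
)
# '$' expands nginx variables; ';', '{', '}' and newlines end or open directives,
# so any of them lets an annotation value escape the directive it is placed in.
FORBIDDEN_ANNOTATION_CHARS = frozenset("${};\n\r")


def path_violations(ingress):
    """(path, pathType) pairs that strict-validate-path-type would reject."""
    found = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path_type = entry.get("pathType", "ImplementationSpecific")
            path = entry.get("path", "/")
            if path_type != "ImplementationSpecific" and not STRICT_PATH_RE.match(path):
                found.append((path, path_type))
    return found


def annotation_violations(ingress):
    """(annotation, sorted offending characters) pairs annotation validation would reject."""
    found = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    for key in RISKY_ANNOTATIONS:
        value = annotations.get(key)
        if value is None:
            continue
        bad = sorted(set(value) & FORBIDDEN_ANNOTATION_CHARS)
        if bad:
            found.append((key, bad))
    return found


def check(ingress):
    """Summarise both checks for one Ingress object (a dict, as from yaml.safe_load)."""
    return {
        "name": ingress.get("metadata", {}).get("name", "<unnamed>"),
        "paths": path_violations(ingress),
        "annotations": annotation_violations(ingress),
    }


def run_report(ingresses):
    """Return check() results only for objects that would be rejected."""
    return [r for r in map(check, ingresses) if r["paths"] or r["annotations"]]


def _ingress(name, paths=(), annotations=None):
    # Helper that builds a minimal Ingress dict (constructed sample data).
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name, "annotations": annotations or {}},
        "spec": {"rules": [{"http": {"paths": [
            {"path": p, "pathType": t,
             "backend": {"service": {"name": "svc", "port": {"number": 80}}}}
            for p, t in paths]}}]},
    }


# Constructed samples mirroring the two test cases in the commit message above.
SAMPLES = [
    _ingress("apple-prefix", paths=[("/apple$", "Prefix")]),
    _ingress("redirect-inject", paths=[("/", "Prefix")],
             annotations={"nginx.ingress.kubernetes.io/permanent-redirect":
                          "https://www.google.com$HOST"}),
    _ingress("regex-ok", paths=[("/apple$", "ImplementationSpecific")]),
    _ingress("clean", paths=[("/api/v1", "Prefix")],
             annotations={"nginx.ingress.kubernetes.io/permanent-redirect":
                          "https://www.example.com/"}),
]

if __name__ == "__main__":
    for result in run_report(SAMPLES):
        print(result)
```

On a live cluster the same functions can be fed the `items` list of `kubectl get ingress -A -o json`; anything reported under `paths` needs pathType ImplementationSpecific (or a literal path), and anything under `annotations` needs the `$`, `;`, `{`, `}` or newline removed before the override is applied, otherwise the controller will refuse the object on the next sync.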