The Australian Cyber Security Centre recommends users of Ingress-NGINX Controller to act now regarding flaws that could lead to a full cluster takeover.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has released a critical alert urging users of Ingress-NGINX Controller for Kubernetes to act now regarding several dangerous vulnerabilities.
An Ingress-NGINX Controller handles the routing of external traffic to services within a Kubernetes cluster, and the vulnerabilities could allow unauthenticated code execution, which, in turn, could allow a malicious actor to perform a complete takeover of the cluster.
The ASD’s ACSC recommends that any business that uses Ingress-NGINX Controller should immediately update to the latest version – controller-v1.12.1 – and ensure the admission webhook is not openly exposed.
Controller-v1.12.1 fixes the following vulnerabilities:
“Unfortunately, to fix CVE-2025-1974, it was necessary to disable the validation of the generated NGINX configuration during the validation of Ingress resources,” a Kubernetes maintainer said in a recent GitHub release update.
“The resulting NGINX configuration is still checked before the actual loading, so that there are no failures of the underlying NGINX. However, invalid Ingress resources can lead to the NGINX configuration no longer being able to be updated.
“To reduce such situations as far as possible, we therefore recommend enabling annotation validation and disabling snippet annotations. In case of doubt, such states can be determined from the logs of the Ingress NGINX Controller. Watch out for a line of dashes followed by ‘Error:’ telling you what went wrong.”
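The checks recommended above (patched controller version, admission webhook not openly exposed, snippet annotations disabled, annotation validation enabled, and controller logs watched for a line of dashes followed by "Error:") can be scripted against the objects an operator already exports from a cluster. The following is an added example written for this article; it is not code from ACSC, the article's author or the ingress-nginx project. It assumes the ConfigMap key `allow-snippet-annotations`, the controller flag `--enable-annotation-validation` and a ClusterIP admission Service, as documented by ingress-nginx, and the log excerpt and manifest values below are constructed for illustration rather than captured from a real cluster.

```python
"""Offline audit of ingress-nginx hardening points named in the ACSC alert.

Added example, not code from the article or the ingress-nginx project.
Assumptions: ConfigMap key ``allow-snippet-annotations`` and controller flag
``--enable-annotation-validation`` as documented by ingress-nginx; the
admission webhook is expected to be a ClusterIP Service. All sample data
below is constructed.
"""
import re

PATCHED_VERSION = (1, 12, 1)          # controller-v1.12.1, the version named in the alert
DASHES = re.compile(r"^-{10,}\s*$")   # "a line of dashes" in the controller log

# Constructed controller log excerpt (format approximated, not a real capture).
SAMPLE_LOG = """\
I0324 10:15:02.001 controller.go:190] "Configuration changes detected, backend reload required"
W0324 10:15:02.120 controller.go:229] Unexpected error validating template:
-------------------------------------------------------------------------------
Error: exit status 1
nginx: [emerg] unknown directive "bogus" in /tmp/nginx-cfg-example:45
nginx: configuration file /tmp/nginx-cfg-example test failed
-------------------------------------------------------------------------------
I0324 10:15:03.001 controller.go:200] "Backend successfully reloaded"
"""

# Constructed manifest values for a cluster that fails every check.
VULNERABLE_IMAGE = "registry.k8s.io/ingress-nginx/controller:v1.12.0"
VULNERABLE_CONFIG = {"allow-snippet-annotations": "true"}
VULNERABLE_ARGS = ["/nginx-ingress-controller", "--enable-annotation-validation=false"]
PATCHED_IMAGE = "registry.k8s.io/ingress-nginx/controller:v1.12.1"


def find_config_errors(log_text):
    """Return the 'Error:' messages that directly follow a line of dashes."""
    errors = []
    after_dashes = False
    for line in log_text.splitlines():
        if DASHES.match(line):
            after_dashes = True
            continue
        if after_dashes:
            after_dashes = False
            if line.startswith("Error:"):
                errors.append(line[len("Error:"):].strip())
    return errors


def parse_version(image):
    """Extract (major, minor, patch) from an image tag such as controller:v1.12.0."""
    match = re.search(r":v(\d+)\.(\d+)\.(\d+)", image)
    if not match:
        raise ValueError(f"no semantic version tag in {image!r}")
    return tuple(int(part) for part in match.groups())


def audit_controller(image, configmap_data, container_args, admission_service_type):
    """Return findings for the four hardening points; an empty list means all pass."""
    findings = []
    if parse_version(image) < PATCHED_VERSION:
        findings.append(f"controller image {image} is older than controller-v1.12.1")
    if configmap_data.get("allow-snippet-annotations", "false").lower() == "true":
        findings.append("snippet annotations are enabled (allow-snippet-annotations=true)")
    for arg in container_args:
        if arg.startswith("--enable-annotation-validation") and arg.endswith("false"):
            findings.append("annotation validation is disabled")
    if admission_service_type != "ClusterIP":
        findings.append(
            f"admission webhook Service is type {admission_service_type}; "
            "it should be ClusterIP and reachable only from the API server"
        )
    return findings


if __name__ == "__main__":
    for message in find_config_errors(SAMPLE_LOG):
        print("controller reported a configuration error:", message)
    for finding in audit_controller(VULNERABLE_IMAGE, VULNERABLE_CONFIG, VULNERABLE_ARGS, "LoadBalancer"):
        print("FINDING:", finding)
    print("patched cluster findings:", audit_controller(PATCHED_IMAGE, {}, [], "ClusterIP"))
```

In practice the inputs come from `kubectl logs` on the controller pod, the controller ConfigMap, the controller Deployment's container args, and the admission Service's `spec.type`; the script only encodes the decision rules, so it can be run against exported YAML without cluster access.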
According to research from cloud security firm Wiz, there are currently about 6,500 vulnerable clusters, including clusters belonging to Fortune 500 businesses.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.