Ingress-Nginx Vulnerability (CVE-2025-1974)

Problem

Critical Vulnerability CVE-2025-1974 impacting the Pod network has a good chance of taking over the Kubernetes cluster, with no credentials or administrative access required.

Environment

Self Managed Cloud Platform9 - 5.10. and 5.11.

Solution

The fix for the issue is available in:

The SMCP-5.12 version, tracked in the Jira: AIR-1453.

Workaround

Section-1

Below are the workaround steps to fix the vulnerability in Ingress Nginx deployment part of the SMCP versions 5.10. and 5.11:

From the master node verify the existing image version:

$ sudo /opt/pf9/pf9-kube/bin/nerdctl -n k8s.io images | grep ingress

$ kubectl describe pod -n airctl-1-xxxxxxxx-xx-kplane   ingress-nginx-controller-xxxxxxxxxxx-xxxxx | grep -i image

$ kubectl describe pod -n airctl-1-xxxxxxxx-xx   ingress-nginx-controller-xxxxxxxxxxx-xxxxx | grep -i image

Download ingress-nginx_1.12.1.tgz image having the patch:

$ docker pull registry.k8s.io/ingress-nginx/controller:v1.12.1
$ docker save registry.k8s.io/ingress-nginx/controller | gzip > ingress-nginx_1.12.1.tgz

Copy and load image into the management node

$ ls ingress-nginx_1.12.1.tgz 

$ sudo /opt/pf9/pf9-kube/bin/nerdctl load --input ingress-nginx_1.12.1.tgz --namespace k8s.io

Verify the ingress-nginx_1.12.1.tgz image with 1.12.1 tag.

$ sudo /opt/pf9/pf9-kube/bin/nerdctl -n k8s.io images | grep ingress

Update the ingress-nginx config-map to include annotations-risk-level: Criticalin the data section as shown below:

$ kubectl edit cm ingress-nginx-x -n airctl-1-xxxxxxxx-xx 
---
data:
  allow-snippet-annotations: "true"
  annotations-risk-level: Critical              # New Entry

Update the deployments which will be listed by the below command with the correct image v1.12.1

$ kubectl get deployment -A | grep ingress

$ kubectl edit deployment -n airctl-1-xxxxxxxx-xx-kplane ingress-nginx-controller

$ kubectl edit deployment -n airctl-1-xxxxxxxx-xx ingress-nginx-controller

Verify if pods are running as expected. Also, verify the workload cluster and UI.

$ kubectl get po -A | grep ingress

Section-2

Below are the workaround steps to fix the vulnerability issue Monitoring deployment introduced in the Management Plane of SMCP-5.11.

Download and save the kube-webhook-certgen image for management plane monitoring:

$ docker pull registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.2

$ docker save registry.k8s.io/ingress-nginx/kube-webhook-certgen | gzip > webhook_certgen_1.5.2.tgz

Copy and load image into the Management plane cluster master node:

$ sudo /opt/pf9/pf9-kube/bin/nerdctl load --input webhook_certgen_1.5.2.tgz --namespace k8s.io

Helm upgrade Management plane monitoring stack [if already installed] with new kube-prometheus-stack-62.7.1-13.tgz tarfile, if monitoring feature is already enabled: 3.1 Download the new kube-prometheus-stack tar file:

$ wget https://pf9-airctl.s3.us-west-1.amazonaws.com/pf9-kube-prometheus-helm-chart/kube-prometheus-stack-62.7.1-13.tgz

     3.2.a  If the helm kube-prometheus-stack is already installed, upgrade it using below command:

$ helm upgrade mgmt-monitoring <path_to_kube-prometheus-stack-62.7.1-13.tgz> --namespace pf9-monitoring --set admissionWebhooks.patch.image.tag=v1.5.2

   3.2.b  If the helm kube-prometheus-stack is not installed, it can be installed as mentioned below snippet:

Reference: https://platform9.com/docs/PEC/management-cluster-monitoring

$ helm install mgmt-monitoring -n pf9-monitoring <path_to_kube-prometheus-stack-62.7.1-13.tgz> --create-namespace

Additional Information

Reference - https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

PreviousAfter Upgrading DU to v-5.3.0-3085281, Cluster Upgrade Option to v1.20.15-pmk.2218 not Present NextHow To Renew Vault Token LTS1 Setup

Last updated 2 months ago

Good morning

hashtagProblem

hashtagEnvironment

hashtagSolution

hashtagWorkaround

hashtagSection-1

hashtagSection-2

hashtagAdditional Information