Critical RCE flaws put Kubernetes clusters at risk of takeover

Two ways to mitigate the flaws: The best fix is to upgrade the Ingress-NGINX component to one of the patched versions. Admins can determine if it’s being used inside their clusters by typing:

    kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

In situations where an immediate version upgrade is not possible, admins can reduce risk by deleting the ValidatingWebhookConfiguration called ingress-nginx-admission and removing the --validating-webhook argument from the ingress-nginx-controller container’s Deployment or DaemonSet. If ingress-nginx was installed using Helm, it can be reinstalled with controller.admissionWebhooks.enabled=false.

This will mitigate CVE-2025-1974 in particular, which makes it much easier to exploit the other vulnerabilities without authentication. However, the Validating Admission Controller should not remain disabled for a long time because it provides safeguards against bad ingress configurations to legitimate users.
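To confirm that both temporary mitigation steps described above were actually applied, the following added example (not from the article or the ingress-nginx project) inspects saved kubectl JSON output and reports what is still in place. The sample objects, their names other than ingress-nginx-admission, and the :8443 value are constructed for illustration.

```python
import json

WEBHOOK_NAME = "ingress-nginx-admission"  # object name given in the article
FLAG = "--validating-webhook"             # controller argument named in the article

def _workload(kind, name, args):
    # Builds constructed sample objects (not real cluster output).
    return {"kind": kind, "metadata": {"namespace": "ingress-nginx", "name": name},
            "spec": {"template": {"spec": {"containers": [
                {"name": "controller", "args": args}]}}}}

# Constructed input, shaped like `kubectl get deploy,ds --all-namespaces -o json`
# and `kubectl get validatingwebhookconfigurations -o json`.
SAMPLE_WORKLOADS = json.dumps({"items": [
    _workload("Deployment", "ingress-nginx-controller",
              ["/nginx-ingress-controller", "--validating-webhook=:8443"]),
    _workload("DaemonSet", "ingress-nginx-internal", ["/nginx-ingress-controller"]),
]})
SAMPLE_WEBHOOKS = json.dumps({"items": [
    {"metadata": {"name": "ingress-nginx-admission"}},
    {"metadata": {"name": "example-policy-webhook"}},
]})

def controllers_with_flag(workloads_json):
    """List (kind, namespace, name, container) still started with FLAG."""
    hits = []
    for item in json.loads(workloads_json).get("items", []):
        if item.get("kind") not in ("Deployment", "DaemonSet"):
            continue
        meta = item.get("metadata", {})
        pod = item.get("spec", {}).get("template", {}).get("spec", {})
        for c in pod.get("containers", []):
            argv = (c.get("command") or []) + (c.get("args") or [])
            # The flag may appear as "--validating-webhook=:8443" or as a bare token.
            if any(a == FLAG or a.startswith(FLAG + "=") for a in argv):
                hits.append((item["kind"], meta.get("namespace"),
                             meta.get("name"), c.get("name")))
    return hits

def mitigation_gaps(workloads_json, webhooks_json):
    """Return findings; an empty list means both mitigation steps are done."""
    items = json.loads(webhooks_json).get("items", [])
    gaps = [f"ValidatingWebhookConfiguration {WEBHOOK_NAME} still exists"
            for i in items if i.get("metadata", {}).get("name") == WEBHOOK_NAME]
    for kind, ns, name, ctr in controllers_with_flag(workloads_json):
        gaps.append(f"{kind} {ns}/{name} container {ctr} still passes {FLAG}")
    return gaps

if __name__ == "__main__":
    for gap in mitigation_gaps(SAMPLE_WORKLOADS, SAMPLE_WEBHOOKS):
        print(gap)
```

Once a patched version is installed and the admission controller is re-enabled, these findings are expected again, so the check only applies while the workaround is in effect.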


First seen on csoonline.com

Jump to article: www.csoonline.com/article/3854089/critical-rce-flaws-put-kubernetes-clusters-at-risk-of-takeover.html
