Update nginx to mitigate CVE-2021-23017 #7164
Comments
Hello. I tested upgrading nginx to v1.21.0 by updating images/nginx/rootfs/build.sh (lines 21 and 124), building the base image, publishing to an alternative registry path, and then modifying the BASE_IMAGE variable in the Makefile and building the controller. I've tested it and it works in my setup. However, it will take time to get our legal advisor to approve the CLA, so don't wait for that, but the changes I've made are just references to dependencies, no new code, so you should end up with the same result if you're going for nginx v1.21.0. Hope my test will be of value, even if you're not able to merge directly due to the missing CLA. (A question is whether to stay on nginx mainline or to go for nginx stable, now that a new stable branch has been made. But I tested with mainline as that was previously used.)
Nice to see useful info.
There is a lot going on that is related and non-trivial so maybe wait
till someone updates I guess.
Thanks,
; Long
…On 27/05/21 1:09 pm, Christian Skarby wrote:
Hello. I tested upgrading nginx to v1.21.0 by updating
images/nginx/rootfs/build.sh (lines 21 and 124), building the base image,
publishing to an alternative registry path, and then modifying the
BASE_IMAGE variable in the Makefile and building the controller. I've
tested it and it works in my setup. However, it will take time to get
our legal advisor to approve the CLA, so don't wait for that, but the
changes I've made are just references to dependencies, no new code, so
you should end up with the same result if you're going for nginx
v1.21.0. Hope my test will be of value, even if you're not able to
merge directly due to the missing CLA.
(A question is whether to stay on nginx mainline or to go for nginx
stable, now that a new stable branch has been made. But I tested with
mainline as that was previously used.)
NGINX Ingress controller version: 0.46.0
Kubernetes version: 1.20.5
Environment: (not relevant)
What happened:
Nginx published a blog post that they fixed a security vulnerability in Nginx that might also affect the ingress-nginx controller.
What you expected to happen:
Update of the nginx base image to at least 1.20.1 or 1.21.0.
How to reproduce it:
Find out the currently used version of nginx:
docker run --rm k8s.gcr.io/ingress-nginx/controller:v0.46.0 nginx -v
nginx/1.19.6
which is affected, according to this
Find out if the "resolver" directive is present in the configuration:
kubectl exec -it -n infrastructure <ingress-pod-name> -- cat nginx.conf | grep resolver
resolver 100.64.0.10 valid=30s ipv6=off;
Anything else we need to know:
/kind bug
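The two checks from the issue combined into one triage function, as an added example that is not part of the original issue or the ingress-nginx project. It assumes every release older than 1.20.1 is affected (the issue names 1.20.1 and 1.21.0 as the fixed versions) and that exposure requires an active resolver directive; the function names and the sample config excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue): triage for CVE-2021-23017.
# Assumption: every release older than 1.20.1 counts as affected.
FIXED="1.20.1"

# Constructed sample input: version banner and a config excerpt.
SAMPLE_VERSION='nginx version: nginx/1.19.6'
SAMPLE_CONF='# resolver 10.0.0.1;
resolver_timeout 5s;
    resolver 100.64.0.10 valid=30s ipv6=off;'

# Pull "X.Y.Z" out of a banner such as "nginx version: nginx/1.19.6".
nginx_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeed when version $1 is older than $FIXED. Fields are compared
# numerically, so 1.9.15 sorts before 1.20.1 (a string compare would not).
version_is_affected() {
    [ "$1" = "$FIXED" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Succeed when stdin holds an active resolver directive. Unlike a bare
# "grep resolver", comments and resolver_timeout do not match.
has_resolver() {
    grep -Eq '^[[:space:]]*resolver[[:space:]]+[^;]+;'
}

# $1 = version banner, $2 = config text. Prints one verdict word.
triage() {
    ver=$(nginx_version "$1")
    if [ -z "$ver" ]; then echo "unknown"
    elif ! version_is_affected "$ver"; then echo "patched"
    elif printf '%s\n' "$2" | has_resolver; then echo "exposed"
    else echo "affected-no-resolver"
    fi
}

triage "$SAMPLE_VERSION" "$SAMPLE_CONF"   # prints: exposed
```

Against a live controller, pass the output of `nginx -v` (which nginx writes to stderr, so capture it with `2>&1`) and the contents of nginx.conf as the two arguments.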