Cloudera Docs

Kubernetes Ingress NGINX Controller vulnerabilities

Five vulnerabilities affecting the Ingress Nginx Controller for Kubernetes were publicly disclosed on March 24, 2025, and were given the nickname 'IngressNightmare'.

Remediation for affected versions

Cloudera Data Warehouse version 1.10.1-b703 contains fixes to upgrade the Ingress NGINX controller.

Introduction

The ‘IngressNightmare’ vulnerabilities may allow Remote Code Execution (RCE) and potentially expose Kubernetes clusters to malicious configuration modifications. Exploitation requires specially crafted HTTP requests that bypass security measures, such as a Web Application Firewall (WAF). Successful exploitation may lead to complete cluster compromise, data exfiltration, and denial of service.

Details of the CVEs:
  • CVE-2025-1974 (CVSS score: 9.8) – An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions
  • CVE-2025-24514 (CVSS score: 8.8) – The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
  • CVE-2025-1097 (CVSS score: 8.8) – The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
  • CVE-2025-1098 (CVSS score: 8.8) – The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
  • CVE-2025-24513 (CVSS score: 4.8) – An improper input validation vulnerability that could result in directory traversal within the container, leading to denial-of-service (DoS) or limited disclosure of secret objects from the cluster when combined with other vulnerabilities
Releases affected:
Cloudera Data Warehouse on cloud
Supported versions affected:
  • 1.9.6-b2
  • 1.9.5-b10
  • 1.9.4-b147
  • 1.9.3-b166
  • 1.9.2-b657 (Runtime: 2024.0.18.2-4)
  • 1.9.2-b657 (Runtime: 2024.0.18.1-1)
Action required - Mitigation for affected Cloudera products:
For mitigating CVE-2025-1974 on the affected Cloudera products, refer to the information below.

Mitigation of CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-24513 is secondary to the previous CVE. They require no immediate action, as attackers can only exploit these with direct access to cluster hosts and privileges to create arbitrary ingress objects via the Kubernetes API.

Cloudera Data Warehouse on cloud
  1. Check your current version.
    1. Go to the Cloudera Data Warehouse Control Plane.
    2. Navigate to the Environments tab and check the version of your Cloudera Data Warehouse Environment in the Version column.

      Image to check the version of Cloudera Data Warehouse Environment
  2. Mitigation steps for Cloudera Data Warehouse on cloud
    1. Customers using versions 1.9.5-b10 and 1.9.6-b2
      Execute the following command to update the current nginx controller (version 1.12.0) image to the patched version in your deployment:
      kubectl set image deployment/nginx-service controller=container.repo.cloudera.com/cloudera_thirdparty/hardened/ingress-nginx-controller:1.12.1-r0-202503251929 -n cluster
      Expected output: 
      deployment.apps/nginx-service image updated
      To verify that the image update was successful:
      $ kubectl get deployment/nginx-service -o jsonpath="{..image}" -n cluster
      Expected output:
      container.repo.cloudera.com/cloudera_thirdparty/hardened/ingress-nginx-controller:1.12.1-r0-202503251929
    2. Customers using versions lower than 1.9.5-b10
      Execute the following command to update the current nginx controller (version 1.11.4) image to the patched version in your deployment: 
      kubectl set image deployment/nginx-service controller=container.repo.cloudera.com/cloudera_thirdparty/ingress-nginx/controller:v1.11.5 -n cluster
      Expected output:
      deployment.apps/nginx-service image updated
      To verify that the image update was successful:
      $ kubectl get deployment/nginx-service -o jsonpath="{..image}" -n cluster
      Expected output:
      container.repo.cloudera.com/cloudera_thirdparty/ingress-nginx/controller:v1.11.5
    3. Customers using versions lower than 1.9.3-b166 need to first upgrade using Backup and Restore to the latest version (1.9.6-b2) to apply the mitigation.
Knowledge articles
For the latest update on this issue see the corresponding Knowledge articles: