CVE-2025-1974: ELB + Ingress-Nginx Exposure Analysis


Bottom line: External traffic through your ELB isn't the attack vector.

Key Point: Having ingress-nginx behind an AWS ELB does not automatically expose you to CVE-2025-1974.

Are you safe?
- The vulnerability requires access to the Validating Admission Controller
- Regular HTTP requests through your ELB cannot trigger the exploit

External users hitting your application (e.g., fancyapp.com) cannot exploit this vulnerability.
9
Real Attack Requirements:
- Access to the Kubernetes API
- Ability to create/modify Ingress resources
- Network access similar to pod-level connectivity
- Ability to interact with the admission webhook
15
Security Focus
- Monitor internal pod network access
- Maintain strict Kubernetes API access controls
- Keep standard network segmentation practices
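Two of the controls above, restricting who may create or modify Ingress resources and segmenting the network so that only the API server can reach the admission webhook, can be written down as Kubernetes objects. The manifests below are an added example and are not part of the original note or of the ingress-nginx project. They assume the controller runs in the `ingress-nginx` namespace with the standard Helm chart labels, that the admission webhook listens on container port 8443, an application namespace called `fancyapp` with a deployer ServiceAccount called `ingress-deployer`, and a placeholder CIDR (`10.0.0.0/16`) that must be replaced with the addresses your API server actually connects from.

```yaml
# Added example (not from the original note or the ingress-nginx project).
# Every value marked "assumption" or "PLACEHOLDER" must be checked against
# your own cluster before use.
#
# 1) Network segmentation: only the Kubernetes API server may reach the
#    ingress-nginx admission webhook port. Normal ELB -> controller traffic
#    on 80/443 is still allowed by the first rule. Any other port the
#    controller serves (e.g. a metrics port) is blocked by this policy
#    unless you add it explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-ingress-nginx-admission-webhook
  namespace: ingress-nginx            # assumption: controller namespace
spec:
  podSelector:
    matchLabels:                      # assumption: standard Helm chart labels
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Keep ELB -> controller HTTP/HTTPS traffic flowing from anywhere.
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    # Webhook port: reachable only from the API server's source addresses,
    # so ordinary pods on the cluster network cannot talk to it.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/16         # PLACEHOLDER: CIDR the API server calls the webhook from
      ports:
        - protocol: TCP
          port: 8443                  # assumption: webhook container port
---
# 2) API access control: a namespaced Role that grants Ingress write access
#    only to a dedicated deployer ServiceAccount, so workloads and users
#    without this binding cannot create or modify Ingress resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-editor
  namespace: fancyapp                 # assumption: application namespace
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-editor-binding
  namespace: fancyapp                 # assumption: application namespace
subjects:
  - kind: ServiceAccount
    name: ingress-deployer            # assumption: CI/CD deployer identity
    namespace: fancyapp
roleRef:
  kind: Role
  name: ingress-editor
  apiGroup: rbac.authorization.k8s.io
```

Apply with `kubectl apply -f`, then confirm the webhook still works for legitimate changes: creating a test Ingress through the API should still be validated rather than time out, because a NetworkPolicy that also cuts off the API server will either block every Ingress change or, depending on the webhook's failure policy, silently skip validation. NetworkPolicy objects are only enforced when the cluster's CNI supports them (on EKS this means the VPC CNI with network policy enabled, or an alternative such as Calico), so verify enforcement from a pod in another namespace rather than assuming it.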
20
ELB's Role
- The ELB simply routes external traffic to your ingress-nginx controller. This regular traffic flow cannot trigger the vulnerability; exploitation requires direct interaction with the admission webhook through the Kubernetes API.


Created on 3/26/2025