Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-rjfv-pjvx-mjgv: AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers

Summary

The AWS Load Balancer Controller includes an optional, default-enabled feature that manages WAF WebACLs on Application Load Balancers (ALBs) on your behalf. In versions 2.8.1 and earlier, if the WebACL annotation [1] alb.ingress.kubernetes.io/wafv2-acl-arn or alb.ingress.kubernetes.io/waf-acl-id was absent on Ingresses, the controller would automatically disassociate any existing WebACL from the ALBs, including those associated by AWS Firewall Manager (FMS). Customers on impacted versions should upgrade to prevent this issue from occurring.

Impact

WebACLs attached to ALBs managed by the AWS Load Balancer Controller through methods other than Ingress annotations may be automatically removed, leaving the ALBs unprotected by WebACL.

Impacted versions: [>=2.0.0;<2.8.2]

Patches

We addressed this issue in version 2.8.2 [2] and recommend customers upgrade. Now, if the WebACL annotation is absent on Ingress objects, any existing WebACL on the ALB will remain intact instead of being removed.

Workarounds

If the previous behavior affected you, you can mitigate it by disabling the WebACL management feature using the --enable-waf and --enable-wafv2 command-line flags [3]

References

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [4] or directly via email to [email protected]. Please do not create a public GitHub issue.

[1] https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#addons

[2] https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.8.2

[3] https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#waf-addons

[4] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

ghsa
#vulnerability#web#amazon#git#kubernetes#aws

**Summary **

The AWS Load Balancer Controller includes an optional, default-enabled feature that manages WAF WebACLs on Application Load Balancers (ALBs) on your behalf. In versions 2.8.1 and earlier, if the WebACL annotation [1] alb.ingress.kubernetes.io/wafv2-acl-arn or alb.ingress.kubernetes.io/waf-acl-id was absent on Ingresses, the controller would automatically disassociate any existing WebACL from the ALBs, including those associated by AWS Firewall Manager (FMS). Customers on impacted versions should upgrade to prevent this issue from occurring.

**Impact **

WebACLs attached to ALBs managed by the AWS Load Balancer Controller through methods other than Ingress annotations may be automatically removed, leaving the ALBs unprotected by WebACL.

Impacted versions: [>=2.0.0;<2.8.2]

**Patches **

We addressed this issue in version 2.8.2 [2] and recommend customers upgrade. Now, if the WebACL annotation is absent on Ingress objects, any existing WebACL on the ALB will remain intact instead of being removed.

**Workarounds **

If the previous behavior affected you, you can mitigate it by disabling the WebACL management feature using the --enable-waf and --enable-wafv2 command-line flags [3]

**References **

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [4] or directly via email to [email protected]. Please do not create a public GitHub issue.

[1] https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#addons

[2] https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.8.2

[3] https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#waf-addons

[4] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

References

  • GHSA-rjfv-pjvx-mjgv
  • https://aws.amazon.com/security/vulnerability-reporting
  • https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.8.2%C2%A0
  • https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#waf-addons
  • https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#addons

ghsa: Latest News

GHSA-27wf-5967-98gx: Kubernetes kubelet arbitrary command execution