Problem Note 68997: SAS® Viya® 2020.1 and later contains an ingress-nginx custom snippet vulnerability (CVE-2021-25742)
Severity: High
Description: SAS Viya 2020.1 and later require configuration of an NGINX ingress controller as part of the Kubernetes cluster. NGINX Ingress Controller, ingress-nginx, is an open-source ingress controller solution for Kubernetes. By default, ingress-nginx supports custom snippets. SAS Viya 2020.1 and later require the use of the custom snippet features and the default ingress-nginx configuration setting of "allow-snippets=true". Because this is a requirement for the SAS Viya deployment, you should not remove or modify the default ingress-nginx setting for snippets.
This requirement exposes the deployment to known vulnerability CVE-2021-25742. A user with Kubernetes namespace administrator privileges could use the custom snippets supported by ingress-nginx to exfiltrate the ingress-nginx service account token and gain access to all secrets in the cluster.
Potential Impact: Remote code execution.
Solution: Steps for addressing this vulnerability can be found in NGINX Ingress Vulnerability Mitigation in the SAS® Viya® Operations Guide.
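Because snippets must stay enabled for SAS Viya, it helps to know which Ingress objects carry snippet annotations and whether any sit outside the namespaces expected to use them. The following inventory check is an added example, not SAS or ingress-nginx code; the namespace name `viya`, the flag names, and the sample Ingress data are constructed assumptions.

```python
PREFIX = "nginx.ingress.kubernetes.io/"
# Default mount path of a pod's service account token in Kubernetes.
SA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def audit_snippets(ingress_list, expected_namespaces):
    """Return one finding per snippet annotation, with flags for review."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        namespace = meta.get("namespace", "default")
        ref = f'{namespace}/{meta.get("name", "?")}'
        for key, value in (meta.get("annotations") or {}).items():
            # Matches configuration-snippet, server-snippet, auth-snippet, ...
            if not (key.startswith(PREFIX) and key.endswith("-snippet")):
                continue
            flags = []
            if namespace not in expected_namespaces:
                flags.append("unexpected-namespace")
            if SA_PATH in value:
                flags.append("references-service-account-path")
            findings.append({"ingress": ref,
                             "annotation": key[len(PREFIX):],
                             "flags": flags})
    return findings


# Constructed sample in the shape of `kubectl get ingress --all-namespaces -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "viya", "name": "sas-app",
                  "annotations": {PREFIX + "configuration-snippet":
                                  'more_set_headers "X-Frame-Options: SAMEORIGIN";'}}},
    {"metadata": {"namespace": "team-a", "name": "web",
                  "annotations": {PREFIX + "server-snippet":
                                  "# constructed placeholder"}}},
    {"metadata": {"namespace": "team-b", "name": "api",
                  "annotations": {PREFIX + "configuration-snippet":
                                  "# constructed: mentions " + SA_PATH + "/token",
                                  PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"namespace": "team-c", "name": "plain"}},
]}

if __name__ == "__main__":
    for f in audit_snippets(SAMPLE, expected_namespaces={"viya"}):
        print(f["ingress"], f["annotation"], ",".join(f["flags"]) or "ok")
```

To run it against a cluster, replace `SAMPLE` with the parsed output of `kubectl get ingress --all-namespaces -o json`.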
Operating System and Release Information
| SAS System | SAS Viya | Linux for x64 | 2020.1 | | Viya | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2022-03-21 14:37:07 |
| Date Created: | 2022-03-10 10:18:24 |