You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Today, the ingress-nginx maintainers have [released patches for a batch of critical vulnerabilities](https://github.com/kubernetes/ingress-nginx/releases) that could make it easy for attackers to take over your Kubernetes cluster. If you are among the over 40% of Kubernetes administrators using [ingress-nginx](https://github.com/kubernetes/ingress-nginx/), you should take action immediately to protect your users and data.
10
+
Today, the ingress-nginx maintainers have released patches for a batch of critical vulnerabilities that could make it easy for attackers to take over your Kubernetes cluster: [ingress-nginx v1.12.1](https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1) and [ingress-nginx v1.11.5](https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5). If you are among the over 40% of Kubernetes administrators using [ingress-nginx](https://github.com/kubernetes/ingress-nginx/), you should take action immediately to protect your users and data.
11
11
12
12
## Background
13
13
@@ -23,7 +23,7 @@ Four of today’s ingress-nginx vulnerabilities are improvements to how ingress-
23
23
24
24
The most serious of today’s vulnerabilities, [CVE-2025-1974](https://github.com/kubernetes/kubernetes/issues/131009), rated [9.8 CVSS](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allows anything on the Pod network to exploit configuration injection vulnerabilities via the Validating Admission Controller feature of ingress-nginx. This makes such vulnerabilities far more dangerous: ordinarily one would need to be able to create an Ingress object in the cluster, which is a fairly privileged action. When combined with today’s other vulnerabilities, **CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required**. In many common scenarios, the Pod network is accessible to all workloads in your cloud VPC, or even anyone connected to your corporate network\! This is a very serious situation.
25
25
26
-
Today, we have [released ingress-nginx v1.12.1 and v1.11.5](https://github.com/kubernetes/ingress-nginx/releases), which have fixes for all five of these vulnerabilities.
26
+
Today, we have released [ingress-nginx v1.12.1](https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1) and [ingress-nginx v1.11.5](https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5), which have fixes for all five of these vulnerabilities.
27
27
28
28
## Your next steps
29
29
@@ -52,3 +52,5 @@ Thanks go out to Nir Ohfeld, Sagi Tzadik, Ronen Shustin, and Hillai Ben-Sasson f
52
52
For further information about the maintenance and future of ingress-nginx, please see this [GitHub issue](https://github.com/kubernetes/ingress-nginx/issues/13002) and/or attend [James and Marco’s KubeCon/CloudNativeCon EU 2025 presentation](https://kccnceu2025.sched.com/event/1tcyc/).
53
53
54
54
For further information about the specific vulnerabilities discussed in this article, please see the appropriate GitHub issue: [CVE-2025-24513](https://github.com/kubernetes/kubernetes/issues/131005), [CVE-2025-24514](https://github.com/kubernetes/kubernetes/issues/131006), [CVE-2025-1097](https://github.com/kubernetes/kubernetes/issues/131007), [CVE-2025-1098](https://github.com/kubernetes/kubernetes/issues/131008), or [CVE-2025-1974](https://github.com/kubernetes/kubernetes/issues/131009)
55
+
56
+
*This blog post was revised in May 2025 to update the hyperlinks.*
Copy file name to clipboardExpand all lines: content/en/blog/_posts/2025-05-15-announcing-etcd-3.6/index.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -112,7 +112,7 @@ In this release, we reduced average memory consumption by at least 50% (see Figu
112
112
- The default value of `--snapshot-count` has been reduced from 100,000 in v3.5 to 10,000 in v3.6. As a result, etcd v3.6 now retains only about 10% of the history records compared to v3.5.
113
113
- Raft history is compacted more frequently, as introduced in [PR/18825][].
114
114
115
-
![figure-1](../2025-05-19-announcing-etcd-3.6/figure-1.png"Diagram of memory usage")
115
+
{{< figure src="figure-1.png" alt="Diagram of memory usage" >}}
116
116
117
117
_**Figure 1:** Memory usage comparison between etcd v3.5.20 and v3.6.0-rc.2 under different read/write ratios.
118
118
Each subplot shows the memory usage over time with a specific read/write ratio. The red line represents etcd
@@ -126,25 +126,25 @@ in both read and write throughput (see Figure 2, 3, 4 and 5). This improvement i
126
126
any single major change, but rather the cumulative effect of multiple minor enhancements. One such
127
127
example is the optimization of the free page queries introduced in [PR/419][].
128
128
129
-
![figure-2](../2025-05-19-announcing-etcd-3.6/figure-2.png"etcd read transaction performance with a high write ratio")
129
+
{{< figure src="figure-2.png" alt="etcd read transaction performance with a high write ratio" >}}
130
130
131
131
_**Figure 2:** Read throughput comparison between etcd v3.5.20 and v3.6.0-rc.2 under a high write ratio. The
132
132
read/write ratio is 0.0078, meaning 1 read per 128 writes. The right bar shows the percentage improvement
133
133
in read throughput of v3.6.0-rc.2 over v3.5.20, ranging from 3.21% to 25.59%._
134
134
135
-
![figure-3](../2025-05-19-announcing-etcd-3.6/figure-3.png"etcd read transaction performance with a high read ratio")
135
+
{{< figure src="figure-3.png" alt="etcd read transaction performance with a high read ratio" >}}
136
136
137
137
_**Figure 3:** Read throughput comparison between etcd v3.5.20 and v3.6.0-rc.2 under a high read ratio.
138
138
The read/write ratio is 8, meaning 8 reads per write. The right bar shows the percentage improvement in
139
139
read throughput of v3.6.0-rc.2 over v3.5.20, ranging from 4.38% to 27.20%._
140
140
141
-
![figure-4](../2025-05-19-announcing-etcd-3.6/figure-4.png"etcd write transaction performance with a high write ratio")
141
+
{{< figure src="figure-4.png" alt="etcd write transaction performance with a high write ratio" >}}
142
142
143
143
_**Figure 4:** Write throughput comparison between etcd v3.5.20 and v3.6.0-rc.2 under a high write ratio. The
144
144
read/write ratio is 0.0078, meaning 1 read per 128 writes. The right bar shows the percentage improvement
145
145
in write throughput of v3.6.0-rc.2 over v3.5.20, ranging from 2.95% to 24.24%._
146
146
147
-
![figure-5](../2025-05-19-announcing-etcd-3.6/figure-5.png"etcd write transaction performance with a high read ratio")
147
+
{{< figure src="figure-5.png" alt="etcd write transaction performance with a high read ratio" >}}
148
148
149
149
_**Figure 5:** Write throughput comparison between etcd v3.5.20 and v3.6.0-rc.2 under a high read ratio.
150
150
The read/write ratio is 8, meaning 8 reads per write. The right bar shows the percentage improvement in
0 commit comments