Fix available for Remote Code Execution Vulnerabilities in Ingress NGINX CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974


BMC Software is alerting users to a security vulnerability that requires immediate attention in the following product versions:

Products

BMC Helix Service Management OnPrem versions 21.3.06, 21.3.10, 22.1.06, 23.3.01, 23.3.04, 25.1.01, and later

BMC Helix IT Operations Management OnPrem versions 24.1, 24.2, 24.3, 24.4, 25.1, and later 

BMC Helix Platform Common Services OnPrem versions 24.1, 24.2, 24.3, 24.4, 25.1, and later 

Date

2025/03/27


If you have any questions about this vulnerability, contact Customer Support.

Issue

The #IngressNightmare security issue was discovered in the Kubernetes ingress-nginx controller. Under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller, which can lead to disclosure of the secrets accessible to the controller.

A detailed description of the vulnerabilities can be found here: CVE-2025-24513: ingress-nginx controller - auth secret file path traversal vulnerability

Resolution

You must upgrade ingress-nginx to v1.11.5 or a later patch release.

Upgrade your Ingress version to 1.11.5

Prerequisite

  • You are using Kubernetes 1.26 or later
  • BMC Helix IT Operations Management / BMC Helix Platform Common Services 24.1 or later
  • BMC Helix Service Management 22.1.06 or later

Modify the image version in the controller Deployment or DaemonSet to registry.k8s.io/ingress-nginx/controller:v1.11.5@sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb

If you do not want to upgrade, or do not meet the prerequisites for the Ingress Controller upgrade, perform the following mitigation steps:

Note: You require cluster administrator permissions to perform the steps.

  1. Disable the Validating Admission Controller of ingress-nginx
    • Delete the ValidatingWebhookConfiguration named ingress-nginx-admission
      Example:
      kubectl delete ValidatingWebhookConfiguration ingress-nginx-admission -n ingress-nginx
  2. Edit the ingress-nginx-controller Deployment or DaemonSet and remove the arguments starting with --validating-webhook from the controller container's argument list
    Example:
    - --validating-webhook=:8443
    - --validating-webhook-certificate=/usr/local/certificates/cert
    - --validating-webhook-key=/usr/local/certificates/key


    Note: If you disabled the Validating Admission Controller (step 1), re-enable it after you upgrade your Ingress version to 1.11.5 or later.
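The following POSIX shell script is an added example, not BMC's or the ingress-nginx project's code. It checks a cluster against the two remediation paths above: whether the controller image tag is at or above the fixed release v1.11.5, and, if not, whether the --validating-webhook arguments have been removed (the mitigation). It assumes image references follow the registry/repo:vX.Y.Z[@sha256:...] form and that container arguments are given one per line, as the kubectl jsonpath queries in the comments would print them. The sample image references and argument lists are constructed inputs; the unpatched digest is a placeholder, the patched one is the digest from this advisory.

```shell
#!/bin/sh
# Added example (not BMC's or the ingress-nginx project's code): classify an
# ingress-nginx controller as patched, mitigated, or exposed, using the fixed
# release and the webhook-argument mitigation described in the advisory above.

FIXED_VERSION="1.11.5"   # first patched release named in the advisory

# Constructed sample inputs standing in for live kubectl output.
SAMPLE_IMAGE_OLD='registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:PLACEHOLDER_DIGEST'
SAMPLE_IMAGE_FIXED='registry.k8s.io/ingress-nginx/controller:v1.11.5@sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb'
SAMPLE_ARGS_WEBHOOK='/nginx-ingress-controller
--election-id=ingress-nginx-leader
--validating-webhook=:8443
--validating-webhook-certificate=/usr/local/certificates/cert
--validating-webhook-key=/usr/local/certificates/key'
SAMPLE_ARGS_MITIGATED='/nginx-ingress-controller
--election-id=ingress-nginx-leader'

# image_tag REF -> prints the bare version: strips an @digest suffix, the
# repository path, a leading 'v' and any -prerelease suffix.
image_tag() {
  ref="${1%%@*}"
  tag="${ref##*:}"
  tag="${tag#v}"
  printf '%s\n' "${tag%%-*}"
}

# version_ge A B -> exit 0 when dotted version A >= B (missing components count as 0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ac="${a%%.*}"; bc="${b%%.*}"
    [ "${ac:-0}" -gt "${bc:-0}" ] && return 0
    [ "${ac:-0}" -lt "${bc:-0}" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# needs_upgrade REF -> exit 0 when the controller image is older than FIXED_VERSION.
needs_upgrade() {
  if version_ge "$(image_tag "$1")" "$FIXED_VERSION"; then return 1; fi
  return 0
}

# webhook_enabled ARGS -> exit 0 when any argument still starts with --validating-webhook.
webhook_enabled() {
  printf '%s\n' "$1" | grep -q -- '^--validating-webhook'
}

# assess REF ARGS -> prints one of: patched | mitigated | exposed
assess() {
  if ! needs_upgrade "$1"; then
    echo patched
  elif ! webhook_enabled "$2"; then
    echo mitigated
  else
    echo exposed
  fi
}

# Run on the constructed samples. For a live cluster, feed assess with:
#   kubectl get deploy ingress-nginx-controller -n ingress-nginx \
#     -o jsonpath='{.spec.template.spec.containers[0].image}'
#   kubectl get deploy ingress-nginx-controller -n ingress-nginx \
#     -o jsonpath='{range .spec.template.spec.containers[0].args[*]}{@}{"\n"}{end}'
assess "$SAMPLE_IMAGE_OLD" "$SAMPLE_ARGS_WEBHOOK"      # exposed
assess "$SAMPLE_IMAGE_OLD" "$SAMPLE_ARGS_MITIGATED"    # mitigated
assess "$SAMPLE_IMAGE_FIXED" "$SAMPLE_ARGS_WEBHOOK"    # patched
```

A "mitigated" result only means the webhook arguments are gone from the controller spec; the advisory's step 1 (deleting the cluster-scoped ValidatingWebhookConfiguration) is a separate check, and the webhook must be re-enabled once the controller is on 1.11.5 or later. Substitute the DaemonSet name if your controller runs as one.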
