{"id":806,"date":"2025-05-15T18:08:19","date_gmt":"2025-05-15T10:08:19","guid":{"rendered":"https:\/\/www.luyouli.com\/?p=806"},"modified":"2025-05-15T20:11:27","modified_gmt":"2025-05-15T12:11:27","slug":"ingress-nginx%e4%ba%94%e4%b8%aa%e6%bc%8f%e6%b4%9ecve-2025-24513-cve-2025-24514-cve-2025-1097-cve-2025-1098-cve-2025-1974-%e7%bc%93%e8%a7%a3%e6%96%b9%e6%b3%95","status":"publish","type":"post","link":"https:\/\/www.luyouli.com\/?p=806","title":{"rendered":"Ingress-Nginx\u4e94\u4e2a\u6f0f\u6d1eCVE-2025-24513 CVE-2025-24514 CVE-2025-1097 CVE-2025-1098 CVE-2025-1974 \u7f13\u89e3\u65b9\u6cd5"},"content":{"rendered":"\n<p>Kubernetes\u5b98\u65b9\u5730\u5740\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/kubernetes.io\/blog\/2025\/03\/24\/ingress-nginx-cve-2025-1974\">https:\/\/kubernetes.io\/blog\/2025\/03\/24\/ingress-nginx-cve-2025-1974<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kubernetes.io\/zh-cn\/blog\/2025\/03\/24\/ingress-nginx-cve-2025-1974\">https:\/\/kubernetes.io\/zh-cn\/blog\/2025\/03\/24\/ingress-nginx-cve-2025-1974<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u963f\u91cc\u4e91\u5b98\u65b9\u5730\u5740\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/help.aliyun.com\/zh\/ack\/product-overview\/security-advisory-for-cve-2025-1097-cve-2025-1098-cve-2025-1974-cve-2025-24513-and-cve-2025-24514\">https:\/\/help.aliyun.com\/zh\/ack\/product-overview\/security-advisory-for-cve-2025-1097-cve-2025-1098-cve-2025-1974-cve-2025-24513-and-cve-2025-24514<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/avd.aliyun.com\/detail?spm=5176.14126787.0.0.14a1ulTRulTRbT&amp;id=CVE-2025-24514\">https:\/\/avd.aliyun.com\/detail?spm=5176.14126787.0.0.14a1ulTRulTRbT&amp;id=CVE-2025-24514<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/avd.aliyun.com\/detail?spm=5176.14126787.0.0.14a1ulTRulTRbT&amp;id=CVE-2025-1097\">https:\/\/avd.aliyun.com\/detail?spm=5176.14126787.0.0.14a1ulTRulTRbT&amp;id=CVE-2025-1097<\/a><\/p>\n\n\n\n<p><a 
href=\"https:\/\/avd.aliyun.com\/detail?spm=5176.14126787.0.0.14a1ulTRulTRbT&amp;id=CVE-2025-1098\">https:\/\/avd.aliyun.com\/detail?spm=5176.14126787.0.0.14a1ulTRulTRbT&amp;id=CVE-2025-1098<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. CVE-2025-24513\uff08\u76ee\u5f55\u904d\u5386\uff09<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u6f0f\u6d1e\u7c7b\u578b<\/strong>\uff1a\u76ee\u5f55\u904d\u5386<\/h4>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u7f13\u89e3\u65b9\u6cd5<\/strong>\uff1a<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u5347\u7ea7\u81f3\u5b89\u5168\u7248\u672c<\/strong>\uff1a<\/li>\n\n\n\n<li>\u5347\u7ea7\u5230 <strong>ingress-nginx v1.11.5 \u6216 v1.12.1 \u53ca\u4ee5\u4e0a\u7248\u672c<\/strong>\uff08\u5b98\u65b9\u4fee\u590d\u7248\u672c\uff09\u3002<\/li>\n\n\n\n<li>\u4e0b\u8f7d\u94fe\u63a5\uff1a<a href=\"https:\/\/github.com\/kubernetes\/ingress-nginx\/releases\">https:\/\/github.com\/kubernetes\/ingress-nginx\/releases<\/a><\/li>\n\n\n\n<li><strong>\u4e34\u65f6\u7f13\u89e3\u63aa\u65bd<\/strong>\uff08\u4e0d\u63a8\u8350\u957f\u671f\u4f7f\u7528\uff09\uff1a<\/li>\n\n\n\n<li><strong>\u7981\u7528 Admission Controller<\/strong>\uff08\u4ec5\u9002\u7528\u4e8e\u5df2\u542f\u7528\u51c6\u5165\u63a7\u5236\u5668\u7684\u573a\u666f\uff09\uff1a\n<ul class=\"wp-block-list\">\n<li>\u5982\u679c\u4f7f\u7528 <strong>Helm<\/strong> \u5b89\u88c5\uff1a<br><code>helm upgrade [RELEASE_NAME] ingress-nginx\/ingress-nginx --set controller.admissionWebhooks.enabled=false -n ingress-nginx<\/code><\/li>\n\n\n\n<li>\u5982\u679c <strong>\u624b\u52a8\u5b89\u88c5<\/strong>\uff1a<\/li>\n\n\n\n<li>\u5220\u9664 <code>ValidatingWebhookConfiguration<\/code>\uff1a<br><code>kubectl delete validatingwebhookconfigurations ingress-nginx-admission<\/code><\/li>\n\n\n\n<li>\u6216\u7f16\u8f91 <code>Deployment\/DaemonSet<\/code>\uff0c\u79fb\u9664 <code>--validating-webhook<\/code> \u53c2\u6570\uff1a<br><code>kubectl edit deployment -n 
ingress-nginx ingress-nginx-controller<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. CVE-2025-24514\uff08auth-url \u6ce8\u89e3\u6ce8\u5165\uff09<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u6f0f\u6d1e\u7c7b\u578b<\/strong>\uff1a\u914d\u7f6e\u6ce8\u5165<\/h4>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u7f13\u89e3\u65b9\u6cd5<\/strong>\uff1a<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u5347\u7ea7\u81f3\u5b89\u5168\u7248\u672c<\/strong>\uff1a<\/li>\n\n\n\n<li>\u5347\u7ea7\u5230 <strong>ingress-nginx v1.11.5 \u6216 v1.12.1 \u53ca\u4ee5\u4e0a\u7248\u672c<\/strong>\u3002<\/li>\n\n\n\n<li><strong>\u6ce8\u610f<\/strong>\uff1a\u5982\u679c\u5df2\u542f\u7528 <code>enable-annotation-validation<\/code> \u53c2\u6570\uff08v1.12.0 \u8d77\u9ed8\u8ba4\u542f\u7528\uff09\uff0c\u5219\u4e0d\u53d7\u6b64\u6f0f\u6d1e\u5f71\u54cd\u3002<\/li>\n\n\n\n<li><strong>\u4e34\u65f6\u7f13\u89e3\u63aa\u65bd<\/strong>\uff1a<\/li>\n\n\n\n<li><strong>\u7981\u7528 Admission Controller<\/strong>\uff08\u4e0e CVE-2025-1974 \u7684\u7f13\u89e3\u63aa\u65bd\u76f8\u540c\uff09\u3002<\/li>\n\n\n\n<li><strong>\u68c0\u67e5\u5e76\u79fb\u9664\u6076\u610f\u6ce8\u89e3<\/strong>\uff1a\n<ul class=\"wp-block-list\">\n<li>\u68c0\u67e5\u6240\u6709 Ingress \u4e2d\u7684 <code>auth-url<\/code> \u6ce8\u89e3\uff1a<br><code>kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\\.ingress\\.kubernetes\\.io\/auth-url'<\/code><\/li>\n\n\n\n<li>\u79fb\u9664 <code>auth-url<\/code> \u6ce8\u89e3\uff1a<br><code>kubectl annotate ingress -n &lt;\u547d\u540d\u7a7a\u95f4&gt; &lt;Ingress\u540d\u79f0&gt; nginx.ingress.kubernetes.io\/auth-url-<\/code><br>仅移除已确认为恶意的注解；移除正常使用的 <code>auth-url<\/code> 注解会使该 Ingress 失去外部认证保护。<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. 
CVE-2025-1097\uff08auth-tls-match-cn \u6ce8\u89e3\u6ce8\u5165\uff09<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u6f0f\u6d1e\u7c7b\u578b<\/strong>\uff1a\u914d\u7f6e\u6ce8\u5165<\/h4>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u7f13\u89e3\u65b9\u6cd5<\/strong>\uff1a<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u5347\u7ea7\u81f3\u5b89\u5168\u7248\u672c<\/strong>\uff1a<\/li>\n\n\n\n<li>\u5347\u7ea7\u5230 <strong>ingress-nginx v1.11.5 \u6216 v1.12.1 \u53ca\u4ee5\u4e0a\u7248\u672c<\/strong>\u3002<\/li>\n\n\n\n<li><strong>\u4e34\u65f6\u7f13\u89e3\u63aa\u65bd<\/strong>\uff1a<\/li>\n\n\n\n<li><strong>\u68c0\u67e5\u5e76\u79fb\u9664\u6076\u610f\u6ce8\u89e3<\/strong>\uff1a\n<ul class=\"wp-block-list\">\n<li>\u68c0\u67e5\u6240\u6709 Ingress \u4e2d\u7684 <code>auth-tls-match-cn<\/code> \u6ce8\u89e3\uff1a<br><code>kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\\.ingress\\.kubernetes\\.io\/auth-tls-match-cn'<\/code><\/li>\n\n\n\n<li>\u79fb\u9664 <code>auth-tls-match-cn<\/code> \u6ce8\u89e3\uff1a<br><code>kubectl annotate ingress -n &lt;\u547d\u540d\u7a7a\u95f4&gt; &lt;Ingress\u540d\u79f0&gt; nginx.ingress.kubernetes.io\/auth-tls-match-cn-<\/code><br>仅移除已确认为恶意的注解；移除正常使用的 <code>auth-tls-match-cn<\/code> 注解会取消该 Ingress 对客户端证书 CN 的匹配校验。<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4. 
CVE-2025-1098\uff08mirror-target\/mirror-host \u6ce8\u89e3\u6ce8\u5165\uff09<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u6f0f\u6d1e\u7c7b\u578b<\/strong>\uff1a\u914d\u7f6e\u6ce8\u5165<\/h4>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u7f13\u89e3\u65b9\u6cd5<\/strong>\uff1a<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u5347\u7ea7\u81f3\u5b89\u5168\u7248\u672c<\/strong>\uff1a<\/li>\n\n\n\n<li>\u5347\u7ea7\u5230 <strong>ingress-nginx v1.11.5 \u6216 v1.12.1 \u53ca\u4ee5\u4e0a\u7248\u672c<\/strong>\u3002<\/li>\n\n\n\n<li><strong>\u4e34\u65f6\u7f13\u89e3\u63aa\u65bd<\/strong>\uff1a<\/li>\n\n\n\n<li><strong>\u68c0\u67e5\u5e76\u79fb\u9664\u6076\u610f\u6ce8\u89e3<\/strong>\uff1a\n<ul class=\"wp-block-list\">\n<li>\u68c0\u67e5\u6240\u6709 Ingress \u4e2d\u7684 <code>mirror-target<\/code> \u548c <code>mirror-host<\/code> \u6ce8\u89e3\uff1a<br><code>kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\\.ingress\\.kubernetes\\.io\/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\\.ingress\\.kubernetes\\.io\/mirror-host'<\/code><\/li>\n\n\n\n<li>\u79fb\u9664\u76f8\u5173\u6ce8\u89e3\uff1a<br><code>kubectl annotate ingress -n &lt;\u547d\u540d\u7a7a\u95f4&gt; &lt;Ingress\u540d\u79f0&gt; nginx.ingress.kubernetes.io\/mirror-target-<\/code><br><code>kubectl annotate ingress -n &lt;\u547d\u540d\u7a7a\u95f4&gt; &lt;Ingress\u540d\u79f0&gt; nginx.ingress.kubernetes.io\/mirror-host-<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5. 
CVE-2025-1974\uff08\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\uff09<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u6f0f\u6d1e\u7c7b\u578b<\/strong>\uff1a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c<\/h4>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u7f13\u89e3\u65b9\u6cd5<\/strong>\uff1a<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u5347\u7ea7\u81f3\u5b89\u5168\u7248\u672c<\/strong>\uff08<strong>\u6700\u9ad8\u4f18\u5148\u7ea7<\/strong>\uff09\uff1a<\/li>\n\n\n\n<li>\u5347\u7ea7\u5230 <strong>ingress-nginx v1.11.5 \u6216 v1.12.1 \u53ca\u4ee5\u4e0a\u7248\u672c<\/strong>\u3002<\/li>\n\n\n\n<li>\u4e0b\u8f7d\u94fe\u63a5\uff1a<a href=\"https:\/\/github.com\/kubernetes\/ingress-nginx\/releases\">https:\/\/github.com\/kubernetes\/ingress-nginx\/releases<\/a><\/li>\n\n\n\n<li><strong>\u4e34\u65f6\u7f13\u89e3\u63aa\u65bd<\/strong>\uff08\u4ec5\u9002\u7528\u4e8e\u65e0\u6cd5\u7acb\u5373\u5347\u7ea7\u7684\u573a\u666f\uff09\uff1a<\/li>\n\n\n\n<li><strong>\u7981\u7528 Admission Controller<\/strong>（禁用后 Ingress 配置将不再经过准入校验，升级至安全版本后请重新启用）\uff1a\n<ul class=\"wp-block-list\">\n<li>\u5982\u679c\u4f7f\u7528 <strong>Helm<\/strong> \u5b89\u88c5\uff1a<br><code>helm upgrade [RELEASE_NAME] ingress-nginx\/ingress-nginx --set controller.admissionWebhooks.enabled=false -n ingress-nginx<\/code><\/li>\n\n\n\n<li>\u5982\u679c <strong>\u624b\u52a8\u5b89\u88c5<\/strong>\uff1a<\/li>\n\n\n\n<li>\u5220\u9664 <code>ValidatingWebhookConfiguration<\/code>\uff1a<br><code>kubectl delete validatingwebhookconfigurations ingress-nginx-admission<\/code><\/li>\n\n\n\n<li>\u6216\u7f16\u8f91 <code>Deployment\/DaemonSet<\/code>\uff0c\u79fb\u9664 <code>--validating-webhook<\/code> \u53c2\u6570\uff1a<br><code>kubectl edit deployment -n ingress-nginx ingress-nginx-controller<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>Kubernetes\u5b98\u65b9\u5730\u5740\uff1a https:\/\/kubernetes.io\/blog\/2025\/03\/24\/i 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-806","post","type-post","status-publish","format-standard","hentry","category-kubernetes"],"blocksy_meta":[],"views":1275,"_links":{"self":[{"href":"https:\/\/www.luyouli.com\/index.php?rest_route=\/wp\/v2\/posts\/806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.luyouli.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.luyouli.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.luyouli.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.luyouli.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=806"}],"version-history":[{"count":4,"href":"https:\/\/www.luyouli.com\/index.php?rest_route=\/wp\/v2\/posts\/806\/revisions"}],"predecessor-version":[{"id":810,"href":"https:\/\/www.luyouli.com\/index.php?rest_route=\/wp\/v2\/posts\/806\/revisions\/810"}],"wp:attachment":[{"href":"https:\/\/www.luyouli.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.luyouli.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.luyouli.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}