NGINX.COM
Web Server Load Balancing with NGINX Plus
Ilya Krutov
Ilya Krutov of F5
Product Marketing Manager, NGINX
November 3, 2023

On October 25, 2023, three CVEs were reported by the National Institute of Standards and Technology (NIST) that affected NGINX Ingress Controller for Kubernetes:

  • CVE-2022-4886 – ingress-nginx path sanitization can be bypassed with log_format directive.
  • CVE-2023-5043 – ingress-nginx annotation injection causes arbitrary command execution.
  • CVE-2023-5044 – Code injection occurs via nginx.ingress.kubernetes.io/permanent-redirect annotation.

That report and subsequent publications (such as Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes) caused some confusion (and a number of support inquiries) pertaining to which NGINX Ingress controllers are actually affected and who should be concerned about addressing vulnerabilities described by these CVEs.

The confusion is totally understandable – did you know that there is more than one Ingress controller based on NGINX? To start, there are two completely different projects named “NGINX Ingress Controller”:

  • Community project – Found in the kubernetes/ingress-nginx repo on GitHub, this Ingress controller is based on the NGINX Open Source data plane but developed and maintained by the Kubernetes community, with docs hosted on GitHub.
  • NGINX project – Found in the nginxinc/kubernetes-ingress repo on GitHub, NGINX Ingress Controller is developed and maintained by F5 NGINX with docs on docs.nginx.com. This official NGINX project is available in two editions:
    • NGINX Open Source‑based (free and open source option)
    • NGINX Plus-based (commercial option)

There are also other Ingress controllers based on NGINX, such as Kong. Fortunately, their names are easily distinguished. If you’re not sure which one you’re using, check the container image of the running Ingress controller, then compare the Docker image name with the repos listed above.

The vulnerabilities (CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044) described above only apply to the community project (kubernetes/ingress-nginx). NGINX projects for NGINX Ingress Controller (nginxinc/kubernetes-ingress, both open source and commercial) are not affected by these CVEs.

For more information about the differences between NGINX Ingress Controller and Ingress controller projects, read our blog A Guide to Choosing an Ingress Controller, Part 4: NGINX Ingress Controller Options.

Hero image

Learn how to deploy, configure, manage, secure, and monitor your Kubernetes Ingress controller with NGINX to deliver apps and APIs on-premises and in the cloud.

Download Now


About The Author

Ilya Krutov

Ilya Krutov

Product Marketing Manager, NGINX

More Blogs By Ilya Krutov

About F5 NGINX

F5, Inc. is the company behind NGINX, the popular open source project. We offer a suite of technologies for developing and delivering modern applications. Together with F5, our combined solution bridges the gap between NetOps and DevOps, with multi-cloud application services that span from code to customer.

Learn more at nginx.com or join the conversation by following @nginx on Twitter.

Get Started

Rocketship

Try Out NGINX Plus on Your Turf

Get Started
head with a headset

Ask Us a Question

Contact Sales