Full Report
Insights Hub Private Cloud is affected by multiple vulnerabilities in Ingress NGINX Controller for Kubernetes. These vulnerabilities could lead to arbitrary code execution in the context of the ingress-nginx controller, disclosure of Secrets accessible to the controller, or a denial of service condition. Siemens has released a new version of Insights Hub Private Cloud and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Ingress NGINX Controller for Insights Hub Private Cloud
## CVE Details
- CVE ID: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514
- CVSS Score: 9.8 (CVE-2025-1974) / 8.8 (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514) / 4.8 (CVE-2025-24513)
- CWE: CWE-20 (Improper Input Validation), CWE-653 (Improper Isolation or Compartmentalization)
## Affected Systems
- Products: Insights Hub Private Cloud
- Versions: All versions affected by the listed CVEs.
- Configurations: Vulnerabilities primarily target the configuration of the Ingress NGINX Controller for Kubernetes within the environment.
## Vulnerability Description
The advisory addresses multiple vulnerabilities stemming from flaws in the Ingress NGINX Controller for Kubernetes utilized by Insights Hub Private Cloud. These vulnerabilities allow for:
1. **Arbitrary Code Execution (ACE):** Exploitation via specific Ingress annotations (`auth-tls-match-cn`, `mirror-target`, `mirror-host`, `auth-url`) can inject configurations into NGINX, leading to ACE within the ingress-nginx controller context. (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514)
2. **Unauthenticated ACE/Secret Disclosure:** CVE-2025-1974, rated Critical (9.8), allows an unauthenticated attacker with access to the pod network to achieve ACE in the controller context and disclose Secrets accessible to the controller (which typically includes cluster-wide Secrets in default installations).
3. **Denial of Service (DoS) and Limited Secret Disclosure:** In CVE-2025-24513, the Admission Controller feature includes attacker-provided data in a filename, which allows directory traversal within the container and can lead to DoS or limited Secret disclosure.
## Exploitation
- Status: Details on active exploitation are not provided, but the severity of several flaws suggests a high likelihood of public exploit availability or creation.
- Complexity: Varies. CVE-2025-1974 (9.8) is rated Low attack complexity with no privileges required (PR:N/AC:L). The others typically require authentication (PR:L) or specific conditions.
- Attack Vector: Network (AV:N) for most critical flaws.
## Impact
- Confidentiality: High (Disclosure of Secrets accessible to the controller, potentially cluster-wide Secrets).
- Integrity: High (Arbitrary Code Execution within the controller process).
- Availability: High (Denial of Service condition possible via CVE-2025-24513).
## Remediation
### Patches
- Siemens has released a new version for Insights Hub Private Cloud. Customers must contact customer support to receive patch and update information to move to the corrected version.
### Workarounds
- Product-specific remediations or mitigations can be found via the links in the vendor advisory.
- Follow general security recommendations, including protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- Indicators of compromise (IOCs) were not detailed in the summary provided.
- Detection methods should focus on monitoring the Ingress controller logs, specifically looking for suspicious activity related to Ingress resource creation or modification using the vulnerable annotations, or unexpected processes/network connections originating from the ingress-nginx controller pod.
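One way to start the annotation review described above is to audit existing Ingress objects for the four annotations this advisory names. The script below is an added example, not part of the Siemens advisory or the ingress-nginx project. It assumes the default `nginx.ingress.kubernetes.io/` annotation prefix and input shaped like `kubectl get ingress --all-namespaces -o json`; the sample data and the priority heuristic are constructed for illustration.

```python
import json

# Annotation names listed in the advisory. The prefix is the ingress-nginx
# default and is an assumption (a cluster may configure a different one).
PREFIX = "nginx.ingress.kubernetes.io/"
WATCHED = ("auth-tls-match-cn", "mirror-target", "mirror-host", "auth-url")

# Triage heuristic (assumption): line breaks and characters that structure an
# NGINX configuration file are unusual in these values and deserve a closer look.
STRUCTURAL = ("\n", "\r", ";", "{", "}")


def audit_ingresses(ingress_list):
    """Return one finding per watched annotation found in an Ingress list."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}  # tolerate missing/null
        for key, value in annotations.items():
            if not key.startswith(PREFIX) or key[len(PREFIX):] not in WATCHED:
                continue
            unusual = any(ch in str(value) for ch in STRUCTURAL)
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "ingress": meta.get("name", "<unnamed>"),
                "annotation": key[len(PREFIX):],
                "priority": "high" if unusual else "review",
            })
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads(r"""
{"items": [
  {"metadata": {"name": "shop", "namespace": "prod", "annotations": {
     "nginx.ingress.kubernetes.io/auth-url": "https://auth.example.internal/check"}}},
  {"metadata": {"name": "test", "namespace": "dev", "annotations": {
     "nginx.ingress.kubernetes.io/mirror-host": "mirror.example\n",
     "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
  {"metadata": {"name": "plain", "namespace": "prod"}}
]}
""")

if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE):
        print(f"{f['priority']:6} {f['namespace']}/{f['ingress']}: {f['annotation']}")
```

A "review" finding only means the annotation is in use; who created or last changed that Ingress still has to be checked against the cluster's audit records.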
## References
- \[Vendor Advisory]: SSA-817234 - Siemens Security Advisory
- \[Siemens Security Guidelines]: https://www.siemens.com/cert/operational-guidelines-industrial-security (defanged)
- \[Siemens General Security Info]: https://www.siemens.com/industrialsecurity (defanged)