CVE-2025-1974 – Patch for: Critical Ingress NGINX Controller vulnerabilities

1. CVEs information

Please refer to https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html for more information about the CVEs listed below.

  • CVE-2025-24513
  • CVE-2025-24514
  • CVE-2025-1097
  • CVE-2025-1098
  • CVE-2025-1974

This KB article provides instructions for BCM 10 (section 2) and BCM 9.2 (section 3) where the Ingress controller is deployed through a manifest by BCM.

Updating this component in Kubernetes should in theory not cause downtime of the Ingress controller, since Kubernetes is designed to run replacement Pods before terminating old ones.

2. BCM 10 Patching Ingress Controller

# Please execute these steps on the BCM Head Node, for example in /root
wget https://support2.brightcomputing.com/CVE-2025-1974/kube_update_ingress.py
chmod +x kube_update_ingress.py

The --help output of the script:

usage: kube_update_ingress.py [-h] (--list | --status | --backup-and-patch | --restore-backup)
                              [--cluster CLUSTER]

The list of Kube Cluster labels can be queried using cmsh as follows:

# ./kube_update_ingress.py --list
Available list of Kube Clusters:
- default

In the above example there is only one Kubernetes cluster set up, with the label “default”. We need to provide this label to the update script.

We can safely execute the following first step (nothing will be updated):

# ./kube_update_ingress.py --cluster default --status
Ingress version 1.11.2 needs to be upgraded to 1.11.5.

In the above example an existing manifest is found for version 1.11.2, which requires an update to 1.11.5 in order to fix the CVE vulnerabilities. We can continue with a backup + update as follows. If nothing needs to be updated, the output will say so.

# ./kube_update_ingress.py --cluster default --backup-and-patch
Successfully backed up ingress controller configuration for default
Backup file: default_ingress_backup.yaml
Ingress version 1.11.2 needs to be upgraded to 1.11.5.

The backup is written to the current directory (/root in this case) as “default_ingress_backup.yaml”. The kube_update_ingress.py script uses this file to roll back the update.

A rollback is executed as follows:

# ./kube_update_ingress.py --cluster default --restore-backup
Successfully restored ingress controller configuration for default from backup

To verify that the update was successful we can repeat the status check:

# ./kube_update_ingress.py --cluster default --status

We can also have a look at the ingress-nginx Pods using kubectl:

# kubectl describe pod -n ingress-nginx | grep Image:
...
    Image:           registry.k8s.io/ingress-nginx/controller:v1.11.5
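
The kubectl check above only eyeballs one Image line. The following added example (not part of kube_update_ingress.py or BCM) parses the full `kubectl describe pod -n ingress-nginx` output, ignores non-controller images, and compares each controller tag numerically against the 1.11.5 target, so that a leftover 1.9.x or 1.11.2 Pod is reported even though it sorts "higher" as a string; the sample output is constructed.

```python
# Added example for this KB (not kube_update_ingress.py code): confirm the rollout
# landed on the target tag by parsing the 'kubectl describe pod' output of section 2.
import re

CONTROLLER_IMAGE = "registry.k8s.io/ingress-nginx/controller"
TARGET_VERSION = "1.11.5"  # version the KB's script installs
IMAGE_LINE = re.compile(r"^\s*Image:\s+(\S+)\s*$", re.MULTILINE)

def parse_version(tag):
    """'v1.11.5' -> (1, 11, 5); numeric so 1.9.x sorts below 1.11.x."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))

def check_controller_images(describe_output, target=TARGET_VERSION):
    """Return (image, verdict) for every controller image in the output."""
    want, results = parse_version(target), []
    for image in IMAGE_LINE.findall(describe_output):
        name = image.split("@")[0]             # drop any @sha256:... digest
        repo, _, tag = name.rpartition(":")
        if "/" in tag:                         # ':' was a registry port, no tag
            repo, tag = name, ""
        if repo != CONTROLLER_IMAGE:
            continue                           # skip sidecars / admission jobs
        try:
            have = parse_version(tag)
            verdict = ("patched" if have == want
                       else "outdated" if have < want else "newer")
        except ValueError:
            verdict = "no-version"             # digest-only or ':latest'
        results.append((image, verdict))
    return results

def all_patched(results):
    """True only if a controller image was seen and every one is patched."""
    return bool(results) and all(v == "patched" for _, v in results)

# Constructed sample: one Pod still on 1.11.2, one on 1.11.5, one unrelated image.
SAMPLE_DESCRIBE = """\
Name:         ingress-nginx-controller-aaaaa
    Image:           registry.k8s.io/ingress-nginx/controller:v1.11.2
Name:         ingress-nginx-controller-bbbbb
    Image:           registry.k8s.io/ingress-nginx/controller:v1.11.5
    Image:           registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3
"""

if __name__ == "__main__":
    found = check_controller_images(SAMPLE_DESCRIBE)
    print(found, "all patched" if all_patched(found) else "UPDATE INCOMPLETE")
```

On a real head node, feed it `kubectl describe pod -n ingress-nginx` via stdin or a file instead of SAMPLE_DESCRIBE; "UPDATE INCOMPLETE" means an old replica is still serving traffic.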

3. BCM 9.2 Patching Ingress Controller

For BCM 9.2 we assume Kubernetes version 1.28. Older versions of Kubernetes may be upgradable but have not been tested, and the script will not attempt to upgrade them. The version of the Ingress controller deployed in BCM 9.2 is 1.9.x, and at the time of writing the upstream project has not released a patched version for either 1.9 or 1.10. Our testing showed that upgrading from 1.9.x to 1.11.5 works, which is what the script will do.

If these preconditions are met, the steps from section 2 can be executed to update, and should result in the Ingress controller being updated to version 1.11.5.

Updated on April 10, 2025