Rancher 2.2.4 Ingress controller nginx 1.15.6

So we run regular penetration scans on our environment and everything on our Rancher 2.2.4 environment shows the following vulnerability issues. I am reaching out here as I need to address these quickly in our environment.

URL:
Installed version: 1.15.6
Fixed version: 1.16.1 / 1.17.3

  • A denial of service vulnerability exists in the HTTP/2 protocol stack due to improper handling of exceptional conditions. An unauthenticated, remote attacker can exploit this, by manipulating the window size and stream priority of a large data request, to cause a denial of service condition. (CVE-2019-9511)

  • A denial of service vulnerability exists in the HTTP/2 protocol stack due to improper handling of exceptional conditions. An unauthenticated, remote attacker can exploit this, by creating multiple request streams and continually shuffling the priority of the streams, to cause a denial of service condition. (CVE-2019-9513)

  • A denial of service vulnerability exists in the HTTP/2 protocol stack due to improper handling of exceptional conditions. An unauthenticated, remote attacker can exploit this, by sending a stream of headers with a zero length header name and zero length header value, to cause a denial of service condition. (CVE-2019-9516)

Is there an easy way to upgrade the nginx version within the rancher load balancer containers, or is there a new image that we can pull from within rancher that contains nginx 1.16.1? We are using the rancher load balancer image: rancher/nginx-ingress-controller:0.21.0-rancher3

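Added example (not from the original poster, Rancher, or the scanner vendor): a small POSIX shell check that takes the `nginx -v` line from each ingress-controller pod and classifies it against the scanner's fixed versions for CVE-2019-9511 / CVE-2019-9513 / CVE-2019-9516, which is useful for confirming that every node's controller pod actually moved off 1.15.6 after an upgrade, not just the one you happened to exec into. The pod names and `nginx -v` lines in `SAMPLE_REPORT` are constructed sample data; the `kubectl` loop in the header comment is an assumption about how the RKE-deployed ingress controller is labelled and namespaced and should be adjusted to your cluster. Two details matter: `nginx -v` writes to stderr, so the output has to be redirected with `2>&1` before anything can parse it, and "fixed" means either 1.17.3 or later on mainline, or 1.16.1 or later on the 1.16 stable branch, so 1.16.0 and 1.17.0 through 1.17.2 still count as vulnerable.

```shell
#!/bin/sh
# Added example (not from the original post or from Rancher): classify the nginx
# version reported by each ingress-controller pod against the scanner's fixed
# versions for CVE-2019-9511 / CVE-2019-9513 / CVE-2019-9516 (1.16.1 and 1.17.3).
# SAMPLE_REPORT below is constructed sample data. In a live Rancher 2.x cluster
# the rows would come from something like this (namespace and label are
# assumptions about the RKE ingress deployment; adjust to your cluster):
#   kubectl -n ingress-nginx get pods -l app=ingress-nginx -o name |
#     while read -r pod; do
#       printf '%s\t%s\n' "$pod" "$(kubectl -n ingress-nginx exec "$pod" -- nginx -v 2>&1)"
#     done
# nginx -v writes to stderr, hence the 2>&1.

TAB=$(printf '\t')

# Pull "1.15.6" out of "nginx version: nginx/1.15.6"; prints nothing if absent.
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# True (exit 0) when dotted version $1 is >= dotted version $2, compared
# numerically field by field so that 1.15.10 sorts after 1.15.6.
version_ge() {
    vg_v=$1 vg_t=$2
    vg_oldifs=$IFS
    IFS=.
    set -- $vg_v
    v1=${1:-0} v2=${2:-0} v3=${3:-0}
    set -- $vg_t
    t1=${1:-0} t2=${2:-0} t3=${3:-0}
    IFS=$vg_oldifs
    if [ "$v1" -gt "$t1" ]; then return 0; elif [ "$v1" -lt "$t1" ]; then return 1; fi
    if [ "$v2" -gt "$t2" ]; then return 0; elif [ "$v2" -lt "$t2" ]; then return 1; fi
    if [ "$v3" -ge "$t3" ]; then return 0; fi
    return 1
}

# Fixed when >= 1.17.3 (mainline), or on the 1.16 stable branch at >= 1.16.1.
# 1.16.0, every 1.15.x and 1.17.0 through 1.17.2 are all still vulnerable.
nginx_fixed_for_http2_dos() {
    if version_ge "$1" 1.17.3; then return 0; fi
    case $1 in
        1.16.*) if version_ge "$1" 1.16.1; then return 0; fi ;;
    esac
    return 1
}

# Classify one "nginx -v" line as fixed, vulnerable or unknown (unparseable).
classify_nginx_line() {
    cl_ver=$(parse_nginx_version "$1")
    if [ -z "$cl_ver" ]; then
        echo unknown
    elif nginx_fixed_for_http2_dos "$cl_ver"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Emit "pod<TAB>version<TAB>status" for every "pod<TAB>nginx -v line" row of $1.
report_status() {
    while IFS="$TAB" read -r rs_pod rs_line; do
        [ -n "$rs_pod" ] || continue
        printf '%s\t%s\t%s\n' "$rs_pod" "$(parse_nginx_version "$rs_line")" "$(classify_nginx_line "$rs_line")"
    done <<EOF
$1
EOF
}

# Count the vulnerable rows of report_status; a non-zero result is a CI gate failure.
count_vulnerable() {
    report_status "$1" | awk -F'\t' '$3 == "vulnerable" { n++ } END { print n + 0 }'
}

# Constructed sample of what the kubectl loop above would emit (pod<TAB>nginx -v line).
SAMPLE_REPORT="nginx-ingress-controller-2xk9p${TAB}nginx version: nginx/1.15.6
nginx-ingress-controller-7qwlm${TAB}nginx version: nginx/1.17.2
nginx-ingress-controller-c4zrt${TAB}nginx version: nginx/1.17.4"

# Demo run on the constructed sample: one row per pod, then the vulnerable count.
report_status "$SAMPLE_REPORT"
echo "vulnerable pods: $(count_vulnerable "$SAMPLE_REPORT")"
```

On the constructed sample the first two pods (1.15.6 and 1.17.2) are reported vulnerable and the 1.17.4 pod as fixed. In a real cluster, feed `count_vulnerable` the output of the `kubectl` loop and fail the pipeline when it is non-zero; the actual remediation is still the updated `rancher/nginx-ingress-controller` image tracked in the Rancher issue linked in the replies below, this script only confirms the rollout landed on every node.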

Looks like they are in the process of fixing this: https://github.com/rancher/rancher/issues/21826

Also see Nginx-ingress-controller upgrade to 0.25.1