Security Advisory
Security advisories supplement security bulletins, providing additional details regarding vulnerabilities and offering remediation steps.
Security Advisory 002 - Kubernetes Race Condition
This advisory outlines security vulnerabilities related to the use of the os.RemoveAll function in Go, which affects Kubernetes clusters compiled with vulnerable Go versions, as well as the recommended remediation actions.
- Release Date: June 18, 2025
- Last Updated: June 18, 2025
- Severity: High
- Affected Versions: Kubernetes versions that were compiled with Go versions earlier than 1.21.11 or 1.22.4
- Fixed Versions: v1.27.15+, v1.28.11+, v1.29.6+, and v1.30.2+
Related CVEs
This advisory has not been assigned a CVE.
Timeline
- June 17, 2025: First notified of vulnerabilities.
Summary
The identified vulnerability affects Kubernetes versions that were compiled with Go versions earlier than 1.21.11 or 1.22.4. The issue relates to the use of the os.RemoveAll function in Go. It involves a symlink race condition that allows local non-root users (such as a containerized process) with the same UID as the Pod user to delete arbitrary directories on a host node with root privileges. This issue is especially relevant in environments running multi-tenant or untrusted workloads, where a compromised workload may pose a broader threat to the host.
All the clusters using an affected Kubernetes version must be updated manually. Users must review their cluster profiles, workload clusters, and instances of Palette Enterprise or Palette VerteX, and upgrade the Kubernetes version to a fixed version. The following Kubernetes versions, available in Palette Enterprise or Palette VerteX deployments for workload cluster provisioning, are vulnerable.
| Palette Version | Kubernetes Versions |
|---|---|
| Palette Enterprise 4.6.x | < 1.30.2, < 1.29.6, < 1.28.11, < 1.27.15 |
| Palette Enterprise 4.5.x | < 1.30.2, < 1.29.6, < 1.28.11, < 1.27.15, < 1.26.15 |
| Palette Enterprise 4.4.x | < 1.30.2, < 1.29.6, < 1.28.11, < 1.27.15, < 1.26.15 |
| Palette Enterprise 4.3.x | < 1.29.6, < 1.28.11, < 1.27.15, < 1.26.15 |
| Palette Enterprise 4.2.x | < 1.28.11, < 1.27.15, < 1.26.15 |
| Palette Enterprise 4.1.x | < 1.28.11, < 1.27.15, < 1.26.15 |
| Palette Enterprise 4.0.x | < 1.27.15, < 1.26.15 |
Recommended Actions
This vulnerability affects both workload clusters and Palette deployments. If you have any workload clusters, Palette Enterprise or Palette VerteX clusters using an affected Kubernetes version, you must update the cluster to use one of the patched versions (v1.27.15, v1.28.11, v1.29.6, and v1.30.2) or newer.
- Refer to the Update a Cluster Profile guide for instructions on how to update a cluster profile and apply the updates to workload clusters.
- Refer to the Palette Enterprise or Palette VerteX upgrade guides for guidance on upgrading the version for all connected and airgapped Palette Enterprise and Palette VerteX clusters.
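Deciding which nodes and binaries fall under this advisory comes down to comparing two version strings against the thresholds stated above: the Go toolchain a kubelet was built with (which `go version -m <binary>` prints on its first line) and the Kubernetes version that `kubectl get nodes` reports. The script below is an added example, not part of the advisory or of Palette; the `go version -m` output it parses is constructed, and the Kubernetes thresholds combine the Fixed Versions line with the 1.26.15 entry from the table (minors older than 1.26 have no fixed release listed and are treated as affected, which is an assumption).

```shell
#!/bin/sh
# Added example (not part of the advisory): classify a kubelet as affected or fixed
# using the advisory's thresholds. Two inputs are handled:
#   - the Go toolchain version a binary was built with, as printed on the first line
#     of `go version -m <binary>` ("<path>: go1.21.10"), and
#   - the Kubernetes version reported by `kubectl get nodes` (e.g. "v1.30.1").

# Constructed sample of `go version -m /usr/bin/kubelet` output (not a real capture).
SAMPLE_GO_VERSION_OUTPUT='/usr/bin/kubelet: go1.21.10
        path    k8s.io/kubernetes/cmd/kubelet
        mod     k8s.io/kubernetes       v1.30.1'

# Print the "goX.Y.Z" token from the first line of `go version -m` output.
go_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^.*:[[:space:]]*\(go[0-9][0-9.]*\).*$/\1/p'
}

# Split "X.Y.Z" into MAJOR, MINOR and PATCH. A missing patch counts as 0 and a
# non-numeric suffix such as "+rke2r1" is dropped from the patch field.
split_version() {
    MAJOR=$(printf '%s' "$1" | cut -d. -f1)
    MINOR=$(printf '%s' "$1" | cut -d. -f2)
    PATCH=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    PATCH=${PATCH:-0}
}

# Return 0 (affected) for Go versions earlier than 1.21.11 or 1.22.4, the thresholds
# in the advisory. Go 1.20 and older predate both fixes; Go 1.23 and later contain them.
go_version_affected() {
    split_version "${1#go}"
    [ "$MAJOR" -eq 1 ] || return 1
    if [ "$MINOR" -lt 21 ]; then return 0; fi
    if [ "$MINOR" -eq 21 ] && [ "$PATCH" -lt 11 ]; then return 0; fi
    if [ "$MINOR" -eq 22 ] && [ "$PATCH" -lt 4 ]; then return 0; fi
    return 1
}

# Return 0 (affected) for Kubernetes versions below the fixed releases: v1.26.15 (from
# the table), v1.27.15, v1.28.11, v1.29.6 and v1.30.2. Minors older than 1.26 have no
# fixed release listed and are treated as affected (assumption); 1.31 and later are not.
k8s_version_affected() {
    split_version "${1#v}"
    [ "$MAJOR" -eq 1 ] || return 1
    case "$MINOR" in
        26) [ "$PATCH" -lt 15 ] ;;
        27) [ "$PATCH" -lt 15 ] ;;
        28) [ "$PATCH" -lt 11 ] ;;
        29) [ "$PATCH" -lt 6 ] ;;
        30) [ "$PATCH" -lt 2 ] ;;
        *)  [ "$MINOR" -lt 26 ] ;;
    esac
}

# Print "affected" or "fixed" for one node's kubelet version string.
node_status() {
    if k8s_version_affected "$1"; then echo "affected"; else echo "fixed"; fi
}

# Stand-alone run against the constructed sample: the Go toolchain is checked first,
# then the node version that the same binary reports.
go_version_affected "$(go_version_from_output "$SAMPLE_GO_VERSION_OUTPUT")" \
    && echo "kubelet built with an affected Go toolchain"
node_status v1.30.1
```

To apply it to a live cluster, feed each node's `.status.nodeInfo.kubeletVersion` from `kubectl get nodes -o jsonpath` into `node_status`; the Go check needs shell access to the node's kubelet binary and is the more reliable of the two when a distribution rebuilds Kubernetes with its own toolchain.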
Security Advisory 001 - Nginx Vulnerability
This advisory outlines security vulnerabilities related to ingress-nginx and the recommended remediation actions.
- Release Date: March 27, 2025
- Last Updated: April 8, 2025
- Severity: 9.8
- Affected Versions: All versions prior to v1.11.0, v1.11.0 - v1.11.4, and v1.12.0
- Fixed Versions: v1.11.5 and v1.12.1
Related CVEs
Refer to the Security Bulletins page for detailed information about each CVE.
Timeline
- March 24, 2025: First notified of vulnerabilities.
- March 24, 2025: CVE bulletin published.
- March 26, 2025: New Nginx pack published.
- March 26, 2025, 11:30 PM PST - March 27, 2025, 12:43 AM PST: All managed Palette instances patched.
- March 27, 2025: Manual patch procedure provided for connected and airgapped Palette Enterprise and VerteX installations.
- March 28, 2025: Affected Nginx packs deprecated.
- March 28, 2025: Connected Palette Enterprise and VerteX patches available for versions 4.5 and 4.6.
- April 1, 2025: Connected Palette Enterprise and VerteX patches available for version 4.4.
- April 2, 2025: Airgapped Palette Enterprise and VerteX patches available for versions 4.4 and 4.6.
- April 4, 2025: Airgapped Palette Enterprise and VerteX patches available for version 4.5.
Summary
The identified CVEs affect all ingress-nginx controller deployments using the vulnerable image versions mentioned in this advisory. When chained together, the vulnerabilities can enable unauthenticated users to execute arbitrary code and download confidential information such as secrets available in the cluster. These vulnerable images are used in the Palette and VerteX management planes. Spectro Cloud also provides the Nginx pack to customers for their workload clusters, which contains several vulnerable image versions.
As of April 4, 2025, all vulnerable Nginx packs have been deprecated, all managed Palette instances have been patched, and patches are available for connected and airgapped Palette Enterprise and VerteX versions 4.4 - 4.6.
All workload clusters across all Palette and VerteX installations must be updated manually. All users should review their cluster profiles and workload clusters and upgrade the Nginx pack to version 1.11.5.
Recommended Actions
This vulnerability affects both workload clusters and Palette deployments.
- If you have any workload clusters using the affected version of the Nginx pack, you must update the cluster profile to use version 1.11.5 of the Nginx pack. Refer to the Update a Cluster Profile guide for instructions on how to update a cluster profile and apply the updates to workload clusters.
- Connected and airgapped Palette Enterprise and VerteX versions 4.4 - 4.6 must apply the latest patch to automatically upgrade the ingress-nginx-controller DaemonSet to version 1.11.5. For guidance on upgrading your Palette version, refer to the Palette Enterprise or VerteX upgrade guide.
Warning: If you do not apply the patch, follow the steps described in the upcoming sections to manually upgrade the controller version.
Multi-Tenant and Dedicated SaaS Palette
As of March 26, 2025, the ingress-nginx-controller DaemonSet used for multi-tenant and dedicated SaaS Palette has been upgraded to version 1.11.5.
Workload clusters must be identified and updated manually to use version 1.11.5 of the Nginx pack. Follow the instructions below to upgrade Nginx.
1. Log in to Palette.
2. Navigate to the left main menu and select Clusters.
3. Select a workload cluster to review. Navigate to the cluster's Profile tab and note if the cluster profile being used contains Nginx.
4. Repeat step 3 for each cluster to ensure all cluster profiles using Nginx are identified.
5. Update all cluster profiles currently using the affected version of the Nginx pack to 1.11.5. Refer to the Update a Cluster Profile guide for instructions on how to update a cluster profile.
6. Apply the profile updates to all affected clusters. Refer to the Apply Profile Updates to Clusters guide to learn how to apply profile updates to clusters.
Palette Enterprise or VerteX Installed with Helm Charts
If you have any instances of Palette Enterprise or VerteX installed via Helm Charts with the affected version of the ingress-nginx-controller DaemonSet, you must update it to version 1.11.5. Follow the steps below to download the updated version of the component and update your instance.
1. Use the kubeconfig file and kubectl tool to access your Palette Enterprise or VerteX cluster. Refer to the Access Cluster with CLI guide for more information.
2. Check the image used by the ingress-nginx-controller DaemonSet in the ingress-nginx namespace.
   kubectl get daemonset ingress-nginx-controller --namespace ingress-nginx --output yaml | grep 'image:'
3. Once you identify the image, update its tag to v1.11.5. You can use the kubectl set image command to update the image.
   - If the ingress-nginx-controller DaemonSet is using the image gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.2, update it to gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.5. Replace <container-name> with the name of the container.
     kubectl set image daemonset/ingress-nginx-controller <container-name>=gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.5 --namespace ingress-nginx
   - If the ingress-nginx-controller DaemonSet is using the image us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.2, update it to us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.5. Replace <container-name> with the name of the container.
     kubectl set image daemonset/ingress-nginx-controller <container-name>=us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.5 --namespace ingress-nginx
Palette Enterprise or VerteX Installed with the Palette CLI
If you have any instances of Palette Enterprise or VerteX installed via the Palette CLI with the affected version of the ingress-nginx-controller DaemonSet, you must update it to version 1.11.5. Follow the steps below to download the updated version of the component and update your instance.
1. Use the kubeconfig file and kubectl tool to access your Palette Enterprise or VerteX cluster. Refer to the Access Cluster with CLI guide for more information.
2. Scale down the palette-controller-manager deployment to zero replicas in the cluster-mgmt-* namespace, replacing * with the suffix associated with your namespace.
   kubectl scale deployment palette-controller-manager --replicas=0 --namespace cluster-mgmt-*
3. Scale down the cluster-management-agent deployment to zero replicas in the cluster-mgmt-* namespace, replacing * with the suffix associated with your namespace.
   kubectl scale deployment cluster-management-agent --replicas=0 --namespace cluster-mgmt-*
4. Confirm that both deployments have been scaled down to zero replicas. Replace * with the suffix associated with your namespace.
   kubectl get deployments --namespace cluster-mgmt-*
5. Check the image used by the ingress-nginx-controller DaemonSet in the ingress-nginx namespace.
   kubectl get daemonset ingress-nginx-controller --namespace ingress-nginx --output yaml | grep 'image:'
6. Once you identify the image, update its tag to v1.11.5. You can use the kubectl set image command to update the image.
   - If the ingress-nginx-controller DaemonSet is using the image gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.2, update it to gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.5. Replace <container-name> with the name of the container.
     kubectl set image daemonset/ingress-nginx-controller <container-name>=gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.5 --namespace ingress-nginx
   - If the ingress-nginx-controller DaemonSet is using the image us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.2, update it to us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.5. Replace <container-name> with the name of the container.
     kubectl set image daemonset/ingress-nginx-controller <container-name>=us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.5 --namespace ingress-nginx
Airgap Palette Enterprise or VerteX
If you have any airgapped instances of Palette Enterprise or VerteX using the affected version of the ingress-nginx-controller DaemonSet, you must update it to version 1.11.5. Follow the steps below to download the updated version of the component and update your instance.
Palette Enterprise
1. Contact your Palette support representative to obtain the airgap-palette-nginx binary version 1.11.5. Ensure the SHA of the binary is 8148734578378da043b918f893f3bbfcae9d421b9ac4426e10762d832734e1dd. Once obtained, upload the airgap-palette-nginx binary to the registry. Follow the Usage Instructions guide for detailed steps on downloading and installing the binary.
2. Log in to the Palette system console.
3. From the left Main Menu, select Administration > Pack Registries. Then, next to the packs registry, click the three-dot button > Sync. Wait for the registry synchronization to complete.
4. Use the kubeconfig file and kubectl tool to access your Palette Enterprise cluster. Refer to the Access Cluster with CLI guide for more information.
5. Scale down the palette-controller-manager deployment to zero replicas in the cluster-mgmt-* namespace, replacing * with the suffix associated with your namespace.
   kubectl scale deployment palette-controller-manager --replicas=0 --namespace cluster-mgmt-*
6. Scale down the cluster-management-agent deployment to zero replicas in the cluster-mgmt-* namespace, replacing * with the suffix associated with your namespace.
   kubectl scale deployment cluster-management-agent --replicas=0 --namespace cluster-mgmt-*
7. Confirm that both deployments have been scaled down to zero replicas. Replace * with the suffix associated with your namespace.
   kubectl get deployments --namespace cluster-mgmt-*
8. Check the image used by the ingress-nginx-controller DaemonSet in the ingress-nginx namespace.
   kubectl get daemonset ingress-nginx-controller --namespace ingress-nginx --output yaml | grep 'image:'
9. Once you identify the image, update its tag to v1.11.5. You can use the kubectl set image command to update the image.
   - If the ingress-nginx-controller DaemonSet is using the image gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.2, update it to gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.5. Replace <container-name> with the name of the container.
     kubectl set image daemonset/ingress-nginx-controller <container-name>=gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.5 --namespace ingress-nginx
   - If the ingress-nginx-controller DaemonSet is using the image us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.2, update it to us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.5. Replace <container-name> with the name of the container.
     kubectl set image daemonset/ingress-nginx-controller <container-name>=us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.5 --namespace ingress-nginx
Palette VerteX
1. Contact your Palette support representative to obtain the airgap-vertex-nginx binary version 1.11.5. Ensure the SHA of the binary is 846c1e92f32ddd9a8da7eebd5b6d05517c5626a11e64c34acdf093dacdcb7310. Once obtained, upload the airgap-vertex-nginx binary to the registry. Follow the Usage Instructions guide for detailed steps on downloading and installing the binary.
2. Log in to the Palette VerteX system console.
3. From the left Main Menu, select Administration > Pack Registries. Then, next to the packs registry, click the three-dot button > Sync. Wait for the registry synchronization to complete.
4. Use the kubeconfig file and kubectl tool to access your Palette VerteX cluster. Refer to the Access Cluster with CLI guide for more information.
5. Scale down the palette-controller-manager deployment to zero replicas in the cluster-mgmt-* namespace, replacing * with the suffix associated with your namespace.
   kubectl scale deployment palette-controller-manager --replicas=0 --namespace cluster-mgmt-*
6. Scale down the cluster-management-agent deployment to zero replicas in the cluster-mgmt-* namespace, replacing * with the suffix associated with your namespace.
   kubectl scale deployment cluster-management-agent --replicas=0 --namespace cluster-mgmt-*
7. Confirm that both deployments have been scaled down to zero replicas. Replace * with the suffix associated with your namespace.
   kubectl get deployments --namespace cluster-mgmt-*
8. Check the image used by the ingress-nginx-controller DaemonSet in the ingress-nginx namespace.
   kubectl get daemonset ingress-nginx-controller --namespace ingress-nginx --output yaml | grep 'image:'
9. Once you identify the image, update its tag to v1.11.5. You can use the kubectl set image command to update the image.
   - If the ingress-nginx-controller DaemonSet is using the image gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.2, update it to gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.5. Replace <container-name> with the name of the container.
     kubectl set image daemonset/ingress-nginx-controller <container-name>=gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.5 --namespace ingress-nginx
   - If the ingress-nginx-controller DaemonSet is using the image us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.2, update it to us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.5. Replace <container-name> with the name of the container.
     kubectl set image daemonset/ingress-nginx-controller <container-name>=us-docker.pkg.dev/palette-images/third-party/ingress-nginx/controller:v1.11.5 --namespace ingress-nginx
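The image check and retag steps are the same in the Helm, Palette CLI and airgap procedures above: read the image reference from the DaemonSet, decide whether its tag is one of the affected versions, and run kubectl set image with the same repository and the fixed tag. The script below is an added example, not part of the advisory or of Palette: it classifies the tag found by the grep 'image:' step and builds the matching command so the manual retag cannot pick the wrong tag or registry. The image line it parses is constructed, the container name `controller` is passed in as an assumed value, and the jsonpath query named in the comments is an assumed way of looking that name up.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify the ingress-nginx-controller image
# reported by the "kubectl get daemonset ... | grep 'image:'" step and build the
# kubectl set image command for it.

FIXED_TAG="v1.11.5"
# Constructed sample of one grep 'image:' output line (not a real capture).
SAMPLE_IMAGE_LINE='        image: gcr.io/spectro-images-public/release-fips/ingress-nginx/controller:v1.11.2'

# Return 0 if a controller tag is affected per the advisory: every tag below v1.11.5
# (covers "prior to v1.11.0" and v1.11.0 - v1.11.4) plus v1.12.0. v1.11.5 and v1.12.1
# or later are fixed.
nginx_tag_affected() {
    t=${1#v}
    major=$(printf '%s' "$t" | cut -d. -f1)
    minor=$(printf '%s' "$t" | cut -d. -f2)
    patch=$(printf '%s' "$t" | cut -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -lt 11 ]; then return 0; fi
    if [ "$minor" -eq 11 ] && [ "$patch" -lt 5 ]; then return 0; fi
    if [ "$minor" -eq 12 ] && [ "$patch" -eq 0 ]; then return 0; fi
    return 1
}

# Extract the image reference from an "image: <ref>" YAML line (a leading "- " is tolerated).
image_ref_from_line() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*-*[[:space:]]*image:[[:space:]]*//p'
}

# Keep the repository part of a reference and replace its tag with FIXED_TAG. Assumes
# the reference carries a tag and no digest, as both images in the advisory do.
fixed_image_for() {
    printf '%s:%s\n' "${1%:*}" "$FIXED_TAG"
}

# Print the kubectl set image command for an affected image line; print nothing and
# return 1 when the tag is already fixed. $2 is the container name that the advisory
# leaves as <container-name>; it can be looked up with (assumed approach)
#   kubectl get daemonset ingress-nginx-controller --namespace ingress-nginx \
#       --output jsonpath='{.spec.template.spec.containers[*].name}'
set_image_command() {
    ref=$(image_ref_from_line "$1")
    nginx_tag_affected "${ref##*:}" || return 1
    printf 'kubectl set image daemonset/ingress-nginx-controller %s=%s --namespace ingress-nginx\n' \
        "$2" "$(fixed_image_for "$ref")"
}

# Stand-alone run against the constructed sample; "controller" is an assumed container name.
set_image_command "$SAMPLE_IMAGE_LINE" controller
```

Because the command is only emitted for affected tags, the script is safe to run repeatedly, for instance once per tab of the airgap procedure, and prints nothing once the DaemonSet is already on v1.11.5.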
Airgap Workload Clusters Using the Nginx Pack
If you have any airgap workload clusters using the affected version of the Nginx pack, you must update the cluster profile to version 1.11.5 of the Nginx pack. Follow the steps below to download the updated pack and modify your cluster profile.
Palette Enterprise
1. Contact your Palette support representative to obtain the airgap-pack-nginx binary version 1.11.5. Ensure the SHA of the binary is f526bdf9fba8031d50846e503ea8011d67ffdc23b9331a62ebe644ae49c06fb1. Once obtained, upload the airgap-pack-nginx binary to the registry. Follow the Usage Instructions guide for detailed steps on downloading and installing the binary.
2. Log in to the Palette system console.
3. From the left main menu, select Administration > Pack Registries. Then, next to the packs registry, click the three-dot button > Sync. Wait for the registry synchronization to complete.
4. Log in to the Palette console.
5. Update all cluster profiles currently using the affected version of the Nginx pack. Refer to the Update a Cluster Profile guide for instructions on how to update a cluster profile.
6. Apply the profile updates to all affected clusters. Refer to the Apply Profile Updates to Clusters guide to learn how to apply profile updates to clusters.
Palette VerteX
1. Contact your Palette support representative to obtain the airgap-pack-nginx binary version 1.11.5. Ensure the SHA of the binary is f526bdf9fba8031d50846e503ea8011d67ffdc23b9331a62ebe644ae49c06fb1. Once obtained, upload the airgap-pack-nginx binary to the registry. Follow the Usage Instructions guide for detailed steps on downloading and installing the binary.
2. Log in to the Palette VerteX system console.
3. From the left main menu, select Administration > Pack Registries. Then, next to the packs registry, click the three-dot button > Sync. Wait for the registry synchronization to complete.
4. Log in to the Palette VerteX console.
5. Update all cluster profiles currently using the affected version of the Nginx pack. Refer to the Update a Cluster Profile guide for instructions on how to update a cluster profile.
6. Apply the profile updates to all affected clusters. Refer to the Apply Profile Updates to Clusters guide to learn how to apply profile updates to clusters.