This page provides up-to-date information on security vulnerabilities affecting Azure Kubernetes Service (AKS) and its components. This information includes details on:
- Critical Security Advisories – High-impact security vulnerabilities, including zero-day vulnerabilities and other critical CVEs requiring immediate attention, along with mitigation guidance.
- Ongoing Security Investigations – Security issues under review, including CVEs where a patch isn't yet available or further assessment is needed.
- False Positives & Non-Exploitable CVEs – Cases where a reported CVE doesn't impact AKS due to specific configurations, mitigations, or lack of exploitability.
These updates cover security information related to the following AKS components:
- Azure Kubernetes Service (AKS)
- Azure Kubernetes Service Node Image (AKS Node Image)
- Azure Kubernetes Service Addons (AKS add-ons)
AKS-2025-007 Important Security Update for Kubernetes Nginx Ingress Controller
Published Date: March 24, 2025
Description
Several security vulnerabilities affecting the Kubernetes nginx ingress controller were disclosed on March 24, 2025: CVE-2025-1098 (High), CVE-2025-1974 (Critical), CVE-2025-1097 (High), CVE-2025-24514 (High), and CVE-2025-24513 (Medium).
The CVEs impact ingress-nginx. (If you don't have ingress-nginx installed on your cluster, you aren't affected.)
You can check for ingress-nginx by running kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx.
References
Affected Components
Affected Versions
- < v1.11.0
- v1.11.0 - 1.11.4
- v1.12.0
Resolutions
If you're using the Managed NGINX ingress with the application routing add-on on AKS, the patches are getting rolled out to all regions with the AKS v2050316 release. No action is required. You can check the release status from AKS release tracker.
If you're running your own Kubernetes NGINX Ingress Controller, review the CVEs and mitigate by updating to the latest patch versions (v1.11.5 and v1.12.1).
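As an added example (not part of the advisory), the following script applies the affected-version ranges above to the JSON output of kubectl get pods -A -o json and lists any self-managed controller that still needs the v1.11.5 or v1.12.1 update. The image name pattern and the sample pod list are assumptions constructed for illustration.

```python
import json
import re

# Patched releases named in the advisory: v1.11.5 for the 1.11 line, v1.12.1 for the 1.12 line.
FIXED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}

# Matches the controller image tag, e.g. registry.k8s.io/ingress-nginx/controller:v1.11.4
IMAGE_RE = re.compile(r"ingress-nginx/controller[^:@]*:v?(\d+)\.(\d+)\.(\d+)")

def ingress_nginx_affected(version):
    """True if a (major, minor, patch) controller version is in the advisory's affected ranges:
    anything below v1.11.0, v1.11.0 through v1.11.4, and v1.12.0."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return version < (1, 11, 0)  # older lines are affected; newer lines aren't listed
    return version < fixed

def find_affected_controllers(pods_json):
    """Scan `kubectl get pods -A -o json` output; return (namespace, pod, version) per affected controller."""
    hits = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            m = IMAGE_RE.search(c.get("image", ""))
            if m:
                version = tuple(int(x) for x in m.groups())
                if ingress_nginx_affected(version):
                    hits.append((meta["namespace"], meta["name"], "v%d.%d.%d" % version))
    return hits

# Constructed sample: two controllers on affected releases, one already patched.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-a"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}},
    {"metadata": {"namespace": "ingress-b", "name": "nginx-b"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "edge", "name": "nginx-c"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0000"}]}},
]})

if __name__ == "__main__":
    for ns, name, ver in find_affected_controllers(SAMPLE_PODS):
        print(f"{ns}/{name} runs ingress-nginx {ver}; update to v1.11.5 or v1.12.1")
```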
AKS-2025-006 GitRepo Volume Inadvertent Local Repository Access
Published Date: March 13, 2025
Description
A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node. This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates from Kubernetes upstream, any cluster still using this feature remains vulnerable.
References
Affected Components
Affected Versions
- All AKS cluster versions
Resolutions
Since the in-tree gitRepo volume feature has been deprecated, there is no fix available for the CVE.
To ensure that only allowed volume types can be used, assign the Azure built-in policy definition Kubernetes cluster pods should only use allowed volume types in enforce mode to your AKS clusters; it blocks deployments that use gitRepo volumes. You may view the allowed volume types here. For detailed steps on how to enable Azure Policy on your AKS cluster, review Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy.
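As an added example (not part of the advisory or the policy definition), this script audits the JSON output of kubectl get pods -A -o json for volumes whose type is outside an allow-list, which surfaces any remaining gitRepo usage before the policy is switched to enforce mode. The allow-list and the sample pods are constructed assumptions; the real policy assignment carries its own parameter list.

```python
import json

# Constructed allow-list for illustration; take the real list from the policy assignment's parameters.
ALLOWED_VOLUME_TYPES = {"configMap", "secret", "emptyDir", "persistentVolumeClaim",
                        "projected", "downwardAPI", "csi", "ephemeral"}

def volume_type(volume):
    """A pod volume is {"name": ..., "<type>": {...}}; return the <type> key."""
    keys = [k for k in volume if k != "name"]
    return keys[0] if keys else "unknown"

def find_disallowed_volumes(pods_json, allowed=ALLOWED_VOLUME_TYPES):
    """Scan `kubectl get pods -A -o json` output and return (namespace, pod, volume, type)
    for every volume whose type is not allowed; gitRepo is the one this advisory targets."""
    hits = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod["metadata"]
        for vol in pod.get("spec", {}).get("volumes") or []:
            vtype = volume_type(vol)
            if vtype not in allowed:
                hits.append((meta["namespace"], meta["name"], vol["name"], vtype))
    return hits

# Constructed sample: one pod with a gitRepo volume, one clean pod, one using hostPath.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ci", "name": "builder"},
     "spec": {"volumes": [
         {"name": "src", "gitRepo": {"repository": "https://example.invalid/repo.git", "revision": "main"}},
         {"name": "cache", "emptyDir": {}}]}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "frontend"}}]}},
    {"metadata": {"namespace": "ops", "name": "agent"},
     "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}]}},
]})

if __name__ == "__main__":
    for ns, name, vol, vtype in find_disallowed_volumes(SAMPLE_PODS):
        print(f"{ns}/{name} volume {vol!r} uses disallowed type {vtype}")
```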
AKS-2025-005 Important Security Update for Calico v3.26 Users
Published Date: March 24, 2025
Description
Multiple security issues exist in Calico version 3.26, which is now end of life and no longer receives security fixes. If you're using Calico version 3.26 on AKS Cluster version 1.29.x or earlier, you'll no longer receive security patches for Calico.
References
Affected Components
Affected Versions
- AKS version 1.29 and earlier
Resolutions
Upgrade the AKS cluster version to 1.30 or later, which uses Calico version 3.28.
AKS-2025-004 Issue in ancillary function driver for WinSock in Windows
Published Date: February 11, 2025
Description
A security issue was discovered in the ancillary function driver for WinSock in Windows. This vulnerability allows attackers to exploit network communication flaws, potentially leading to elevation of privilege.
References
Affected Components
Affected Versions
- Windows version 17763.6775.250117
- Windows version 20348.3091.250117
- Windows version 25398.1369.250117
Resolutions
Upgrade Windows node image version to:
- Windows version 17763.6775.250214
- Windows version 20348.3091.250214
- Windows version 25398.1369.250214
- or later
AKS-2025-003 Elevation of Privilege in Windows Storage
Published Date: February 11, 2025
Description
A security issue was discovered in Windows Storage that allows attackers with low-level access to exploit system flaws and gain higher privileges. This vulnerability can potentially lead to the execution of arbitrary code or access to sensitive data.
References
Affected Components
Affected Versions
- Windows version 17763.6775.250117
- Windows version 20348.3091.250117
- Windows version 25398.1369.250117
Resolutions
Upgrade Windows node image version to:
- Windows version 17763.6775.250214
- Windows version 20348.3091.250214
- Windows version 25398.1369.250214
- or later
AKS-2025-002 NTLM Hash Disclosure Spoofing
Published Date: February 11, 2025
Description
A security issue was discovered that exposes Windows users' NTLM hashes. This type of vulnerability can lead to pass-the-hash attacks, where a remote attacker captures and later uses a hash to impersonate a user without needing the plain-text password.
References
Affected Components
Affected Versions
- Windows version 17763.6775.250117
- Windows version 20348.3091.250117
- Windows version 25398.1369.250117
Resolutions
Upgrade Windows node image version to:
- Windows version 17763.6775.250214
- Windows version 20348.3091.250214
- Windows version 25398.1369.250214
- or later
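As an added example covering AKS-2025-002, AKS-2025-003 and AKS-2025-004 together (not code from the advisories), this script compares each node's Windows image build against the patched builds listed above and reports nodes still on an affected image. It assumes the node image version is exposed in the kubernetes.azure.com/node-image-version label in the form AKSWindows-<release>-<build>.<revision>.<date>; both that assumption and the sample node list are constructed.

```python
import json

# Minimum patched Windows node image builds from the three advisories, keyed by build line.
PATCHED = {17763: (17763, 6775, 250214), 20348: (20348, 3091, 250214), 25398: (25398, 1369, 250214)}

# Assumed label and value format, e.g. 'AKSWindows-2022-containerd-20348.3091.250117'.
IMAGE_LABEL = "kubernetes.azure.com/node-image-version"

def parse_build(image_version):
    """Return the trailing build.revision.date triple as ints, or None if not in that shape."""
    parts = image_version.rsplit("-", 1)[-1].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def node_needs_upgrade(image_version):
    """True if older than the patched build for its line, False if at or after it,
    None when the image isn't a Windows build line covered by these advisories."""
    build = parse_build(image_version)
    if build is None or build[0] not in PATCHED:
        return None
    return build < PATCHED[build[0]]

def unpatched_windows_nodes(nodes_json):
    """Scan `kubectl get nodes -o json` output for nodes still on an affected image."""
    out = []
    for node in json.loads(nodes_json).get("items", []):
        ver = node["metadata"].get("labels", {}).get(IMAGE_LABEL, "")
        if node_needs_upgrade(ver):
            out.append((node["metadata"]["name"], ver))
    return out

# Constructed sample: two affected Windows nodes, one patched, one Linux node to be ignored.
def _node(name, ver):
    return {"metadata": {"name": name, "labels": {IMAGE_LABEL: ver}}}

SAMPLE_NODES = json.dumps({"items": [
    _node("akswin000000", "AKSWindows-2022-containerd-20348.3091.250117"),
    _node("akswin000001", "AKSWindows-2022-containerd-20348.3091.250214"),
    _node("akswin000002", "AKSWindows-2019-17763.6775.250117"),
    _node("aks-nodepool1-0", "AKSUbuntu-2204gen2containerd-202503.01.0"),
]})

if __name__ == "__main__":
    for name, ver in unpatched_windows_nodes(SAMPLE_NODES):
        print(f"{name}: {ver} is older than the patched image for its build line")
```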
AKS-2025-001 ServerConfig.PublicKeyCallback Issue in golang/crypto
Published Date: December 11, 2024
Description
A security issue was discovered in the ServerConfig.PublicKeyCallback callback, which may be susceptible to an authorization bypass. This vulnerability arises when applications and libraries misuse the connection.serverAuthenticate method. Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. This issue can lead to incorrect authorization decisions based on keys that the attacker doesn't actually control.
AKS is aware of the vulnerability. However, this CVE isn't exploitable in Kubernetes. The vulnerability only affects users of the PublicKeyCallback API. Because Kubernetes doesn't use this API, and the only use of the entire package is within a test suite, golang.org/x/crypto isn't vulnerable in this setup. The vulnerability is patched in the upcoming Kubernetes release 1.33.
References
Affected Components
Affected Versions
- AKS version 1.32 and earlier
Resolutions
The fix will be available in AKS cluster version 1.33.
Next Steps
- Get updates about the CVE mitigation status with CVE Status.
- Get updates about the latest node images with AKS release notes.
- Learn how to upgrade the AKS node image with Upgrade Azure Kubernetes Service (AKS) node images.
- Learn how to automatically upgrade node images with Automatically upgrade node images.
- Learn how to upgrade the Kubernetes version with Upgrade an AKS cluster.
- Learn about upgrading best practices with AKS patch and upgrade guidance.