VIP Authentication Hub response to #IngressNightmare vulnerability
25568
28 March 2025
28 March 2025
CLOSED
CRITICAL
9.8
CVE-2025-1974
Dear Broadcom Customer:
The purpose of this Advisory is to inform you of a potential problem that has been recently identified with a prerequisite component of VIP Authentication Hub. Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.
PRODUCT(S) AFFECTED: VIP Authentication Hub
RELEASE: 3.3.x
PROBLEM DESCRIPTION:
CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974 are a series of unauthenticated Remote Code Execution vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively dubbed #IngressNightmare. Exploitation of these vulnerabilities gives an attacker unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, which can result in cluster takeover.
VIP Authentication Hub requires an NGINX ingress, so customers should assess the version of their ingress controller and either upgrade it or adjust its configuration to mitigate this exploit.
PROBLEM RESOLUTION:
Upgrade your Ingress NGINX Controller to version 1.11.5 or modify the configuration as described in this knowledge article.
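To assess the current version as the advisory asks, the following added example (not part of this advisory or of VIP Authentication Hub) walks the JSON output of `kubectl get pods -A -o json`, extracts the ingress-nginx controller image tag from each pod and compares it against the fixed version. It assumes the 1.11.5 minimum stated above for the 1.11 line and, for the 1.12 line, the 1.12.1 fix published in the upstream ingress-nginx release; the pod list below is constructed sample input, not real cluster data.

```python
import json
import re
from typing import List, Optional, Tuple

# Fixed version per release line. 1.11.5 is the version named in this advisory;
# 1.12.1 is the corresponding fix on the 1.12 line from the upstream ingress-nginx release.
FIXED_VERSIONS = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}

# Matches controller and controller-chroot images, with or without a digest suffix.
TAG_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an ingress-nginx controller image ref, else None."""
    m = TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True if the controller version predates the fix for its release line."""
    line = version[:2]
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        # Lines older than 1.11 received no fix; lines newer than 1.12 shipped after it.
        return line < (1, 11)
    return version < fixed


def assess_pods(pod_list_json: str) -> List[Tuple[str, str, str]]:
    """Return (namespace, pod, verdict) for every ingress-nginx controller container found."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for container in pod["spec"]["containers"]:
            version = parse_version(container["image"])
            if version is None:
                continue  # not an ingress-nginx controller container
            verdict = "VULNERABLE" if is_vulnerable(version) else "patched"
            findings.append((ns, name, verdict))
    return findings


# Constructed sample of `kubectl get pods -A -o json`: one unpatched and one patched controller, one unrelated pod.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-abc"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:0000"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-def"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1"}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-xyz"},
     "spec": {"containers": [{"image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
]})

if __name__ == "__main__":
    for ns, pod, verdict in assess_pods(SAMPLE):
        print(f"{ns}/{pod}: {verdict}")
```

To run it against a live cluster, replace `SAMPLE` with the text of `kubectl get pods -A -o json`.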
If you have any questions about this Advisory, please contact Broadcom Support.
Thank you,
Broadcom Support Team