
Security Advisory for CVE-2025-2787


Description

Vulnerability (Detailed)

On March 24th, 2025, a critical vulnerability in ingress-nginx was made public. Ingress-nginx is a component used in many Kubernetes installations worldwide, including KNIME Business Hub; therefore, all installations of KNIME Business Hub are affected. By sending malicious HTTP requests from within the cluster to the ingress-nginx controller, remote code execution can be triggered. Since ingress-nginx has access to all cluster credentials, a complete cluster takeover is possible. See https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/ for details.

Affected Versions

All versions of KNIME Business Hub (version 1.13.x, 1.12.x, 1.11.x, 1.10.x or older).

Severity

The vulnerability is rated CRITICAL (CVSS Score 9.8).

Exploitability

We assess the risk of exploitation as low. As mentioned above, the malicious request must come from the internal cluster network itself. In the context of KNIME Business Hub this means that either the installation itself has already been compromised or a user is sending malicious requests from within a workflow running in an executor. The latter requires the attacker to have user privileges, which lowers the vulnerability score to HIGH (CVSS Score 8.8).

What do you need to do?

We strongly recommend upgrading to one of the following patched versions as soon as possible:

  • KNIME Business Hub version 1.13.x, please upgrade to 1.13.3.
  • KNIME Business Hub version 1.12.x, please upgrade to 1.12.4.
  • KNIME Business Hub version 1.11.x, please upgrade to 1.11.4.
  • KNIME Business Hub version 1.10.x or older, please upgrade to 1.10.4.

Please note that at the time of writing, we are still working on the above-mentioned releases. We plan to have them ready and tested by March 28th, 2025. Until then, we recommend applying the workaround described in the next section.

Workaround

In the following it is assumed that ingress-nginx is installed in the knime namespace. Replace the namespace if you installed KNIME Business Hub or ingress-nginx in a different namespace.

  1. Back up the config, in case you need to roll back:
    kubectl get ValidatingWebhookConfiguration ingress-nginx-admission -o yaml > validatingwebhook.yaml

    kubectl get deployment -n knime ingress-nginx-controller -o yaml > ingress-nginx-deployment.yaml
  2. Delete the ValidatingWebhookConfiguration:
    kubectl delete ValidatingWebhookConfiguration ingress-nginx-admission
  3. Fetch the current arguments set for the ingress-nginx-controller deployment:
    kubectl get deployment -n knime ingress-nginx-controller -o=jsonpath='{.spec.template.spec.containers[0].args}'
  4. Copy the output and remove all validating-webhook arguments. Example arguments that should be removed:
    "--validating-webhook=:8443","--validating-webhook-certificate=/usr/local/certificates/cert","--validating-webhook-key=/usr/local/certificates/key"
  5. Patch the deployment to turn off the webhook in ingress-nginx; replace <ARGS> with the modified argument list without the validating-webhook arguments:
    kubectl patch deployment -n knime ingress-nginx-controller -p '{"spec":{"template":{"spec":{"containers":[{"name":"controller","args":<ARGS>}]}}}}'
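
The following POSIX shell script is an added example, not KNIME's own tooling and not part of the advisory: it automates the five steps above (step 4, the argument editing, is done with awk instead of by hand) and adds a check you can run after every KOTS redeploy to confirm the workaround is still in place. It assumes kubectl is already configured for the cluster, that ingress-nginx is in the knime namespace (override with the NS variable), and that the controller container is named controller as in the patch command of step 5. The function names strip_webhook_args, apply_workaround and check_workaround, and the sample argument list used by the offline demo, are constructed for this example.

```sh
#!/bin/sh
# Added example (not KNIME's tooling): automates the advisory's workaround.
# Assumptions: kubectl configured, ingress-nginx in namespace "knime" (NS=...),
# controller container named "controller" as in the advisory's patch command.
set -eu

NS="${NS:-knime}"
DEPLOY="ingress-nginx-controller"
WEBHOOK="ingress-nginx-admission"

# Step 4 as code: drop every "--validating-webhook*" entry from a JSON string
# array such as ["--a","--validating-webhook=:8443","--b"]. awk only, so it
# runs on hosts without jq. The prefix match also removes the -certificate
# and -key variants listed in the advisory.
strip_webhook_args() {
  printf '%s' "$1" | awk '
    BEGIN { RS = ","; n = 0 }
    {
      gsub(/^\[/, ""); gsub(/]$/, "")     # brackets ride along on first/last element
      if ($0 ~ /^"--validating-webhook/) next
      out[n++] = $0
    }
    END {
      printf "["
      for (i = 0; i < n; i++) printf "%s%s", (i ? "," : ""), out[i]
      printf "]"
    }'
}

# Steps 1-3 and 5: back up, delete the webhook, rewrite the controller args.
apply_workaround() {
  ts=$(date +%Y%m%d-%H%M%S)
  kubectl get ValidatingWebhookConfiguration "$WEBHOOK" -o yaml > "validatingwebhook-$ts.yaml"
  kubectl get deployment -n "$NS" "$DEPLOY" -o yaml > "ingress-nginx-deployment-$ts.yaml"
  kubectl delete ValidatingWebhookConfiguration "$WEBHOOK"
  args=$(kubectl get deployment -n "$NS" "$DEPLOY" \
           -o=jsonpath='{.spec.template.spec.containers[0].args}')
  new_args=$(strip_webhook_args "$args")
  kubectl patch deployment -n "$NS" "$DEPLOY" \
    -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"controller\",\"args\":$new_args}]}}}}"
  kubectl rollout status deployment -n "$NS" "$DEPLOY"
}

# Verification, useful after a KOTS redeploy (which reverts the patch):
# succeeds only if the webhook object is gone AND no validating-webhook arg remains.
check_workaround() {
  if kubectl get ValidatingWebhookConfiguration "$WEBHOOK" >/dev/null 2>&1; then
    echo "webhook configuration $WEBHOOK still present" >&2; return 1
  fi
  if kubectl get deployment -n "$NS" "$DEPLOY" \
       -o=jsonpath='{.spec.template.spec.containers[0].args}' | grep -q -- '--validating-webhook'; then
    echo "controller still started with --validating-webhook args" >&2; return 1
  fi
  echo "workaround in place"
}

case "${1:-demo}" in
  apply) apply_workaround ;;
  check) check_workaround ;;
  *)
    # Offline demo on a constructed argument list; no cluster needed.
    SAMPLE='["--election-id=ingress-nginx-leader","--validating-webhook=:8443","--validating-webhook-certificate=/usr/local/certificates/cert","--validating-webhook-key=/usr/local/certificates/key","--ingress-class=nginx"]'
    strip_webhook_args "$SAMPLE"; echo
    ;;
esac
```

Run it as `sh workaround.sh apply` to perform the steps (backups are timestamped so repeated runs after each redeploy do not overwrite earlier ones), `sh workaround.sh check` to verify, and with no argument to see the argument filtering on the sample list without touching a cluster.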

This workaround needs to be re-applied every time you (re)deploy using the KOTS console.

Forensic analysis

No information about forensic analysis of potential exploits of this vulnerability has been published yet. We suggest consulting public sources on the internet about this vulnerability.

If you have any questions or require additional guidance, please contact support@knime.com.