Maintenance

Immediate Security Mitigation – Hosting Infrastructure Update at 6:30 PM

Dear customers,

We received an alert yesterday evening related to this zero day vulnerability, https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities. In Salsa Hosting, the Nginx Ingress Controller endpoint that is vulnerable to attack is not exposed externally. As such, there is no direct external network path to this endpoint, providing some protection. Internal access to the cluster is limited to only a handful of Kubernetes administrators. The likelihood of the risk occurring is "unlikely", however, the impact would be catastrophic, and extremely difficult to recover from. Given the severity of the risk, immediate rectification is required.

Today, we have completed testing the recommended version of the Nginx Ingress Controller in our test cluster. We will be releasing it to production at 6:30 PM AEDT tonight via an emergency change. The Nginx Ingress Controller is highly available so there should be no outage on your site as the change is rolled out. QuantCDN is also in place to provide cache content in the very unlikely event of any small outage on the hosting cluster. The change is across our entire infrastructure and is, unfortunately, not optional for any customers.

Please raise a ticket in the support desk if you experience any issues. https://servicedesk.salsadigital.com.au/support/login