
chore(deps): update module github.com/cilium/cilium to v1.15.13 [security] (main) #3351

Open

wants to merge 1 commit into base: main
Conversation

cilium-renovate[bot]
Contributor

@cilium-renovate cilium-renovate bot commented Jan 29, 2025

This PR contains the following updates:

Package: github.com/cilium/cilium
Update: patch
Change: v1.15.1 -> v1.15.13

HTTP policy bypass in github.com/cilium/cilium

BIT-cilium-2024-28248 / BIT-cilium-operator-2024-28248 / BIT-cilium-proxy-2024-28248 / BIT-hubble-2024-28248 / BIT-hubble-relay-2024-28248 / BIT-hubble-ui-2024-28248 / BIT-hubble-ui-backend-2024-28248 / CVE-2024-28248 / GHSA-68mj-9pjq-mc85 / GO-2024-2653

Details

Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Unencrypted traffic between nodes when using IPsec and L7 policies

BIT-cilium-2024-28249 / BIT-cilium-operator-2024-28249 / BIT-cilium-proxy-2024-28249 / BIT-hubble-2024-28249 / BIT-hubble-relay-2024-28249 / BIT-hubble-ui-2024-28249 / BIT-hubble-ui-backend-2024-28249 / CGA-357h-gw82-jhpp / CVE-2024-28249 / GHSA-j89h-qrvr-xc36 / GO-2024-2656

Details

Impact

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:

  • Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted
  • Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted

Note: For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by a L7 Egress Network Policy or a DNS Policy. This is a known limitation of Cilium's IPsec encryption which will continue to apply after upgrading to the latest Cilium versions described below.

Patches

This issue affects:

  • Cilium v1.15 before v1.15.2
  • Cilium v1.14 before v1.14.8
  • Cilium v1.13 before v1.13.13
  • Cilium v1.4 to v1.12 inclusive

This issue has been resolved in:

  • Cilium v1.15.2
  • Cilium v1.14.8
  • Cilium v1.13.13

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @jschwinger233, @julianwiedmann, @giorio94, and @jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at [email protected]. This is a private mailing list that only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Unencrypted traffic between nodes when using WireGuard and L7 policies

BIT-cilium-2024-28250 / BIT-cilium-operator-2024-28250 / BIT-cilium-proxy-2024-28250 / BIT-hubble-2024-28250 / BIT-hubble-relay-2024-28250 / BIT-hubble-ui-2024-28250 / BIT-hubble-ui-backend-2024-28250 / CVE-2024-28250 / GHSA-v6q2-4qr3-5cw6 / GO-2024-2657

Details

Impact

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:

  • Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes.
  • Traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

Patches

This issue affects:

  • In native routing mode (routingMode=native):
    • Cilium v1.14 versions before v1.14.8
    • Cilium v1.15 versions before v1.15.2
  • In tunneling mode (routingMode=tunnel):
    • Cilium v1.14 versions before v1.14.4
    • Cilium v1.14.4 if encryption.wireguard.encapsulate is set to false (default).

This issue has been resolved in:

  • In native routing mode (routingMode=native):
    • Cilium v1.14.8
    • Cilium v1.15.2
  • In tunneling mode (routingMode=tunnel):
    • Cilium v1.14.4. NOTE encryption.wireguard.encapsulate must be set to true.

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @brb, @giorio94, @gandro and @jschwinger233 for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at [email protected]. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Intermittent HTTP policy bypass

BIT-cilium-2024-28248 / BIT-cilium-operator-2024-28248 / BIT-cilium-proxy-2024-28248 / BIT-hubble-2024-28248 / BIT-hubble-relay-2024-28248 / BIT-hubble-ui-2024-28248 / BIT-hubble-ui-backend-2024-28248 / CVE-2024-28248 / GHSA-68mj-9pjq-mc85 / GO-2024-2653

Details

Impact

Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.

Patches

This issue affects:

  • Cilium v1.13 between v1.13.9 and v1.13.12 inclusive
  • Cilium v1.14 between v1.14.0 and v1.14.7 inclusive
  • Cilium v1.15.0 and v1.15.1

This issue has been patched in:

  • Cilium v1.15.2
  • Cilium v1.14.8
  • Cilium v1.13.13

Workarounds

There is no workaround for this issue – affected users are strongly encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @romikps for discovering and reporting this issue, and @sayboras and @jrajahalme for preparing the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium internal security team, and your report will be treated as top priority.

Severity

  • CVSS Score: 7.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

BIT-cilium-2024-28249 / BIT-cilium-operator-2024-28249 / BIT-cilium-proxy-2024-28249 / BIT-hubble-2024-28249 / BIT-hubble-relay-2024-28249 / BIT-hubble-ui-2024-28249 / BIT-hubble-ui-backend-2024-28249 / CGA-357h-gw82-jhpp / CVE-2024-28249 / GHSA-j89h-qrvr-xc36 / GO-2024-2656

Details

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted, and traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Unencrypted traffic between nodes with WireGuard in github.com/cilium/cilium

BIT-cilium-2024-28250 / BIT-cilium-operator-2024-28250 / BIT-cilium-proxy-2024-28250 / BIT-hubble-2024-28250 / BIT-hubble-relay-2024-28250 / BIT-hubble-ui-2024-28250 / BIT-hubble-ui-backend-2024-28250 / CVE-2024-28250 / GHSA-v6q2-4qr3-5cw6 / GO-2024-2657

Details

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes, and traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Insecure IPsec transparent encryption in github.com/cilium/cilium

BIT-cilium-2024-28860 / BIT-cilium-operator-2024-28860 / BIT-cilium-proxy-2024-28860 / BIT-hubble-2024-28860 / BIT-hubble-relay-2024-28860 / BIT-hubble-ui-2024-28860 / BIT-hubble-ui-backend-2024-28860 / CVE-2024-28860 / GHSA-pwqm-x5x6-5586 / GO-2024-2666

Details

Insecure IPsec transparent encryption in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Cilium has insecure IPsec transport encryption

BIT-cilium-2024-28860 / BIT-cilium-operator-2024-28860 / BIT-cilium-proxy-2024-28860 / BIT-hubble-2024-28860 / BIT-hubble-relay-2024-28860 / BIT-hubble-ui-2024-28860 / BIT-hubble-ui-backend-2024-28860 / CVE-2024-28860 / GHSA-pwqm-x5x6-5586 / GO-2024-2666

Details

Impact

Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective.

In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker:

  • Chosen plaintext attacks
  • Key recovery attacks
  • Replay attacks

These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks.

Important: After upgrading, users must perform a key rotation using the instructions here to ensure that they are no longer vulnerable to this issue. Please note that the key rotation instructions have recently been updated, and users must use the new instructions to properly establish secure IPsec tunnels. To validate that the new instructions have been followed properly, ensure that the IPsec Kubernetes secret contains a "+" sign.

Patches

All prior versions of Cilium that support IPsec transparent encryption (Cilium 1.4 onwards) are affected by this issue.

Patched versions:

  • Cilium 1.15.3
  • Cilium 1.14.9
  • Cilium 1.13.14

Workarounds

There is no workaround to this issue. IPsec transparent encryption users are strongly encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @NikAleksandrov and @pchaigno for their work on remediating the issue. Thanks to Marsh Ray, Senior Software Developer at Microsoft, for input and guidance on the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: [email protected] - first, before disclosing them in any public forums. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and it is treated as top priority.

Severity

  • CVSS Score: 8.0 / 10 (High)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Cilium leaks sensitive information in cilium-bugtool

BIT-cilium-2024-37307 / BIT-cilium-operator-2024-37307 / BIT-cilium-proxy-2024-37307 / BIT-hubble-2024-37307 / BIT-hubble-relay-2024-37307 / BIT-hubble-ui-2024-37307 / BIT-hubble-ui-backend-2024-37307 / CVE-2024-37307 / GHSA-wh78-7948-358j / GO-2024-2922

Details

Impact

The output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled.

Users of the following features are affected:

The sensitive data includes:

  • The CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API
  • The API keys used in Kafka-related network policy

cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.

Patches

This issue affects:

  • Cilium v1.13 between v1.13.0 and v1.13.16 inclusive
  • Cilium v1.14 between v1.14.0 and v1.14.11 inclusive
  • Cilium v1.15 between v1.15.0 and v1.15.5 inclusive

This issue has been patched in:

  • Cilium v1.15.6
  • Cilium v1.14.12
  • Cilium v1.13.17

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @sayboras for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Severity

  • CVSS Score: 7.9 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium

BIT-cilium-2024-37307 / BIT-cilium-operator-2024-37307 / BIT-cilium-proxy-2024-37307 / BIT-hubble-2024-37307 / BIT-hubble-relay-2024-37307 / BIT-hubble-ui-2024-37307 / BIT-hubble-ui-backend-2024-37307 / CVE-2024-37307 / GHSA-wh78-7948-358j / GO-2024-2922

Details

Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Gateway API route matching order contradicts specification

BIT-cilium-2024-42487 / BIT-cilium-operator-2024-42487 / BIT-hubble-relay-2024-42487 / CVE-2024-42487 / GHSA-qcm3-7879-xcww / GO-2024-3071

Details

Impact

Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule).

If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/34109.

This issue affects:

  • Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
  • Cilium v1.16.0

This issue is fixed in:

  • Cilium v1.15.8
  • Cilium v1.16.1

Workarounds

There is no workaround for this issue.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.

Further information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Severity

  • CVSS Score: 4.0 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Gateway API route matching order contradicts specification in github.com/cilium/cilium

BIT-cilium-2024-42487 / BIT-cilium-operator-2024-42487 / BIT-hubble-relay-2024-42487 / CVE-2024-42487 / GHSA-qcm3-7879-xcww / GO-2024-3071

Details

Gateway API route matching order contradicts specification in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium

BIT-cilium-2024-42486 / BIT-cilium-operator-2024-42486 / BIT-hubble-relay-2024-42486 / CVE-2024-42486 / GHSA-vwf8-q6fw-4wcm / GO-2024-3074

Details

Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API

BIT-cilium-2024-42486 / BIT-cilium-operator-2024-42486 / BIT-hubble-relay-2024-42486 / CVE-2024-42486 / GHSA-vwf8-q6fw-4wcm / GO-2024-3074

Details

Impact

Due to ReferenceGrant changes not being immediately propagated in Cilium's GatewayAPI controller, Gateway resources are able to access secrets in other namespaces after the associated ReferenceGrant has been revoked. This can lead to Gateways continuing to establish sessions using secrets that they should no longer have access to.

Patches

This issue was resolved in https://github.com/cilium/cilium/pull/34032.

This issue affects:

  • Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
  • Cilium v1.16.0

This issue has been patched in:

  • Cilium v1.15.8
  • Cilium v1.16.1

Workarounds

Any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any of these resources) will trigger a reconciliation of ReferenceGrants on an affected cluster.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

BIT-cilium-2024-42488 / BIT-cilium-operator-2024-42488 / BIT-hubble-relay-2024-42488 / CVE-2024-42488 / GHSA-q7w8-72mr-vpgw / GO-2024-3072

Details

Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Policy bypass for Host Firewall policy due to race condition in Cilium agent

BIT-cilium-2024-42488 / BIT-cilium-operator-2024-42488 / BIT-hubble-relay-2024-42488 / CVE-2024-42488 / GHSA-q7w8-72mr-vpgw / GO-2024-3072

Details

Impact

A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/33511.

This issue affects:

  • All versions of Cilium before v1.14.14
  • Cilium v1.15 between v1.15.0 and v1.15.7 inclusive

This issue has been patched in:

  • Cilium v1.14.14
  • Cilium v1.15.8

Workarounds

As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.

Acknowledgements

The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present

BIT-cilium-2024-47825 / BIT-cilium-operator-2024-47825 / BIT-hubble-relay-2024-47825 / CVE-2024-47825 / GHSA-3wwx-63fv-pfq6 / GO-2024-3208

Details

Impact

A policy rule denying a prefix that is broader than /32 may be ignored if there is

  • A policy rule referencing a more narrow prefix (CIDRSet or toFQDN) and
  • This narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all

Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient; it must be to entity all.

As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: block-scary-range
spec:
  endpointSelector: {}
  egressDeny:
  - toCIDRSet:
    - cidr: 1.0.0.0/8

---

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: evade-deny
spec:
  endpointSelector: {}
  egress:
  - toCIDR:
    - 1.1.1.2/32
  - toEntities:
    - all

Patches

This issue affects:

  • Cilium v1.14 between v1.14.0 and v1.14.15 inclusive
  • Cilium v1.15 between v1.15.0 and v1.15.9 inclusive

This issue has been patched in:

  • Cilium v1.14.16
  • Cilium v1.15.10

Workarounds

Users with policies using enableDefaultDeny: false can work around this issue by removing this configuration option and explicitly defining any allow rules required.

No workaround is available to users with egress policies that explicitly specify toEntities: all.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @squeed, @christarazi, and @jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated with top priority.

Severity

  • CVSS Score: 4.0 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present in github.com/cilium/cilium

BIT-cilium-2024-47825 / BIT-cilium-operator-2024-47825 / BIT-hubble-relay-2024-47825 / CVE-2024-47825 / GHSA-3wwx-63fv-pfq6 / GO-2024-3208

Details

Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


DoS in Cilium agent DNS proxy from crafted DNS responses

BIT-cilium-2025-23028 / BIT-cilium-operator-2025-23028 / BIT-hubble-relay-2025-23028 / CVE-2025-23028 / GHSA-9m5p-c77c-f9j7 / GO-2025-3415

Details

Impact

In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster.

For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new connections made without relying on DNS resolution may continue to be established, but new connections which rely on DNS resolution may be disrupted. Any configuration changes that affect the impacted agent may not be applied until the agent is able to restart.

Patches

This issue affects:

  • Cilium v1.14 between v1.14.0 and v1.14.17 inclusive
  • Cilium v1.15 between v1.15.0 and v1.15.11 inclusive
  • Cilium v1.16 between v1.16.0 and v1.16.4 inclusive

This issue is fixed in:

  • Cilium v1.14.18
  • Cilium v1.15.12
  • Cilium v1.16.5

Workarounds

There are no known workarounds to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent and the Cisco Advanced Security Initiatives Group (ASIG) to prepare these mitigations. Special thanks to @kokelley-cisco for reporting this issue and @bimmlerd for the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium

BIT-cilium-2025-23028 / BIT-cilium-operator-2025-23028 / BIT-hubble-relay-2025-23028 / CVE-2025-23028 / GHSA-9m5p-c77c-f9j7 / GO-2025-3415

Details

DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium

BIT-cilium-2025-23047 / BIT-cilium-operator-2025-23047 / BIT-hubble-relay-2025-23047 / CVE-2025-23047 / GHSA-h78m-j95m-5356 / GO-2025-3416

Details

Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Cilium has an information leakage via insecure default Hubble UI CORS header

BIT-cilium-2025-23047 / BIT-cilium-operator-2025-23047 / BIT-hubble-relay-2025-23047 / CVE-2025-23047 / GHSA-h78m-j95m-5356 / GO-2025-3416

Details

Impact

For users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart, an insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this vulnerability to be exploited, a victim would have to first visit a malicious page.

Patches

This issue was patched in cilium/cilium@a3489f1

This issue affects:

  • Cilium between v1.14.0 and v1.14.18 inclusive
  • Cilium between v1.15.0 and v1.15.12 inclusive
  • Cilium between v1.16.0 and v1.16.5 inclusive

This issue is patched in:

  • Cilium v1.14.19
  • Cilium v1.15.13
  • Cilium v1.16.6

Workarounds

Users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template as shown in the patch.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @ciffelia for reporting this issue and to @geakstr for the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.15.13: 1.15.13

Summary of Changes

Major Changes:

Minor Changes:

Bugfixes:

CI Changes:


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
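The CIDR-deny shadowing described in the CVE-2024-47825 advisory above (a broad egressDeny ignored beside a narrower allow in a policy that also specifies toEntities: all or enableDefaultDeny: false) can be linted for before upgrading. The following is an added example, not Cilium's own code or part of this PR: it takes the advisory's two policies transcribed from YAML into a JSON array (constructed sample input), models only the fields it needs, assumes enableDefaultDeny has an egress sub-key, and reports each deny prefix broader than a single host that a permissive policy allows a strictly narrower prefix inside.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Subset of the CiliumNetworkPolicy / CiliumClusterwideNetworkPolicy schema this
// check needs; the {egress: bool} shape of enableDefaultDeny is assumed.
type Policy struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Spec     struct {
		EnableDefaultDeny struct{ Egress *bool `json:"egress"` } `json:"enableDefaultDeny"`
		Egress            []EgressRule `json:"egress"`
		EgressDeny        []EgressRule `json:"egressDeny"`
	} `json:"spec"`
}

type EgressRule struct {
	ToCIDR     []string `json:"toCIDR"`
	ToCIDRSet  []struct{ CIDR string `json:"cidr"` } `json:"toCIDRSet"`
	ToEntities []string `json:"toEntities"`
}

// Finding is one deny prefix that a permissive, narrower allow may shadow.
type Finding struct{ DenyPolicy, DenyCIDR, AllowPolicy, AllowCIDR, Reason string }

// rulePrefixes collects every parseable CIDR from toCIDR and toCIDRSet;
// toFQDNs rules are skipped because their prefixes only exist at runtime.
func rulePrefixes(rules []EgressRule) (out []netip.Prefix) {
	for _, r := range rules {
		cidrs := append([]string{}, r.ToCIDR...)
		for _, s := range r.ToCIDRSet {
			cidrs = append(cidrs, s.CIDR)
		}
		for _, c := range cidrs {
			if p, err := netip.ParsePrefix(c); err == nil {
				out = append(out, p.Masked())
			}
		}
	}
	return out
}

// permissiveReason says why a policy can shadow a broader deny, or "" if it cannot:
// only toEntities: all and enableDefaultDeny: false qualify, not world or 0.0.0.0/0.
func permissiveReason(p Policy) string {
	if e := p.Spec.EnableDefaultDeny.Egress; e != nil && !*e {
		return "enableDefaultDeny.egress: false"
	}
	for _, r := range p.Spec.Egress {
		for _, ent := range r.ToEntities {
			if ent == "all" {
				return "toEntities: all"
			}
		}
	}
	return ""
}

// FindShadowedDenies reports every egressDeny prefix broader than a single host for
// which a permissive policy allows a narrower prefix inside it (endpointSelectors
// are not compared; confirm those overlap separately).
func FindShadowedDenies(policies []Policy) (findings []Finding) {
	for _, dp := range policies {
		for _, deny := range rulePrefixes(dp.Spec.EgressDeny) {
			if deny.Bits() >= deny.Addr().BitLen() {
				continue // a /32 (or /128) deny is not affected
			}
			for _, ap := range policies {
				reason := permissiveReason(ap)
				for _, allow := range rulePrefixes(ap.Spec.Egress) {
					if reason != "" && allow.Bits() > deny.Bits() && deny.Contains(allow.Addr()) {
						findings = append(findings, Finding{dp.Metadata.Name, deny.String(), ap.Metadata.Name, allow.String(), reason})
					}
				}
			}
		}
	}
	return findings
}

// Lint parses a JSON array of policies and returns the shadowing findings.
func Lint(doc string) ([]Finding, error) {
	var ps []Policy
	if err := json.Unmarshal([]byte(doc), &ps); err != nil {
		return nil, err
	}
	return FindShadowedDenies(ps), nil
}

// Constructed sample: the advisory's two policies transcribed from YAML to JSON.
const vulnerablePolicies = `[{"kind":"CiliumClusterwideNetworkPolicy","metadata":{"name":"block-scary-range"},"spec":{"endpointSelector":{},"egressDeny":[{"toCIDRSet":[{"cidr":"1.0.0.0/8"}]}]}},
 {"kind":"CiliumNetworkPolicy","metadata":{"name":"evade-deny"},"spec":{"endpointSelector":{},"egress":[{"toCIDR":["1.1.1.2/32"]},{"toEntities":["all"]}]}}]`

func main() { fmt.Println(Lint(vulnerablePolicies)) }
```

Swapping `["all"]` for `["world"]` in the sample yields no finding, matching the advisory's note that world is insufficient to trigger the bypass.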

…rity]

Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
@cilium-renovate cilium-renovate bot requested a review from a team as a code owner January 29, 2025 09:14
@cilium-renovate cilium-renovate bot added release-blocker This PR or issue is blocking the next release. release-note/dependency This PR updates one or multiple dependencies labels Jan 29, 2025
@cilium-renovate cilium-renovate bot requested a review from tpapagian January 29, 2025 09:14