BIT-CILIUM-PROXY-2024-25630

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state the default configuration and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted. This issue affect...

BIT-CILIUM-PROXY-2024-28249

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sen...

BIT-CILIUM-PROXY-2024-37307

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.0 and prior to versions 1.13.7, 1.14.12, and 1.15.6, the output of cilium-bugtool can contain sensitive data when the tool is run with the --envoy-dump flag set against Cilium...

CVE-2024-37307

Summary: CVE-2024-37307 affects Cilium’s cilium-bugtool when run with --envoy-dump against deployments with Envoy enabled. Affected versions: prior to 1.13.7, 1.14.12, and 1.15.6 (i.e., versions 1.13.0–1.13.6, 1.14.0–1.14.11, 1.15.0–1.15.5). Root cause/impact: the tool’s output could contain sens...

BIT-HUBBLE-2023-34242

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of...

BIT-HUBBLE-2024-28249

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sen...

BIT-HUBBLE-RELAY-2023-34242 Cilium vulnerable to information leakage via incorrect ReferenceGrant handling

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of...

BIT-HUBBLE-RELAY-2023-39347 Cilium NetworkPolicy bypass via pod labels

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels...

BIT-HUBBLE-RELAY-2024-25630

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state the default configuration and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not encrypted. This issue affect...

BIT-CILIUM-2023-27594 Cilium vulnerable to potential network policy bypass when routing IPv6 traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which...

BIT-CILIUM-2023-34242 Cilium vulnerable to information leakage via incorrect ReferenceGrant handling

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of...

BIT-CILIUM-OPERATOR-2023-39347 Cilium NetworkPolicy bypass via pod labels

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels...

BIT-CILIUM-2023-41332 Denial of service via Kubernetes annotations in specific Cilium configurations

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with policy.cilium.io/proxy-visibility annotations in Cilium = v1.13 or io.cilium.proxy-visibility annotations in Cilium...

BIT-CILIUM-OPERATOR-2023-41332 Denial of service via Kubernetes annotations in specific Cilium configurations

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with policy.cilium.io/proxy-visibility annotations in Cilium = v1.13 or io.cilium.proxy-visibility annotations in Cilium...

BIT-CILIUM-2023-41333 Bypass of namespace restrictions in CiliumNetworkPolicy

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in othe...

BIT-CILIUM-OPERATOR-2023-41333 Bypass of namespace restrictions in CiliumNetworkPolicy

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in othe...

BIT-CILIUM-2024-25631

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and...

BIT-CILIUM-OPERATOR-2024-25631

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14 before v1.14.7 and...

CVE-2024-28860

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key...

CVE-2024-28249

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sen...