2805 matches found

Cvelist
added 2024/03/27 6:34 p.m. | 42 views

CVE-2024-28860 Insecure IPsec transport encryption in Cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key...

CVSS 8 | AI score 7.7 | EPSS 0.00172
Exploits 0 | References 5
OSV
added 2024/03/27 6:34 p.m. | 15 views

CVE-2024-28860 Insecure IPsec transport encryption in Cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key...

CVSS 8 | AI score 7.3 | EPSS 0.00172
Exploits 0 | References 7
CVE
added 2024/03/27 6:34 p.m. | 311 views

CVE-2024-28860

CVE-2024-28860 affects Cilium’s IPsec transparent encryption. The issue arises from an ESP sequence number collision when multiple nodes share a key, enabling a MITM attacker to perform chosen-plaintext, key-recovery, and replay attacks that can undermine confidentiality and integrity. Fixed in C...

CVSS 8 | AI score 7.4 | EPSS 0.00172
Exploits 0 | References 5 | Affected Software 1
OpenVAS
added 2024/03/25 12:0 a.m. | 19 views

Fedora: Security Advisory (FEDORA-2024-92f0c71a01)

The remote host is missing an update for the...

CVSS 6.5 | AI score 8.8 | EPSS 0.00944
Exploits 0 | References 2
OpenVAS
added 2024/03/25 12:0 a.m. | 23 views

Fedora: Security Advisory for libreswan (FEDORA-2024-1439ec2069)

The remote host is missing an update for the...

CVSS 6.5 | AI score 6.7 | EPSS 0.00944
Exploits 0 | References 2
OpenVAS
added 2024/03/25 12:0 a.m. | 16 views

Fedora: Security Advisory (FEDORA-2024-312a5ed3d5)

The remote host is missing an update for the...

CVSS 6.5 | AI score 8.8 | EPSS 0.00944
Exploits 0 | References 2
OSV
added 2024/03/24 4:57 a.m. | 14 views

MGASA-2024-0085 Updated libreswan packages fix security vulnerabilities

The updated package fixes security vulnerabilities: pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. (CVE-2023-30570) An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY...

CVSS 7.5 | AI score 7.2 | EPSS 0.01175
Exploits 0 | References 8
Fedora
added 2024/03/23 12:51 a.m. | 23 views

[SECURITY] Fedora 40 Update: libreswan-4.14-1.fc40

Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the...

CVSS 6.5 | AI score 6.4 | EPSS 0.00944
Exploits 0
OSV
added 2024/03/22 6:39 p.m. | 11 views

GO-2024-2656 Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted, and traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent...

CVSS 6.1 | AI score 6 | EPSS 0.00271
Exploits 0 | References 1
Veracode
added 2024/03/22 4:57 a.m. | 12 views

Missing Encryption Of Sensitive Data

Cilium is vulnerable to Missing Encryption of Sensitive Data. The vulnerability is due to missing encryption in IPsec-eligible traffic between a node's Envoy proxy/DNS proxy and pods on other nodes, when traffic matches Layer 7 policies. This issue can expose sensitive data as it travels between...

CVSS 6.1 | AI score 6.8 | EPSS 0.00271
Exploits 0 | References 6 | Affected Software 1
Fedora
added 2024/03/21 1:28 a.m. | 35 views

[SECURITY] Fedora 38 Update: libreswan-4.14-1.fc38

Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the...

CVSS 6.5 | AI score 6.4 | EPSS 0.00944
Exploits 0
Fedora
added 2024/03/21 1:13 a.m. | 25 views

[SECURITY] Fedora 39 Update: libreswan-4.14-1.fc39

Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the...

CVSS 6.5 | AI score 6.4 | EPSS 0.00944
Exploits 0
Tenable Nessus
added 2024/03/19 12:0 a.m. | 55 views

RHEL 8 : kernel (RHSA-2024:1367)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1367 advisory. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: vmwgfx: NULL pointer dereferen...

CVSS 7.8 | AI score 6.7 | EPSS 0.0059
Exploits 0 | References 24
NVD
added 2024/03/18 10:15 p.m. | 24 views

CVE-2024-28249

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sen...

CVSS 6.1 | AI score 6.1 | EPSS 0.00271
Exploits 0 | References 4
Cvelist
added 2024/03/18 9:36 p.m. | 29 views

CVE-2024-28249 Cilium has possible unencrypted traffic between nodes when using IPsec and L7 policies

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sen...

CVSS 6.1 | AI score 6.3 | EPSS 0.00271
Exploits 0 | References 4
CVE
added 2024/03/18 9:36 p.m. | 316 views

CVE-2024-28249

Cilium CVE-2024-28249: In clusters with IPsec enabled and Layer 7 policies, IPsec-eligible traffic between a node’s Envoy proxy and pods on other nodes, and between a node’s DNS proxy and pods on other nodes, is sent unencrypted. This affects versions prior to 1.13.13, 1.14.8, and 1.15.2. The is...

CVSS 6.1 | AI score 6.3 | EPSS 0.00271
Exploits 0 | References 4 | Affected Software 1
Vulnrichment
added 2024/03/18 9:36 p.m. | 8 views

CVE-2024-28249 Cilium has possible unencrypted traffic between nodes when using IPsec and L7 policies

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sen...

CVSS 6.1 | AI score 6.7 | EPSS 0.00271
Exploits 0 | References 4
OSV
added 2024/03/18 9:36 p.m. | 8 views

CVE-2024-28249 Cilium has possible unencrypted traffic between nodes when using IPsec and L7 policies

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sen...

CVSS 6.1 | AI score 6 | EPSS 0.00271
Exploits 0 | References 6
Github Security Blog
added 2024/03/18 8:30 p.m. | 17 views

Unencrypted traffic between nodes when using IPsec and L7 policies

Impact: In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:
- Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted
- Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent...

CVSS 6.1 | AI score 6.6 | EPSS 0.00271
Exploits 0 | References 6 | Affected Software 1
OSV
added 2024/03/18 8:30 p.m. | 12 views

GHSA-J89H-QRVR-XC36 Unencrypted traffic between nodes when using IPsec and L7 policies

Impact: In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:
- Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted
- Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent...

CVSS 6.1 | AI score 6 | EPSS 0.00271
Exploits 0 | References 6