19 matches found

OSV
added 2024/11/25 7:35 p.m., 9 views

GHSA-XG58-75QF-9R67 Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges

Impact For users with the following configuration: An allow policy that selects a Layer 3 identity and a port range AND A Layer 7 allow policy that selects a specific port within the first policy's range then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This...

6.9 CVSS, 5.4 AI score, 0.00084 EPSS
Exploits 0, References 4

GitHub Security Blog
added 2024/11/25 7:35 p.m., 12 views

Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges

Impact For users with the following configuration: An allow policy that selects a Layer 3 identity and a port range AND A Layer 7 allow policy that selects a specific port within the first policy's range then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This...

5.8 CVSS, 5.5 AI score, 0.00084 EPSS
Exploits 0, References 4, Affected Software 1

OSV
added 2024/10/21 7:3 p.m., 10 views

GHSA-3WWX-63FV-PFQ6 Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present

Impact A policy rule denying a prefix that is broader than /32 may be ignored if there is - A policy rule referencing a more narrow prefix CIDRSet or toFQDN and - This narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all Note that a rule specifying toEntities: world...

4 CVSS, 6 AI score, 0.00305 EPSS
Exploits 0, References 5

GitHub Security Blog
added 2024/08/16 6:45 p.m., 27 views

Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API

Impact Due to ReferenceGrant changes not being immediately propagated in Cilium's GatewayAPI controller, Gateway resources are able to access secrets in other namespaces after the associated ReferenceGrant has been revoked. This can lead to Gateways continuing to establish sessions using secrets...

7.2 CVSS, 6.7 AI score, 0.00243 EPSS
Exploits 0, References 7, Affected Software 1

GitHub Security Blog
added 2024/06/13 7:29 p.m., 23 views

Cilium leaks sensitive information in cilium-bugtool

Impact The output of cilium-bugtool can contain sensitive data when the tool is run with the --envoy-dump flag set against Cilium deployments with the Envoy proxy enabled. Users of the following features are affected: - TLS inspection - Ingress with TLS termination - Gateway API with TLS...

7.9 CVSS, 6.7 AI score, 0.00049 EPSS
Exploits 0, References 10, Affected Software 1

GitHub Security Blog
added 2024/03/28 5:27 p.m., 23 views

Cilium has insecure IPsec transport encryption

Impact Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker: - Chosen plaintext attacks - Key recovery attacks -...

8 CVSS, 7 AI score, 0.0003 EPSS
Exploits 0, References 8, Affected Software 1

OSV
added 2024/03/18 8:30 p.m., 11 views

GHSA-J89H-QRVR-XC36 Unencrypted traffic between nodes when using IPsec and L7 policies

Impact In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies: - Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted - Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent...

6.1 CVSS, 6 AI score, 0.00302 EPSS
Exploits 0, References 6

GitHub Security Blog
added 2024/02/20 11:45 p.m., 20 views

Unencrypted traffic between pods when using Wireguard and an external kvstore

Impact For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. Patches This issue affects Cilium v1.14 before v1.14.7. This issue has been patched in Cilium v1.14.7. Workarounds There is no workarou...

6.1 CVSS, 7 AI score, 0.00051 EPSS
Exploits 0, References 6, Affected Software 1

OSV
added 2024/02/20 11:44 p.m., 19 views

GHSA-7496-FGV9-XW82 Unencrypted ingress/health traffic when using Wireguard transparent encryption

Impact For Cilium users who are using CRDs to store Cilium state the default configuration and Wireguard transparent encryption, responses from pods to the Ingress and health endpoints are not encrypted. Traffic from the Ingress and health endpoints to pods is not affected by this issue. The heal...

6.1 CVSS, 5.6 AI score, 0.00051 EPSS
Exploits 0, References 5

GitHub Security Blog
added 2024/02/20 11:44 p.m., 16 views

Unencrypted ingress/health traffic when using Wireguard transparent encryption

Impact For Cilium users who are using CRDs to store Cilium state the default configuration and Wireguard transparent encryption, responses from pods to the Ingress and health endpoints are not encrypted. Traffic from the Ingress and health endpoints to pods is not affected by this issue. The heal...

6.1 CVSS, 6.8 AI score, 0.00051 EPSS
Exploits 0, References 5, Affected Software 1

OSV
added 2023/09/27 12:35 a.m., 15 views

GHSA-4XP2-W642-7MCX Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy

Impact An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces. By using a crafted endpointSelector that uses the DoesNotExist operato...

6.9 CVSS, 7.2 AI score, 0.00019 EPSS
Exploits 0, References 5

OSV
added 2023/06/16 5:47 p.m., 24 views

GHSA-R7WR-4W5Q-55M6 Cilium vulnerable to information leakage via incorrect ReferenceGrant handling

Impact When the Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium gaining visibility of secrets including certificates and services across namespaces. An attacker on an affected cluster can configure Cilium to use...

3.4 CVSS, 4.7 AI score, 0.00074 EPSS
Exploits 0, References 4

GitHub Security Blog
added 2023/04/19 6:16 p.m., 17 views

Debug mode leaks confidential data in Cilium

Impact When run in debug mode, Cilium may log sensitive information. In particular, Cilium running in debug mode will log the values of headers if they match HTTP network policy rules. This issue affects Cilium versions: - 1.7. to 1.10. inclusive - 1.11. before 1.11.16 - 1.12. before 1.12.9 - 1.1...

7.2 CVSS, 6 AI score, 0.00071 EPSS
Exploits 0, References 3, Affected Software 1

OSV
added 2023/04/19 6:16 p.m., 16 views

GHSA-PG5P-WWP8-97G8 Debug mode leaks confidential data in Cilium

Impact When run in debug mode, Cilium may log sensitive information. In particular, Cilium running in debug mode will log the values of headers if they match HTTP network policy rules. This issue affects Cilium versions: - 1.7. to 1.10. inclusive - 1.11. before 1.11.16 - 1.12. before 1.12.9 - 1.1...

7.2 CVSS, 6.7 AI score, 0.00071 EPSS
Exploits 0, References 3

OSV
added 2023/03/17 6:22 p.m., 12 views

GHSA-R5X6-W42P-JHPP Cilium eBPF filters may be temporarily removed during agent restart

Impact When Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancin...

6.5 CVSS, 8.2 AI score, 0.00064 EPSS
Exploits 0, References 5

GitHub Security Blog
added 2023/03/17 6:22 p.m., 20 views

Potential network policy bypass when routing IPv6 traffic

Impact Under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network polici...

7.3 CVSS, 7.1 AI score, 0.00057 EPSS
Exploits 0, References 6, Affected Software 1

OSV
added 2022/08/30 8:6 p.m., 11 views

GHSA-PFHR-PCCP-HWMH Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels

Impact If a user has Network Policies with namespace selectors selecting labels of namespaces, or clusterwide Cilium Network Policies matching on namespace labels, then it is possible for an attacker with Kubernetes pod deploy rights either directly or indirectly via higher-level APIs such as...

4.3 CVSS, 7 AI score
Exploits 0, References 5

GitHub Security Blog
added 2022/05/24 9:15 p.m., 22 views

Improper Privilege Management in Cilium

Impact If an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can leverage Cilium's Kubernetes service account to gain access to cluster privileges that are more permissive than what is minimally required to operate...

8.2 CVSS, 8.1 AI score, 0.00166 EPSS
Exploits 0, References 6, Affected Software 1

OSV
added 2022/05/24 9:14 p.m., 34 views

GHSA-6P8V-8CQ8-V2R3 Access to Unix domain socket can lead to privileges escalation in Cilium

Impact Users with host file system access on a node and the privileges to run as group ID 1000 can gain access to the per node API of Cilium via Unix domain socket on the host where Cilium is running. If a malicious user is able to gain unprivileged access to a user corresponding to this group,...

8.8 CVSS, 8.6 AI score, 0.00141 EPSS
Exploits 0, References 6