
exploitDog


GHSA-5vxx-c285-pcq4

Published: 21 Apr 2025
Source: github
Github: Reviewed
CVSS3: 4

Description

In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters

Impact

When using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium.

Patches

This issue has been patched in https://github.com/cilium/cilium/pull/38592.

This issue affects:

  • Cilium v1.15 between v1.15.0 and v1.15.15 inclusive
  • Cilium v1.16 between v1.16.0 and v1.16.8 inclusive
  • Cilium v1.17 between v1.17.0 and v1.17.2 inclusive

This issue is fixed in:

  • Cilium v1.15.16
  • Cilium v1.16.9
  • Cilium v1.17.3

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @gandro and @pippolo84 for reporting this issue and to @julianwiedmann for the patch.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Packages

Name: github.com/cilium/cilium (go)
Affected versions: >= 1.13.0, < 1.15.16
Fixed version: 1.15.16

Name: github.com/cilium/cilium (go)
Affected versions: >= 1.16.0, < 1.16.9
Fixed version: 1.16.9

Name: github.com/cilium/cilium (go)
Affected versions: >= 1.17.0, < 1.17.3
Fixed version: 1.17.3

EPSS

Percentile: 1%
0.00009
Low

4 Medium

CVSS3

Weaknesses

CWE-319
CWE-362

Related vulnerabilities

CVSS3: 4
nvd
10 months ago

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium. This issue has been patched in versions 1.15.16, 1.16.9, and 1.17.3. There are no workarounds available for this issue.

CVSS3: 4
debian
10 months ago

Cilium is a networking, observability, and security solution with an e ...
