Описание
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by Gateway resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.
A flaw was found in cilium package. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by Gateway resources will incorrectly be allowed.
Отчет
The vulnerability is not present in a default installation. It requires a specific and complex combination of configurations to be exploitable. Specifically, the environment must be using the Gateway API for Ingress, combined with LB-IPAM or BGP for LoadBalancer service implementation, and specific network policies must be in place. This "perfect storm" of configuration prerequisites makes a successful attack significantly less likely in the wild. Hence, Red Hat rated this vulnerability as Low impact with AC:H.
Меры по смягчению последствий
A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade. An outline of such a policy is provided below: apiVersion: "cilium.io/v2" kind: CiliumClusterwideNetworkPolicy metadata: name: "workaround" spec: endpointSelector: matchExpressions:
- key: reserved:ingress operator: Exists ingress:
- fromEntities:
- world
- The policy opens up connectivity from all locations outside the cluster into the Cilium Ingress Gateway.
- The policy establishes a default deny for all other traffic towards the Cilium Ingress Gateway, including all in-cluster sources.
- It is possible to tailor the policy to more narrowly allow inbound traffic while creating a default deny posture for traffic between namespaces. Users should edit the policy to bring it in line with the security requirements particular to their environments.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Network Observability Operator | network-observability/network-observability-ebpf-agent-rhel9 | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-flowlogs-pipeline-rhel9 | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-operator-bundle | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-rhel9-operator | Fix deferred | ||
| OpenShift Developer Tools and Services | jenkins-agent-base-container | Fix deferred | ||
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-agent-base-rhel8 | Fix deferred | ||
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel8 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
3.2 Low
CVSS3
Связанные уязвимости
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.
Cilium is a networking, observability, and security solution with an e ...
Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers
EPSS
3.2 Low
CVSS3