Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services, use LB-IPAM or BGP for LB Service implementation, and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.
Statement
The LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue.
Mitigation
A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade. An outline of such a policy is provided below:

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "workaround"
spec:
  # Select the Cilium Ingress Gateway endpoint (the reserved:ingress identity).
  endpointSelector:
    matchExpressions:
    - key: reserved:ingress
      operator: Exists
  # Allow inbound traffic only from outside the cluster; everything else,
  # including in-cluster sources, falls under default deny.
  ingress:
  - fromEntities:
    - world
```
- The policy opens up connectivity from all locations outside the cluster into the Cilium Ingress Gateway.
- The policy establishes a default deny for all other traffic towards the Cilium Ingress Gateway, including all in-cluster sources.
- It is possible to tailor the policy to more narrowly allow inbound traffic while creating a default deny posture for traffic between namespaces. Users should edit the policy to bring it in line with the security requirements particular to their environments.
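An audit helper for the two questions this advisory raises for an operator: is a given Cilium version in an affected range, and do the cluster's CiliumClusterwideNetworkPolicy objects (as returned by `kubectl get ccnp -o json`) already contain a policy of the shape outlined above. This is an added example, not code from the advisory or the Cilium project; the `BROAD_ENTITIES` list and the "at least one non-broad ingress rule" heuristic are assumptions about what would undo the default-deny posture, and the two sample policies are constructed.

```python
import re

# Affected patch ranges per minor release, as stated in the advisory (1.15.15, 1.16.8, 1.17.2 are fixed).
AFFECTED = {15: (0, 14), 16: (0, 7), 17: (0, 1)}
_VERSION_RE = re.compile(r"^v?1\.(\d+)\.(\d+)(?:[-+].*)?$")
# Entities that re-admit in-cluster sources to the Gateway; an assumed audit list, not from the advisory.
BROAD_ENTITIES = {"all", "cluster", "remote-node", "host"}

def is_affected(version: str) -> bool:
    """True if a Cilium version string such as 'v1.16.3' falls in an affected range.
    Pre-release/build suffixes are ignored, so '1.17.2-rc.0' is treated as 1.17.2."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Cilium version: {version!r}")
    minor, patch = int(m.group(1)), int(m.group(2))
    first, last = AFFECTED.get(minor, (1, 0))  # minors not listed are never affected
    return first <= patch <= last

def _selects_ingress(selector: dict) -> bool:
    """Does an endpointSelector target the Cilium Ingress (reserved:ingress) endpoint?"""
    return "reserved:ingress" in selector.get("matchLabels", {}) or any(
        e.get("key") == "reserved:ingress" and e.get("operator") == "Exists"
        for e in selector.get("matchExpressions", []))

def _rule_is_broad(rule: dict) -> bool:
    """A rule undoes the default deny if it allows a broad entity or an empty (match-all) endpoint selector."""
    return bool(set(rule.get("fromEntities", [])) & BROAD_ENTITIES) or any(
        sel == {} for sel in rule.get("fromEndpoints", []))

def has_ingress_workaround(policies: list) -> bool:
    """True if some CiliumClusterwideNetworkPolicy selects reserved:ingress, carries at least one
    ingress rule (which puts all other ingress into default deny) and no rule is broad."""
    for pol in policies:
        spec = pol.get("spec", {})
        rules = spec.get("ingress", [])
        if (pol.get("kind") == "CiliumClusterwideNetworkPolicy" and rules
                and _selects_ingress(spec.get("endpointSelector", {}))
                and not any(_rule_is_broad(r) for r in rules)):
            return True
    return False

# Constructed samples: the advisory's outline policy, and a variant that re-admits in-cluster traffic.
WORKAROUND = {"kind": "CiliumClusterwideNetworkPolicy", "metadata": {"name": "workaround"},
              "spec": {"endpointSelector": {"matchExpressions": [{"key": "reserved:ingress", "operator": "Exists"}]},
                       "ingress": [{"fromEntities": ["world"]}]}}
TOO_BROAD = {"kind": "CiliumClusterwideNetworkPolicy", "metadata": {"name": "too-broad"},
             "spec": {"endpointSelector": {"matchLabels": {"reserved:ingress": ""}},
                      "ingress": [{"fromEntities": ["world", "cluster"]}]}}
```

Feed `has_ingress_workaround` the `items` list of the `kubectl` JSON output; a tailored policy that narrows `world` further (for example with `toPorts`) still passes, while one that adds `cluster` or an empty `fromEndpoints` selector is reported as missing the workaround.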
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Network Observability Operator | network-observability/network-observability-ebpf-agent-rhel9 | Fix deferred | ||
Network Observability Operator | network-observability/network-observability-flowlogs-pipeline-rhel9 | Fix deferred | ||
Network Observability Operator | network-observability/network-observability-operator-bundle | Fix deferred | ||
Network Observability Operator | network-observability/network-observability-rhel9-operator | Fix deferred | ||
OpenShift Developer Tools and Services | jenkins-agent-base-container | Fix deferred | ||
OpenShift Developer Tools and Services | ocp-tools-4/jenkins-agent-base-rhel8 | Fix deferred | ||
OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Fix deferred | ||
OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Fix deferred | ||
OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Fix deferred | ||
OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel8 | Fix deferred | ||
Additional information
EPSS
3.2 Low
CVSS3
Related vulnerabilities
Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers