CVE-2024-28250

2024-03-1822:15:08

CWE-311

[email protected]

web.nvd.nist.gov

cilium

networking

observability

security

ebpf

wireguard

encryption

vulnerability

nvd

6.1 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

6.3 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent between a node’s Envoy proxy and pods on other nodes is sent unencrypted and Wireguard-eligible traffic that is sent between a node’s DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.14.8 and 1.15.2 in in native routing mode (routingMode=native) and in Cilium 1.14.4 in tunneling mode (routingMode=tunnel). Not that in tunneling mode, encryption.wireguard.encapsulate must be set to true. There is no known workaround for this issue.

Affected configurations

Vulners

Node

ciliumciliumRange1.14.0–1.14.8

ciliumciliumRange1.15.0–1.15.2

VendorProductVersionCPE
ciliumcilium*cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*
ciliumcilium*cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cilium	cilium	*	cpe:2.3:a:cilium:cilium::::::::
cilium	cilium	*	cpe:2.3:a:cilium:cilium::::::::

CNA Affected

[
  {
    "vendor": "cilium",
    "product": "cilium",
    "versions": [
      {
        "version": ">= 1.14.0, < 1.14.8",
        "status": "affected"
      },
      {
        "version": ">= 1.15.0, < 1.15.2",
        "status": "affected"
      }
    ]
  }
]