CVSS3: 6.1 Medium
Attack Vector: ADJACENT
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
AI Score: 6.8 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.5%)
In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:
This issue affects:
routingMode=native):
routingMode=tunnel):
encryption.wireguard.encapsulate is set to false (default).
This issue has been resolved in:
routingMode=native):
routingMode=tunnel):
encryption.wireguard.encapsulate must be set to true.
There is no workaround to this issue.
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @brb, @giorio94, @gandro and @jschwinger233 for their work on triaging and remediating this issue.
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a related vulnerability, we strongly encourage you to report it to our private security mailing list at [email protected]. Only members of the Cilium internal security team are subscribed to this private mailing list, and your report will be treated as top priority.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/cilium/cilium | lt | 1.15.2 |
| | github.com/cilium/cilium | lt | 1.14.8 |