Lucene search

GoogleOSV:BIT-CILIUM-PROXY-2024-28249

HistoryJul 01, 2024 - 11:10 a.m.

BIT-cilium-proxy-2024-28249

2024-07-0111:10:49

Google

osv.dev

cilium

networking

observability

security

ebpf

dataplane

ipsec

layer 7

envoy proxy

dns proxy

unencrypted traffic

software vulnerability

6.1 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

15.8%

JSON

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node’s Envoy proxy and pods on other nodes is sent unencrypted and IPsec-eligible traffic between a node’s DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.15.2, 1.14.8, and 1.13.13. There is no known workaround for this issue.

CPENameOperatorVersion
cilium-proxyge1.14.0
cilium-proxylt1.13.13
cilium-proxylt1.14.8
cilium-proxyge1.15.0
cilium-proxylt1.15.2

Name	Operator	Version
cilium-proxy	ge	1.14.0
cilium-proxy	lt	1.13.13
cilium-proxy	lt	1.14.8
cilium-proxy	ge	1.15.0
cilium-proxy	lt	1.15.2

References

github.com/cilium/cilium/releases/tag/v1.13.13

github.com/cilium/cilium/releases/tag/v1.14.8

github.com/cilium/cilium/releases/tag/v1.15.2

github.com/cilium/cilium/security/advisories/GHSA-j89h-qrvr-xc36

6.1 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

15.8%

JSON

Related for OSV:BIT-CILIUM-PROXY-2024-28249