Cilium NetworkPolicy bypass via pod labels
CVE-2023-39347

7.6HIGH

Key Information:

Vendor: Cilium
Status: Cilium
Vendor: CVE Published:; 27 September 2023

What is CVE-2023-39347?

Cilium, a networking and security solution for Kubernetes, is vulnerable to improper label handling that can lead to the application of incorrect network policies. An attacker with the ability to update pod labels may manipulate these labels to bypass network restrictions. This manipulation occurs when Cilium incorrectly selects network policies based on user-provided labels during pod updates. Specifically, if an attacker supplies a non-existent namespace label, the associated CiliumNetworkPolicies fail to apply, thereby elevating the risk of unauthorized access to network resources. To mitigate this risk, users are encouraged to upgrade to the latest versions of Cilium, where this issue has been resolved.

Affected Version(s)

cilium >= 1.14.0, < 1.14.2 < 1.14.0, 1.14.2

cilium >= 1.13.0, < 1.13.7 < 1.13.0, 1.13.7

cilium < 1.12.14 < 1.12.14

References

https://github.com/cilium/cilium/security/advisories/GHSA...

x_refsource_CONFIRM

https://docs.cilium.io/en/latest/security/threat-model/#k...

x_refsource_MISC

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 27, 2023
Vulnerability Reserved
Jul 28, 2023