Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium
CVE-2024-52529

5.8MEDIUM

Key Information:

Vendor: Cilium
Status: Cilium
Vendor: CVE Published:; 25 November 2024

What is CVE-2024-52529?

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range AND 2. A Layer 7 allow policy that selects a specific port within the first policy's range the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue only affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16. This issue is patched in PR #35150. This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive. This issue is patched in Cilium v1.16.4. Users are advised to upgrade. Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.

Affected Version(s)

cilium >= 1.16.0, < 1.16.4

References

https://github.com/cilium/cilium/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/cilium/cilium/pull/35150

x_refsource_MISC

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 25, 2024

JSON