CVE-2024-37307
Cilium leaks sensitive information in cilium-bugtool
Severity: HIGH 7.9 | EPSS: 0.05%
Description
### Impact

The output of `cilium-bugtool` can contain sensitive data when the tool is run (with the `--envoy-dump` flag set) against Cilium deployments with the Envoy proxy enabled. Users of the following features are affected:

- [TLS inspection](https://docs.cilium.io/en/stable/security/tls-visibility/#gs-tls-inspection)
- [Ingress with TLS termination](https://docs.cilium.io/en/stable/network/servicemesh/tls-termination/#gs-ingress-tls)
- [Gateway API with TLS termination](https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/https/)
- [Kafka network policies with API key filtering](https://docs.cilium.io/en/stable/security/policy/language/#kafka-beta)

The sensitive data includes:

- The CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API
- The API keys used in Kafka-related network policy

`cilium-bugtool` is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.

### Patches

This issue affects:

- Cilium v1.13 between v1.13.0 and v1.13.16 inclusive
- Cilium v1.14 between v1.14.0 and v1.14.11 inclusive
- Cilium v1.15 between v1.15.0 and v1.15.5 inclusive

This issue has been patched in:

- Cilium v1.15.6
- Cilium v1.14.12
- Cilium v1.13.17

### Workarounds

There is no workaround to this issue.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @sayboras for their work on triaging and remediating this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [[email protected]](mailto:[email protected]). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
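Because the advisory lists the TLS private key among the leaked items, an operator still on an affected version may want to check a `cilium-bugtool` archive for PEM private-key blocks before sharing it. The following is an added example written for this page, not Cilium's own code; it assumes the archive has already been unpacked into a directory and only matches PEM headers, so it never copies key material out of the files.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
)

// Opening line of any PEM private-key block (RSA, EC, PKCS#8, encrypted PKCS#8).
// Only the header is matched, so key material is never copied out of the file.
var pemPrivateKey = regexp.MustCompile(`-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----`)

// CountPrivateKeys returns the number of PEM private-key headers in data.
func CountPrivateKeys(data []byte) int {
	return len(pemPrivateKey.FindAllIndex(data, -1))
}

// ScanDir walks an already-extracted bugtool archive rooted at root and returns
// the root-relative paths of every file containing at least one PEM private key.
func ScanDir(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if CountPrivateKeys(data) > 0 {
			rel, _ := filepath.Rel(root, path) // path is always beneath root here
			hits = append(hits, filepath.ToSlash(rel))
		}
		return nil
	})
	return hits, err
}

func main() { // usage: go run . <extracted-bugtool-dir>
	hits, err := ScanDir(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("private key material in:", h)
	}
}
```

Kafka API keys have no fixed textual marker, so this check covers only the certificate/key part of the leak; files it flags should be redacted or left out of anything shared outside the team.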
Affected packages (9)
- Bitnami/cilium: >= 1.15.4, < 1.15.6
- Bitnami/cilium-operator: >= 1.15.4, < 1.15.6
- Bitnami/cilium-proxy: >= 1.13.0, < 1.13.17; >= 1.14.0, < 1.14.12; >= 1.15.0, < 1.15.6
- Bitnami/hubble: >= 1.13.0, < 1.13.17; >= 1.14.0, < 1.14.12; >= 1.15.0, < 1.15.6
- Bitnami/hubble-relay: >= 1.13.0, < 1.15.6
- Bitnami/hubble-ui: >= 1.13.0, < 1.13.17; >= 1.14.0, < 1.14.12; >= 1.15.0, < 1.15.6
- Bitnami/hubble-ui-backend: >= 1.13.0, < 1.13.17; >= 1.14.0, < 1.14.12; >= 1.15.0, < 1.15.6
- Go/github.com/cilium/cilium: >= 1.13.0, < 1.13.17; >= 1.14.0, < 1.14.12; >= 1.15.0, < 1.15.6
- Go/github.com/cilium/cilium: >= 1.13.0, < 1.13.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.9 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-37307
- PATCH: https://github.com/cilium/cilium
- WEB: https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407
- WEB: https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a
- WEB: https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741
- WEB: https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653
- WEB: https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b
- WEB: https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61
- WEB: https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j
- WEB: https://pkg.go.dev/vuln/GO-2024-2922