CVE-2024-25631

MEDIUM 6.1 | EPSS 0.05%

Unencrypted traffic between pods when using Wireguard and an external kvstore

Published: 2024/2/20 | Modified: 2026/2/4

Description

### Impact

For Cilium users who have enabled [an external kvstore](https://docs.cilium.io/en/stable/installation/k8s-install-external-etcd/#when-do-i-need-to-use-a-kvstore) and [Wireguard transparent encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#encryption-wg), traffic between pods in the affected cluster is not encrypted.

### Patches

This issue affects Cilium v1.14 before v1.14.7. This issue has been patched in Cilium v1.14.7.

### Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @giorio94 and @gandro for their work on triaging and remediating this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).

If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at [[email protected]](mailto:[email protected]). This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.

Affected packages (9)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |

References (6)