CVE-2024-28249

MEDIUM 6.1 | EPSS 0.30%

Unencrypted traffic between nodes when using IPsec and L7 policies

Published: 2024/3/18 | Modified: 2026/2/4

Description

### Impact

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:

- Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted
- Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted

**Note:** For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by an L7 Egress Network Policy or a DNS Policy. This is a known limitation of Cilium's IPsec encryption which will continue to apply after upgrading to the latest Cilium versions described below.

### Patches

This issue affects:

- Cilium v1.15 before v1.15.2
- Cilium v1.14 before v1.14.8
- Cilium v1.13 before v1.13.13
- Cilium v1.4 to v1.12 inclusive

This issue has been resolved in:

- Cilium v1.15.2
- Cilium v1.14.8
- Cilium v1.13.13

### Workarounds

There is no workaround to this issue.

### Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @jschwinger233, @julianwiedmann, @giorio94, and @jrajahalme for their work in triaging and resolving this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at [[email protected]](mailto:[email protected]). This is a private mailing list that only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.
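The affected and fixed version ranges above are easy to misread when triaging a fleet (v1.4 through v1.12 have no fixed release at all, while v1.13 to v1.15 each have a specific first-fixed patch). The following is an added example, not part of the advisory or of the Cilium project, that encodes exactly those ranges as a version check. It assumes versions in the usual `vMAJOR.MINOR.PATCH[-prerelease]` form and, following semantic versioning, treats a pre-release of a fixed version (for example `v1.15.2-rc.1`) as still affected; versions outside every listed range (v1.3 and earlier, v1.16 and later) are reported as not affected because the advisory does not list them.

```python
"""Check Cilium version strings against the ranges listed in CVE-2024-28249."""
import re

# First fixed patch release per minor line, taken from the advisory text.
FIRST_FIXED_PATCH = {
    13: 13,  # v1.13 before v1.13.13 is affected
    14: 8,   # v1.14 before v1.14.8 is affected
    15: 2,   # v1.15 before v1.15.2 is affected
}

# Minor lines with no fixed release at all: v1.4 to v1.12 inclusive.
FULLY_AFFECTED_MINORS = range(4, 13)

# Assumption: versions look like "v1.14.7", "1.14.7" or "1.14.7-rc.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) for a Cilium version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cilium version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, patch, prerelease = parse_version(version)
    if major != 1:
        return False
    if minor in FULLY_AFFECTED_MINORS:
        return True
    fixed = FIRST_FIXED_PATCH.get(minor)
    if fixed is None:
        # v1.3 and earlier, or v1.16 and later: not in any listed range.
        return False
    # Anything before the fix is affected; a pre-release of the fixed patch
    # precedes the fixed release itself, so it is affected too.
    return patch < fixed or (patch == fixed and prerelease)


def triage(versions):
    """Map each version string to its status: 'affected' or 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample input: versions reported by a handful of clusters.
    sample = ["v1.15.1", "v1.15.2", "v1.14.7", "v1.13.13", "v1.12.14", "v1.16.0"]
    for ver, status in triage(sample).items():
        print(f"{ver:<10} {status}")
```

Remember that a "not affected" result only covers this advisory: the note about native routing mode describes a separate, unpatched limitation that remains even on fixed versions, so clusters relying on IPsec together with L7 or DNS policies still need that reviewed independently of the version check.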

Affected packages (9)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |

References (6)