VYPR
Moderate severity · NVD Advisory · Published Mar 18, 2024 · Updated Aug 2, 2024

Cilium has possible unencrypted traffic between nodes when using IPsec and L7 policies

CVE-2024-28249

Description

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes is sent unencrypted and IPsec-eligible traffic between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium 1.15.2, 1.14.8, and 1.13.13. There is no known workaround for this issue.
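The advisory gives three affected version ranges and two preconditions (IPsec enabled, Layer 7 policies in use). The following is an added example, not code from Cilium or from the advisory: a small Python check that parses a MAJOR.MINOR.PATCH version string (for instance the cilium-agent image tag, which is an assumed input) and reports whether it falls in one of the affected ranges, then combines that with the two preconditions to say whether a cluster is actually exposed. Pre-release and build suffixes are stripped and treated as the base release, which is a simplification.

```python
"""Affected-version check for CVE-2024-28249 (added example, not Cilium's own code)."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges taken from the advisory table: (lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (1, 13, 13)),          # < 1.13.13
    ((1, 14, 0), (1, 14, 8)),     # >= 1.14.0, < 1.14.8
    ((1, 15, 0), (1, 15, 2)),     # >= 1.15.0, < 1.15.2
]


def parse_version(text: str) -> Version:
    """Parse 'v1.14.7', '1.14.7' or '1.14.7-rc.1' into an (int, int, int) tuple.

    Pre-release ('-...') and build ('+...') suffixes are dropped, so a release
    candidate is treated like the release it precedes (a simplification).
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def version_is_affected(version: str) -> bool:
    """True if the version lies in any affected range from the advisory."""
    ver = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or ver >= lower) and ver < upper:
            return True
    return False


def cluster_is_exposed(version: str, ipsec_enabled: bool, l7_policies_present: bool) -> bool:
    """A cluster is exposed only when it runs an affected version AND both
    preconditions from the advisory hold: IPsec transparent encryption is on
    and some traffic matches Layer 7 (Envoy or DNS proxy) policies."""
    return version_is_affected(version) and ipsec_enabled and l7_policies_present


if __name__ == "__main__":
    # Constructed sample inputs, one per advisory range plus the fixed releases.
    for v in ("1.12.5", "1.13.12", "1.13.13", "v1.14.7", "1.14.8", "1.15.1", "1.15.2"):
        print(f"{v:>8}: {'affected' if version_is_affected(v) else 'not affected'}")
    print("exposed:", cluster_is_exposed("1.15.1", ipsec_enabled=True, l7_policies_present=True))
```

Note that 1.13.13 through 1.13.x and the 1.14.8+ and 1.15.2+ releases are reported as not affected because the table's first range is an open-ended upper bound only, so anything below 1.13.13 (including older minor series) counts as affected.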

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions      Patched version
github.com/cilium/cilium   Go          < 1.13.13              1.13.13
github.com/cilium/cilium   Go          >= 1.14.0, < 1.14.8    1.14.8
github.com/cilium/cilium   Go          >= 1.15.0, < 1.15.2    1.15.2

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.