CIDR deny policies may not take effect when a more narrow CIDR allow is present
Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than /32 may be ignored if there is a policy rule referencing a more narrow prefix (CIDRSet or toFQDN) and this narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all. Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.This issue has been patched in Cilium v1.14.16 and v1.15.10. As this issue only affects policies using enableDefaultDeny: false or that set toEntities to all, some workarounds are available. For users with policies using enableDefaultDeny: false, remove this configuration option and explicitly define any allow rules required. For users with egress policies that explicitly specify toEntities: all, use toEntities: world.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/cilium/ciliumGo | >= 1.15.0, < 1.15.10 | 1.15.10 |
github.com/cilium/ciliumGo | >= 1.14.0, < 1.14.16 | 1.14.16 |
Affected products
64- osv-coords63 versionspkg:apk/chainguard/cilium-1.14pkg:apk/chainguard/cilium-1.14-clustermesh-apiserverpkg:apk/chainguard/cilium-1.14-container-initpkg:apk/chainguard/cilium-1.14-container-init-compatpkg:apk/chainguard/cilium-1.14-hubble-relaypkg:apk/chainguard/cilium-1.14-iptablespkg:apk/chainguard/cilium-1.14-operator-awspkg:apk/chainguard/cilium-1.14-operator-genericpkg:apk/chainguard/cilium-1.15pkg:apk/chainguard/cilium-1.15-clustermesh-apiserverpkg:apk/chainguard/cilium-1.15-container-initpkg:apk/chainguard/cilium-1.15-container-init-compatpkg:apk/chainguard/cilium-1.15-hubble-relaypkg:apk/chainguard/cilium-1.15-iptablespkg:apk/chainguard/cilium-1.15-operator-awspkg:apk/chainguard/cilium-1.15-operator-genericpkg:apk/chainguard/cilium-fips-1.14pkg:apk/chainguard/cilium-fips-1.14-clustermesh-apiserverpkg:apk/chainguard/cilium-fips-1.14-compatpkg:apk/chainguard/cilium-fips-1.14-container-initpkg:apk/chainguard/cilium-fips-1.14-container-init-compatpkg:apk/chainguard/cilium-fips-1.14-host-utilspkg:apk/chainguard/cilium-fips-1.14-hubble-relaypkg:apk/chainguard/cilium-fips-1.14-iptablespkg:apk/chainguard/cilium-fips-1.14-operator-awspkg:apk/chainguard/cilium-fips-1.14-operator-azurepkg:apk/chainguard/cilium-fips-1.14-operator-genericpkg:apk/chainguard/cilium-fips-1.15pkg:apk/chainguard/cilium-fips-1.15-clustermesh-apiserverpkg:apk/chainguard/cilium-fips-1.15-container-initpkg:apk/chainguard/cilium-fips-1.15-container-init-compatpkg:apk/chainguard/cilium-fips-1.15-host-utilspkg:apk/chainguard/cilium-fips-1.15-hubble-relaypkg:apk/chainguard/cilium-fips-1.15-operator-awspkg:apk/chainguard/cilium-fips-1.15-operator-azurepkg:apk/chainguard/cilium-fips-1.15-operator-genericpkg:apk/chainguard/hubble-uipkg:apk/chainguard/hubble-ui-backendpkg:apk/chainguard/hubble-ui-backend-fipspkg:apk/wolfi/cilium-1.14pkg:apk/wolfi/cilium-1.14-container-initpkg:apk/wolfi/cilium-1.14-container-init-compatpkg:apk/wolfi/cilium-1.14-hubble-relaypkg:apk/wolfi/cilium-1.14-iptablespkg:apk/wolfi/cilium-1.14-operator-genericpkg:apk/wolfi/cilium-1.15pkg:apk/wolfi/cilium-1.15-container-initpkg:apk/wolfi/cilium-1.15-container-init-compatpkg:apk/wolfi/cilium-1.15-hubble-relaypkg:apk/wolfi/cilium-1.15-iptablespkg:apk/wolfi/cilium-1.15-operator-genericpkg:apk/wolfi/hubble-uipkg:apk/wolfi/hubble-ui-backendpkg:bitnami/ciliumpkg:bitnami/cilium-operatorpkg:bitnami/hubble-relaypkg:golang/github.com/cilium/ciliumpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Package%20Hub%2012
< 1.14.16-r0+ 62 more
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.19-r3
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.14.16-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 1.15.10-r0
- (no CPE)range: < 0.13.1-r7
- (no CPE)range: < 0.13.1-r7
- (no CPE)range: < 0.13.1-r7
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.14.19-r34
- (no CPE)range: < 1.15.19-r3
- (no CPE)range: < 1.15.19-r3
- (no CPE)range: < 1.15.19-r3
- (no CPE)range: < 1.15.19-r3
- (no CPE)range: < 1.15.19-r3
- (no CPE)range: < 1.15.19-r3
- (no CPE)range: < 0.13.1-r7
- (no CPE)range: < 0.13.1-r7
- (no CPE)range: >= 1.15.4, < 1.16.0
- (no CPE)range: >= 1.15.4, < 1.16.0
- (no CPE)range: >= 1.14.0, < 1.16.0
- (no CPE)range: >= 1.15.0, < 1.15.10
- (no CPE)range: < 0.0.20241030T212825-150000.1.9.1
- (no CPE)range: < 0.0.20241030T212825-150000.1.9.1
- (no CPE)range: < 0.0.20241030T212825-1.1
- (no CPE)range: < 0.0.20241030T212825-150000.1.9.1
- (no CPE)range: < 0.0.20241030T212825-150000.1.9.1
- (no CPE)range: < 0.0.20241104T154416-5.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-3wwx-63fv-pfq6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-47825ghsaADVISORY
- github.com/cilium/cilium/commit/02d28d9ac9afcaddd301fae6fb4d6cda8c2d0c45ghsaWEB
- github.com/cilium/cilium/commit/9c01afb5646af3f0c696421a410dc66c513b6524ghsaWEB
- github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.