GHSA-G8FC-VRCG-8VJG

Vulnerability from github – Published: 2024-04-15 18:13 – Updated: 2024-06-04 19:35
VLAI
Summary
Constallation has pods exposed to peers in VPC
Details

Impact

Cilium allows outside actors (world entity) to directly access pods with their internal pod IP, even if they are not exposed explicitly (e.g. via LoadBalancer). A pod that does not authenticate clients and that does not exclude world traffic via network policy may leak sensitive data to an attacker inside the cloud VPC.

Patches

The issue has been patched in v2.16.3.

Workarounds

This network policy excludes all world traffic. It mitigates the problem, but will also block all desired external traffic. If vulnerable pods are known, a policy can be crafted to only firewall those instead (see also https://docs.cilium.io/en/stable/security/policy/language/#access-to-from-outside-cluster).

apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "from-world-to-role-public"
spec:
  endpointSelector:
    matchLabels: {}
    #  role: public
  ingressDeny:
    - fromEntities:
      - world

References

The tracking bug for a Cilium-side fix is https://github.com/cilium/cilium/issues/25626.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgelesssys/constellation/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-15T18:13:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nCilium allows outside actors (`world` entity) to directly access pods with their internal pod IP, even if they are not exposed explicitly (e.g. via `LoadBalancer`). A pod that does not authenticate clients and that does not exclude `world` traffic via network policy may leak sensitive data to an attacker _inside the cloud VPC_.\n\n### Patches\n\nThe issue has been patched in [v2.16.3](https://github.com/edgelesssys/constellation/releases/tag/v2.16.3).\n\n### Workarounds\n\nThis network policy excludes all `world` traffic. It mitigates the problem, but will also block all desired external traffic. If vulnerable pods are known, a policy can be crafted to only firewall those instead (see also https://docs.cilium.io/en/stable/security/policy/language/#access-to-from-outside-cluster).\n\n```yaml\napiVersion: \"cilium.io/v2\"\nkind: CiliumClusterwideNetworkPolicy\nmetadata:\n  name: \"from-world-to-role-public\"\nspec:\n  endpointSelector:\n    matchLabels: {}\n    #  role: public\n  ingressDeny:\n    - fromEntities:\n      - world\n```\n\n### References\n\nThe tracking bug for a Cilium-side fix is https://github.com/cilium/cilium/issues/25626. \n",
  "id": "GHSA-g8fc-vrcg-8vjg",
  "modified": "2024-06-04T19:35:51Z",
  "published": "2024-04-15T18:13:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/constellation/security/advisories/GHSA-g8fc-vrcg-8vjg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/issues/25626"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edgelesssys/constellation"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2727"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Constallation has pods exposed to peers in VPC"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…