Skip to content

x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-8fg8-jh2h-f2hc #1643

Description

@GoVulnBot

In GitHub Security Advisory GHSA-8fg8-jh2h-f2hc, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/cilium/cilium 1.13.1 >= 1.13.0, < 1.13.1

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/cilium/cilium
    versions:
      - introduced: 1.13.0
        fixed: 1.13.1
    packages:
      - package: github.com/cilium/cilium
  - module: github.com/cilium/cilium
    versions:
      - introduced: 1.12.0
        fixed: 1.12.8
    packages:
      - package: github.com/cilium/cilium
  - module: github.com/cilium/cilium
    versions:
      - fixed: 1.11.15
    packages:
      - package: github.com/cilium/cilium
summary: 'Potential network policy bypass when routing IPv6 traffic '
description: |-
    ## Impact

    Under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. Only IPv6 traffic is impacted by this vulnerability.

    This issue only manifests when:
    * Cilium is routing IPv6 traffic, and
    * Kube-proxy is used for service handling, and
    * NodePorts are used to route traffic to pods.

    IPv6 is disabled by default. Cilium's kube-proxy replacement feature is not affected by this vulnerability.

    ## Patches

    The problem has been fixed and is available on versions >=1.11.15, >=1.12.8, >=1.13.1

    ## Workarounds

    Disable IPv6 routing (IPv6 is disabled by default).

    ## Acknowledgements

    The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to Yusuke Suzuki for both highlighting and fixing the issue.

    ## For more information

    If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).

    As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.
cves:
  - CVE-2023-27594
ghsas:
  - GHSA-8fg8-jh2h-f2hc
references:
  - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc
  - advisory: https://github.com/advisories/GHSA-8fg8-jh2h-f2hc

Metadata

Metadata

Assignees

Labels

excluded: EFFECTIVELY_PRIVATEThis vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions