modules:
- module: github.com/cilium/cilium
versions:
- introduced: 1.13.0
fixed: 1.13.1
packages:
- package: github.com/cilium/cilium
- module: github.com/cilium/cilium
versions:
- introduced: 1.12.0
fixed: 1.12.8
packages:
- package: github.com/cilium/cilium
- module: github.com/cilium/cilium
versions:
- fixed: 1.11.15
packages:
- package: github.com/cilium/cilium
summary: 'Potential network policy bypass when routing IPv6 traffic '
description: |-
## Impact
Under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. Only IPv6 traffic is impacted by this vulnerability.
This issue only manifests when:
* Cilium is routing IPv6 traffic, and
* Kube-proxy is used for service handling, and
* NodePorts are used to route traffic to pods.
IPv6 is disabled by default. Cilium's kube-proxy replacement feature is not affected by this vulnerability.
## Patches
The problem has been fixed and is available on versions >=1.11.15, >=1.12.8, >=1.13.1
## Workarounds
Disable IPv6 routing (IPv6 is disabled by default).
## Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to Yusuke Suzuki for both highlighting and fixing the issue.
## For more information
If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).
As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.
cves:
- CVE-2023-27594
ghsas:
- GHSA-8fg8-jh2h-f2hc
references:
- advisory: https://github.com/cilium/cilium/security/advisories/GHSA-8fg8-jh2h-f2hc
- advisory: https://github.com/advisories/GHSA-8fg8-jh2h-f2hc
In GitHub Security Advisory GHSA-8fg8-jh2h-f2hc, there is a vulnerability in the following Go packages or modules:
Cross references:
See doc/triage.md for instructions on how to triage this report.