Skip to content

x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-c66w-hq56-4q97 #393

Description

@GoVulnBot

In GitHub Security Advisory GHSA-c66w-hq56-4q97, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/cilium/cilium 1.9.5 >= 1.9.0, <= 1.9.4

See doc/triage.md for instructions on how to triage this report.

package: github.com/cilium/cilium
additional_packages:
  - package: github.com/cilium/cilium
    versions:
      - introduced: TODO (earliest fixed "1.8.8", vuln range ">= 1.8.3, <= 1.8.7")
  - package: github.com/cilium/cilium
    versions:
      - introduced: TODO (earliest fixed "1.7.15", vuln range ">= 1.7.8, <= 1.7.14")
versions:
  - introduced: TODO (earliest fixed "1.9.5", vuln range ">= 1.9.0, <= 1.9.4")
description: "## Impact\n\nUnder certain conditions, ICMP Echo Request sent to a Cilium
    endpoint from an actor may bypass a network policy which _disallows_ access from
    the actor to the endpoint, but _allows_ from the endpoint to the actor. This does
    _NOT_ apply to UDP and TCP traffic.\n\nThe actor is either a pod or a cluster
    host or a remote host.\n\nThe following conditions must be met:\n1. Network policies
    have been created which:\n  a) do not allow access from the actor to the endpoint;\n
    \ b) allow access from the endpoint to the actor and does not specify neither
    protocol nor port. \n2. The endpoint has sent ICMP Echo Request to the actor with
    the ICMP identifier X.\n3. The actor sends ICMP Echo Request to the endpoint with
    the same ICMP identifier X.\n4. The request from the actor (3.) is sent before
    the Cilium's conntrack GC has removed the previously created conntrack entry (2.).\n\n##
    Detailed description\n\nSee https://github.com/cilium/cilium/commit/dfb008a9099c4da1e0fd964c899c43ee13280b0e
    (v1.9.x), https://github.com/cilium/cilium/commit/ff6ebae6efca1bd991302b464dea428512823e79
    (v1.8.x), https://github.com/cilium/cilium/commit/472bbeff75161979c317ab21d563f826291b5f37
    (v1.7.x).\n\n## Example\n\n```\n$ kubectl run server --image=quay.io/cilium/net-test:v1.0.0
    --restart=Never -- sleep 3600\n$ kubectl run client --image=quay.io/cilium/net-test:v1.0.0
    --restart=Never -- sleep 3600\n$ cat <<EOF | kubectl apply -f\napiVersion: networking.k8s.io/v1\nkind:
    NetworkPolicy\nmetadata:\n  name: server-netpol # allow client->server\nspec:\n
    \ podSelector:\n    matchLabels:\n      run: server\n  ingress:\n  - from:\n    -
    podSelector:\n        matchLabels:\n          run: client\n  policyTypes:\n  -
    Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n
    \ name: client-netpol # deny any->client\nspec:\n  podSelector:\n    matchLabels:\n
    \     run: client\n  policyTypes:\n  - Ingress\nEOF\n\n$ kubectl exec -ti server
    -- xping -c1 -x666 $CLIENT_POD_IP\nPING 10.154.0.50 (10.154.0.50): 56 data bytes\n^C\n---
    10.154.0.50 ping statistics ---\n1 packets transmitted, 0 packets received, 100%
    packet loss   <--- \"client-netpol\" policy denied\ncommand terminated with exit
    code 1\n\n$ kubectl exec -ti client -- xping -c1 -x666 $SERVER_POD_IP\nPING 10.154.1.16
    (10.154.1.16): 56 data bytes\n64 bytes from 10.154.1.16: seq=0 ttl=60 time=0.822
    ms\n\n--- 10.154.1.16 ping statistics ---\n1 packets transmitted, 1 packets received,
    0% packet loss   <--- \"server-netpol\" policy allowed\nround-trip min/avg/max
    = 0.822/0.822/0.822 ms\n\n$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP\nPING
    10.154.0.50 (10.154.0.50): 56 data bytes\n64 bytes from 10.154.0.50: seq=0 ttl=60
    time=0.527 ms\n\n--- 10.154.0.50 ping statistics ---\n1 packets transmitted, 1
    packets received, 0% packet loss   <--- \"client-netpol\" policy bypassed\nround-trip
    min/avg/max = 0.527/0.527/0.527 ms\n```\n\n## For more information\n\nIf you have
    any questions or comments about this advisory:\n\n- Open an issue in [Cilium Issues](https://github.com/cilium/cilium/issues)\n-
    Email us at security@cilium.io"
published: 2021-05-21T14:32:37Z
last_modified: 2021-05-21T14:32:37Z
ghsas:
  - GHSA-c66w-hq56-4q97

Metadata

Metadata

Assignees

No one assigned

    Labels

    excluded: EFFECTIVELY_PRIVATEThis vulnerability exists in a package can be imported, but isn't meant to be outside that module.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions