cvelistv5 - cve-2024-42487

cve-2024-42487

Vulnerability from cvelistv5

Published

2024-08-15 20:26

Modified

2024-08-15 20:46

Severity ?

4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary

Cilium's Gateway API route matching order contradicts specification

References

URL	Tags
security-advisories@github.com	https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/cilium/cilium/pull/34109	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww	Vendor Advisory

Impacted products

Vendor

Product

Version

▼

cilium

Version: = 1.16.0
Version: >= 1.15.0, < 1.15.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42487",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T20:46:25.530673Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T20:46:34.910Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cilium",
          "vendor": "cilium",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.16.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.15.0, \u003c 1.15.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched. This could result in unexpected behaviour with security This issue is fixed in Cilium v1.15.8 and v1.16.1. There is no workaround for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-15T20:26:53.455Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww"
        },
        {
          "name": "https://github.com/cilium/cilium/pull/34109",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cilium/cilium/pull/34109"
        },
        {
          "name": "https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a"
        }
      ],
      "source": {
        "advisory": "GHSA-qcm3-7879-xcww",
        "discovery": "UNKNOWN"
      },
      "title": "Cilium\u0027s Gateway API route matching order contradicts specification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-42487",
    "datePublished": "2024-08-15T20:26:53.455Z",
    "dateReserved": "2024-08-02T14:13:04.617Z",
    "dateUpdated": "2024-08-15T20:46:34.910Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-42487\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-15T21:15:16.997\",\"lastModified\":\"2024-09-30T18:31:04.757\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched. This could result in unexpected behaviour with security This issue is fixed in Cilium v1.15.8 and v1.16.1. There is no workaround for this issue.\"},{\"lang\":\"es\",\"value\":\"Cilium es una soluci\u00f3n de redes, observabilidad y seguridad con un plano de datos basado en eBPF. En la rama 1.15 anterior a 1.15.8 y en la rama 1.16 anterior a 1.16.1, las HTTPRoutes y GRPCRoutes de la API de puerta de enlace no siguen la precedencia de coincidencia especificada en la especificaci\u00f3n de la API de puerta de enlace. En particular, los encabezados de solicitud coinciden antes que los m\u00e9todos de solicitud, cuando la especificaci\u00f3n describe que los m\u00e9todos de solicitud deben respetarse antes de que coincidan los encabezados. Esto podr\u00eda provocar un comportamiento inesperado con la seguridad. Este problema se solucion\u00f3 en Cilium v1.15.8 y v1.16.1. No existe ninguna soluci\u00f3n para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":4.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-113\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-436\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.15.0\",\"versionEndExcluding\":\"1.15.8\",\"matchCriteriaId\":\"A0C8F90D-07B3-4666-8C22-089A2DA27A03\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cilium:cilium:1.16.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DD19FEA3-61F3-4F12-8833-045918EEED05\"}]}]}],\"references\":[{\"url\":\"https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cilium/cilium/pull/34109\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

ghsa-qcm3-7879-xcww

Vulnerability from github

Published

2024-08-15 21:46

Modified

2024-09-30 19:48

Severity ?

4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary

Gateway API route matching order contradicts specification

Details

Impact

Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule).

If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/34109.

This issue affects: - Cilium v1.15 between v1.15.0 and v1.15.7 inclusive - Cilium v1.16.0

This issue is fixed in: - Cilium v1.15.8 - Cilium v1.16.1

Workarounds

There is no workaround for this issue.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.

Further information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Show details on source website