cvelistv5 - cve-2024-52529

cve-2024-52529

Vulnerability from cvelistv5

Published

2024-11-25 18:49

Modified

2024-11-26 14:28

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary

Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/cilium/cilium/pull/35150
	security-advisories@github.com	https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67

Impacted products

Vendor

Product

Version

▼

cilium

Version: >= 1.16.0, < 1.16.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "cilium",
            "vendor": "cilium",
            "versions": [
              {
                "lessThan": "1.16.4",
                "status": "affected",
                "version": "1.16.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52529",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-26T14:27:46.184253Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-26T14:28:59.941Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cilium",
          "vendor": "cilium",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.16.0, \u003c 1.16.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the first policy\u0027s range the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue only affects users who use Cilium\u0027s port range functionality, which was introduced in Cilium v1.16. This issue is patched in PR #35150. This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive. This issue is patched in Cilium v1.16.4. Users are advised to upgrade. Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-25T18:49:15.616Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67"
        },
        {
          "name": "https://github.com/cilium/cilium/pull/35150",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cilium/cilium/pull/35150"
        }
      ],
      "source": {
        "advisory": "GHSA-xg58-75qf-9r67",
        "discovery": "UNKNOWN"
      },
      "title": "Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52529",
    "datePublished": "2024-11-25T18:49:15.616Z",
    "dateReserved": "2024-11-11T18:49:23.561Z",
    "dateUpdated": "2024-11-26T14:28:59.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-52529\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-25T19:15:11.373\",\"lastModified\":\"2024-11-25T19:15:11.373\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the first policy\u0027s range the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue only affects users who use Cilium\u0027s port range functionality, which was introduced in Cilium v1.16. This issue is patched in PR #35150. This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive. This issue is patched in Cilium v1.16.4. Users are advised to upgrade. Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.\"},{\"lang\":\"es\",\"value\":\"Cilium es una soluci\u00f3n de redes, observabilidad y seguridad con un plano de datos basado en eBPF. Para los usuarios con la siguiente configuraci\u00f3n: 1. Una pol\u00edtica de permiso que selecciona un destino de Capa 3 y un rango de puertos `AND` 2. Una pol\u00edtica de permiso de Capa 7 que selecciona un puerto espec\u00edfico dentro del rango de la primera pol\u00edtica, la aplicaci\u00f3n de Capa 7 no se producir\u00eda para el tr\u00e1fico seleccionado por la pol\u00edtica de Capa 7. Este problema solo afecta a los usuarios que utilizan la funcionalidad de rango de puertos de Cilium, que se introdujo en Cilium v1.16. Este problema est\u00e1 corregido en PR #35150. Este problema afecta a Cilium v1.16 entre v1.16.0 y v1.16.3 inclusive. Este problema est\u00e1 corregido en Cilium v1.16.4. Se recomienda a los usuarios que actualicen. Los usuarios con pol\u00edticas de red que coincidan con el patr\u00f3n descrito anteriormente pueden solucionar el problema reescribiendo cualquier pol\u00edtica que utilice rangos de puertos para especificar individualmente los puertos permitidos para el tr\u00e1fico.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-755\"}]}],\"references\":[{\"url\":\"https://github.com/cilium/cilium/pull/35150\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

ghsa-xg58-75qf-9r67

Vulnerability from github

Published

2024-11-25 19:35

Modified

2024-12-04 16:22

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Summary

Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges

Details

Impact

For users with the following configuration:

An allow policy that selects a Layer 3 identity and a port range AND
A Layer 7 allow policy that selects a specific port within the first policy's range

then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy.

This issue only affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16.

For reference, an example of a pair of policies that would trigger this issue is:

apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: "layer-3-and-4" spec: endpointSelector: matchLabels: app: service ingress: - fromCIDR: - 192.168.60.0/24 toPorts: - ports: - port: "80" endPort: 444 protocol: TCP and apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: "layer-4-and-7" spec: endpointSelector: matchLabels: app: service ingress: toPorts: - ports: - port: "80" protocol: TCP rules: http: - method: "GET" path: "/public"

In the above example, requests would be permitted to all HTTP paths on matching endpoints, rather than just GET requests to the /public path as intended by the layer-4-and-7 policy. In patched versions of Cilium, the layer-4-and-7 rule would take precedence over the layer-3-and-4 rule.

Patches

This issue is patched in https://github.com/cilium/cilium/pull/35150.

This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive.

This issue is patched in Cilium v1.16.4.

Workarounds

Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @jrajahalme for resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Show details on source website