ByteOS Network

Vulnerability Details :

CVE-2023-41332

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-26 Sep, 2023 | 20:27

Updated At-23 Sep, 2024 | 20:30

Denial of service via Kubernetes annotations in specific Cilium configurations

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with `policy.cilium.io/proxy-visibility` annotations (in Cilium >= v1.13) or `io.cilium.proxy-visibility` annotations (in Cilium <= v1.12) causes the Cilium agent to segfault on the node to which the workload is assigned. Existing traffic on the affected node will continue to flow, but the Cilium agent on the node will not able to process changes to workloads running on the node. This will also prevent workloads from being able to start on the affected node. The denial of service will be limited to the node on which the workload is scheduled, however an attacker may be able to schedule workloads on the node of their choosing, which could lead to targeted attacks. This issue has been resolved in Cilium versions 1.14.2, 1.13.7, and 1.12.14. Users unable to upgrade can avoid this denial of service attack by enabling the Layer 7 proxy.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:GitHub_M

Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa

Published At:26 Sep, 2023 | 20:27

Updated At:23 Sep, 2024 | 20:30

▼CVE Numbering Authority (CNA)

Denial of service via Kubernetes annotations in specific Cilium configurations

Affected Products

Vendor

cilium

Product

cilium

Versions

Affected

>= 1.14.0, < 1.14.2
>= 1.13.0, < 1.13.7
< 1.12.14

Problem Types

Type	CWE ID	Description
CWE	CWE-755	CWE-755: Improper Handling of Exceptional Conditions

Type: CWE

CWE ID: CWE-755

Description: CWE-755: Improper Handling of Exceptional Conditions

Metrics

Version	Base score	Base severity	Vector
3.1	3.5	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Version: 3.1

Base score: 3.5

Base severity: LOW

Vector:

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References

Hyperlink	Resource
https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp	x_refsource_CONFIRM
https://github.com/cilium/cilium/pull/27597	x_refsource_MISC

Hyperlink: https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/cilium/cilium/pull/27597

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp	x_refsource_CONFIRM x_transferred
https://github.com/cilium/cilium/pull/27597	x_refsource_MISC x_transferred

Hyperlink: https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp

Resource:

x_refsource_CONFIRM

x_transferred

Hyperlink: https://github.com/cilium/cilium/pull/27597

Resource:

x_refsource_MISC

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security-advisories@github.com

Published At:27 Sep, 2023 | 15:19

Updated At:29 Sep, 2023 | 13:56

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	3.5	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Secondary	3.1	3.5	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Type: Primary

Version: 3.1

Base score: 3.5

Base severity: LOW

Vector:

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Type: Secondary

Version: 3.1

Base score: 3.5

Base severity: LOW

Vector:

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CPE Matches

cilium>>cilium>>Versions before 1.12.14(exclusive)

cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*

cilium>>cilium>>Versions from 1.13.0(inclusive) to 1.13.7(exclusive)

cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*

cilium>>cilium>>Versions from 1.14.0(inclusive) to 1.14.2(exclusive)

cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-755	Primary	security-advisories@github.com

CWE ID: CWE-755

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/cilium/cilium/pull/27597	security-advisories@github.com	Exploit Issue Tracking Patch
https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp	security-advisories@github.com	Exploit Mitigation Patch Third Party Advisory

Hyperlink: https://github.com/cilium/cilium/pull/27597

Source: security-advisories@github.com

Resource:

Exploit

Issue Tracking

Patch

Hyperlink: https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp

Source: security-advisories@github.com

Resource:

Exploit

Mitigation

Patch

Third Party Advisory

Similar CVEs

3Records found

CVE-2023-27595

Matching Score-6

Assigner-GitHub, Inc.

View Details

Matching Score-6

Assigner-GitHub, Inc.

CVSS Score-6.5||MEDIUM

EPSS-0.04% / 11.10%

7 Day CHG~0.00%

Published-17 Mar, 2023 | 21:12

Updated-25 Feb, 2025 | 14:53

Cilium eBPF filters may be temporarily removed during agent restart

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). This vulnerability is fixed in Cilium 1.13.1 or later. Cilium releases 1.12.x, 1.11.x, and earlier are not affected. There are no known workarounds.

Vendor-cilium cilium

Product-cilium cilium

CWE ID-CWE-755

Improper Handling of Exceptional Conditions

CVE-2023-28114

Matching Score-6

Assigner-GitHub, Inc.

View Details

Matching Score-6

Assigner-GitHub, Inc.

CVSS Score-4.8||MEDIUM

EPSS-0.03% / 7.27%

7 Day CHG~0.00%

Published-22 Mar, 2023 | 18:30

Updated-25 Feb, 2025 | 14:51

`cilium-cli` disables etcd authorization for clustermesh clusters

`cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue. Due to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster. This issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium's Helm charts to create their cluster.

Vendor-cilium cilium

Product-cilium-cli cilium-cli

CWE ID-CWE-280

Improper Handling of Insufficient Permissions or Privileges

CWE ID-CWE-755

Improper Handling of Exceptional Conditions

CVE-2024-52529

Matching Score-6

Assigner-GitHub, Inc.

View Details

Matching Score-6

Assigner-GitHub, Inc.

CVSS Score-5.8||MEDIUM

EPSS-0.03% / 7.41%

7 Day CHG~0.00%

Published-25 Nov, 2024 | 18:49

Updated-26 Nov, 2024 | 14:28

Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the first policy's range the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue only affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16. This issue is patched in PR #35150. This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive. This issue is patched in Cilium v1.16.4. Users are advised to upgrade. Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.

Vendor-cilium cilium

Product-cilium cilium

CWE ID-CWE-755

Improper Handling of Exceptional Conditions

CVE-2023-41332

Credits

Denial of service via Kubernetes annotations in specific Cilium configurations

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs