CVE-2024-47825 Information

Description

Cilium is a networking observability and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10 a policy rule denying a prefix that is broader than /32 may be ignored if there is a policy rule referencing a more narrow prefix (CIDRSet or toFQDN) and this narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all. Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient it must be to entity all.This issue has been patched in Cilium v1.14.16 and v1.15.10. As this issue only affects policies using enableDefaultDeny: false or that set toEntities to all some workarounds are available. For users with policies using enableDefaultDeny: false remove this configuration option and explicitly define any allow rules required. For users with egress policies that explicitly specify toEntities: all use toEntities: world.

Reference

https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6