CVE-2024-52529: Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges
For users with the following configuration:
- An allow policy that selects a Layer 3 identity and a port range AND
- A Layer 7 allow policy that selects a specific port within the first policy’s range
then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy.
This issue only affects users who use Cilium’s port range functionality, which was introduced in Cilium v1.16.
For reference, an example of a pair of policies that would trigger this issue is:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "layer-3-and-4"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
  - fromCIDR:
    - 192.168.60.0/24
    toPorts:
    - ports:
      - port: "80"
        endPort: 444
        protocol: TCP
and
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "layer-4-and-7"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
  - toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/public"
In the above example, requests would be permitted to all HTTP paths on matching endpoints, rather than just GET requests to the /public path as intended by the layer-4-and-7 policy. In patched versions of Cilium, the layer-4-and-7 rule would take precedence over the layer-3-and-4 rule.
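As an added check, not taken from the advisory or the Cilium project, the following Python flags policy pairs that match the pattern described above. It assumes the policies have already been parsed from YAML into dicts (the two advisory policies are embedded as constructed input) and treats protocols as matching only when the strings are identical.

```python
import json

# Constructed sample input: the two policies from the advisory, as parsed YAML dicts.
L3_L4 = {
    "metadata": {"name": "layer-3-and-4"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "service"}},
        "ingress": [{"fromCIDR": ["192.168.60.0/24"],
                     "toPorts": [{"ports": [{"port": "80", "endPort": 444, "protocol": "TCP"}]}]}],
    },
}
L4_L7 = {
    "metadata": {"name": "layer-4-and-7"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "service"}},
        "ingress": [{"toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}],
                                  "rules": {"http": [{"method": "GET", "path": "/public"}]}}]}],
    },
}

def _entries(policy):
    """Flatten one policy into (selector, direction, proto, start, end, has_l3, has_l7) tuples."""
    spec = policy["spec"]
    selector = json.dumps(spec.get("endpointSelector", {}), sort_keys=True)
    for direction in ("ingress", "egress"):
        for rule in spec.get(direction) or []:
            # Any from*/to* peer selector other than toPorts is a Layer 3 selector.
            has_l3 = any(k != "toPorts" and k.startswith(("from", "to")) for k in rule)
            for tp in rule.get("toPorts") or []:
                has_l7 = bool(tp.get("rules"))
                for p in tp.get("ports") or []:
                    start = int(p["port"])
                    end = int(p.get("endPort", start))  # no endPort means a single port
                    yield selector, direction, p.get("protocol", "ANY"), start, end, has_l3, has_l7

def find_affected_pairs(policies):
    """Return (range_policy, l7_policy, port) for every L3 + port-range rule that
    covers a single-port L7 rule in another policy with the same endpointSelector."""
    flat = [(pol["metadata"]["name"], e) for pol in policies for e in _entries(pol)]
    findings = []
    for name_a, (sel_a, dir_a, proto_a, lo, hi, l3_a, l7_a) in flat:
        if not l3_a or l7_a or lo == hi:
            continue  # only plain L3/L4 rules that carry a real port range
        for name_b, (sel_b, dir_b, proto_b, port, port_end, _, l7_b) in flat:
            if (name_a != name_b and l7_b and port == port_end
                    and (sel_a, dir_a, proto_a) == (sel_b, dir_b, proto_b) and lo <= port <= hi):
                findings.append((name_a, name_b, port))
    return findings

if __name__ == "__main__":
    print(find_affected_pairs([L3_L4, L4_L7]))  # [('layer-3-and-4', 'layer-4-and-7', 80)]
```

Any finding on a Cilium v1.16 cluster running an unpatched release marks an endpoint whose L7 rule is silently bypassed; upgrading to a patched version or collapsing the range rule to exclude the L7 port removes the condition.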