CVE-2024-52529: Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges

For users with the following configuration:

• An allow policy that selects a Layer 3 identity and a port range AND
• A Layer 7 allow policy that selects a specific port within the first policy’s range

then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy.

This issue only affects users who use Cilium’s port range functionality, which was introduced in Cilium v1.16.

For reference, an example of a pair of policies that would trigger this issue is:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "layer-3-and-4"
spec:
endpointSelector:
matchLabels:
app: service
ingress:
- fromCIDR:
- 192.168.60.0/24
toPorts:
- ports:
- port: "80"
endPort: 444
protocol: TCP

and

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "layer-4-and-7"
spec:
endpointSelector:
matchLabels:
app: service
ingress:
toPorts:
- ports:
- port: "80"
protocol: TCP
rules:
http:
- method: "GET"
path: "/public"

In the above example, requests would be permitted to all HTTP paths on matching endpoints, rather than just GET requests to the /public path as intended by the layer-4-and-7 policy. In patched versions of Cilium, the layer-4-and-7 rule would take precedence over the layer-3-and-4 rule.