GMS-2022-2927: Cilium host policy bypass in endpoint-routes mode with dual-stack

July 15, 2022 (updated July 20, 2022)

This vulnerability allows bypassing host policies for IPv6 traffic coming from a Cilium-managed pod and destined to the host-network namespace (e.g., to a host-network pod). Host policy enforcement on IPv4 or for traffic coming from outside the node is not affected. Cilium is only affected by this vulnerability if IPv4, IPv6, endpoint routes, and the host firewall are enabled. Note that endpoint routes are typically only enabled in GKE, EKS, AKS, and OpenShift; in those environments, IPv6 is typically disabled. Host firewall is disabled by default.

References

github.com/advisories/GHSA-wc5v-r48v-g4vh
github.com/cilium/cilium/commit/c758da7e9d19cd19b96dc90424c0b5ec7409cd0a
github.com/cilium/cilium/security/advisories/GHSA-wc5v-r48v-g4vh

Code Behaviors & Features

Detect and mitigate GMS-2022-2927 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →