GMS-2022-3726: Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels

August 30, 2022

If a user has Network Policies with namespace selectors selecting labels of namespaces, or (clusterwide) Cilium Network Policies matching on namespace labels, then it is possible for an attacker with Kubernetes pod deploy rights (either directly or indirectly via higher-level APIs such as Deployment, Daemonset etc) to craft additional pod labels such that the pod is selected by another policy that exists rather than the expected policy.

References

github.com/advisories/GHSA-pfhr-pccp-hwmh
github.com/cilium/cilium/releases/tag/v1.10.14
github.com/cilium/cilium/releases/tag/v1.11.8
github.com/cilium/cilium/releases/tag/v1.12.1
github.com/cilium/cilium/security/advisories/GHSA-pfhr-pccp-hwmh

Code Behaviors & Features

Detect and mitigate GMS-2022-3726 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →