
Cloud Vulnerability DB
A community-led vulnerabilities database
Cilium, a networking, observability, and security solution with an eBPF-based dataplane, disclosed a vulnerability (CVE-2023-27594) affecting versions prior to 1.11.15, 1.12.8, and 1.13.1. The vulnerability was discovered and disclosed on March 17, 2023. Under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running (GitHub Advisory).
The vulnerability manifests only when Cilium is routing IPv6 traffic and NodePorts are used to route traffic to pods; that is, when Cilium is configured with IPv6 routing enabled and kube-proxy is used for service handling. Both IPv6 routing and endpoint routes are disabled by default. NVD assigned the vulnerability a CVSS v3.1 base score of 7.3 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, while GitHub assessed it as MEDIUM with a score of 4.2 and vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).
The vulnerability can lead to network policy bypass, as Cilium incorrectly identifies external traffic as originating from the host running Cilium. This misattribution of source IP addresses could result in the bypass of network policies for the cluster, depending on the specific network policies enabled (GitHub Advisory).
The vulnerability has been patched in Cilium versions 1.11.15, 1.12.8, and 1.13.1. Users who cannot upgrade immediately can apply the recommended workaround of disabling IPv6 routing, which is already disabled by default. Cilium credits Yusuke Suzuki with both identifying and fixing the issue (GitHub Advisory, Cilium Release).
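A quick triage check that turns the fixed versions and the workaround above into code, added here as an example rather than anything shipped by Cilium or Wiz. It assumes the IPv6 routing switch is the `enable-ipv6` entry in the `cilium-config` ConfigMap (an assumed key name; confirm it against your deployment) and does not model the NodePort or kube-proxy conditions, so "affected" means "in the vulnerable version range with the workaround not applied", not confirmed exposure:

```python
"""Triage check for CVE-2023-27594: is a Cilium deployment in scope?

Added example, not code from Cilium or from the advisory. The fixed versions
are the ones the advisory states (1.11.15, 1.12.8, 1.13.1). The ConfigMap
key 'enable-ipv6' is an ASSUMED name for the IPv6 routing switch in the
cilium-config ConfigMap; verify it in your own cluster. The NodePort and
kube-proxy conditions are not modelled, so 'affected' means the version is
vulnerable and the IPv6 workaround is not in place, not proof of exposure.
"""
import re

# First patched release on each affected minor line, from the advisory.
FIXED_PATCH = {(1, 11): 15, (1, 12): 8, (1, 13): 1}
NEWEST_FIXED_LINE = (1, 13)


def parse_version(version):
    """Turn 'v1.12.7' or '1.12.7-rc.1' into (1, 12, 7); reject anything else."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised Cilium version: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_is_patched(version):
    """True if this release already carries the fix."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch >= FIXED_PATCH[line]
    # Lines newer than 1.13 were cut after the fix. The advisory lists no
    # fixed release for older lines (1.10 and below), so treat them as unpatched.
    return line > NEWEST_FIXED_LINE


def ipv6_routing_enabled(config):
    """Read the assumed 'enable-ipv6' switch from cilium-config data
    (absent means the default, which the advisory says is disabled)."""
    return config.get("enable-ipv6", "false").strip().lower() == "true"


def assess(version, config):
    """Return 'patched', 'workaround' (vulnerable version but IPv6 routing
    off) or 'affected' (vulnerable version with IPv6 routing on)."""
    if version_is_patched(version):
        return "patched"
    if not ipv6_routing_enabled(config):
        return "workaround"
    return "affected"


def assess_all(clusters):
    """Assess a {name: (version, config_data)} inventory."""
    return {name: assess(ver, cfg) for name, (ver, cfg) in clusters.items()}


# Constructed sample inventory (not real clusters). In practice the version
# comes from the cilium-agent image tag or `cilium version`, and the config
# data from `kubectl -n kube-system get configmap cilium-config -o json`.
SAMPLE_CLUSTERS = {
    "prod-a": ("v1.12.7", {"enable-ipv6": "true"}),
    "prod-b": ("v1.12.8", {"enable-ipv6": "true"}),
    "staging": ("1.13.0", {"enable-ipv6": "false"}),
    "legacy": ("1.10.20", {}),
}

if __name__ == "__main__":
    for name, result in assess_all(SAMPLE_CLUSTERS).items():
        print("%-8s %s" % (name, result))
```

In the constructed inventory only `prod-a` comes out as affected: it is on 1.12.7 with IPv6 routing enabled, while `prod-b` is on the first fixed 1.12 release and `staging` and `legacy` are vulnerable versions running with the default (disabled) IPv6 routing.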
Source: This report was generated using AI