CVE-2023-41332: 
Cilium vulnerability analysis and mitigation

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. The vulnerability (CVE-2023-41332) was discovered in versions prior to 1.14.2, 1.13.7, and 1.12.14. In affected Cilium clusters where the Layer 7 proxy has been disabled, creating workloads with specific proxy-visibility annotations causes the Cilium agent to segfault on the node to which the workload is assigned (GitHub Advisory).

The vulnerability occurs when workloads are created with 'policy.cilium.io/proxy-visibility' annotations (in Cilium >= v1.13) or 'io.cilium.proxy-visibility' annotations (in Cilium <= v1.12) in clusters where Cilium's Layer 7 proxy is disabled. This triggers a segmentation fault in the Cilium agent on the affected node. The issue has been assigned a CVSS v3.1 base score of 3.5 (Low) with vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

When exploited, existing traffic on the affected node continues to flow, but the Cilium agent becomes unable to process changes to workloads running on the node. This prevents new workloads from starting on the affected node. While the denial of service is limited to the node where the workload is scheduled, an attacker could potentially schedule workloads on specific nodes for targeted attacks (GitHub Advisory).

The vulnerability has been patched in Cilium versions 1.14.2, 1.13.7, and 1.12.14. Users who cannot immediately upgrade can avoid this denial of service attack by enabling the Layer 7 proxy as a workaround (GitHub Advisory).

The Cilium community worked together with members of Acorn Labs and Isovalent to prepare the mitigations. Special acknowledgment was given to g-linville for identifying the issue and sayboras for developing the fix (GitHub Advisory).