CVE-2023-41333: 
Cilium vulnerability analysis and mitigation

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A vulnerability was discovered where an attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace could affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces. The vulnerability was disclosed on September 26, 2023 and affects Cilium versions <=1.14.1, <=1.13.6, and <=1.12.13 (GitHub Advisory).

The vulnerability allows attackers to bypass namespace restrictions by using a crafted endpointSelector that uses the DoesNotExist operator on the reserved:init label in CiliumNetworkPolicies. This crafted configuration enables the creation of policies that bypass namespace restrictions and affect the entire Cilium cluster. The vulnerability has been assigned a CVSS v3.1 base score of 6.9 (Medium) with vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H. The issue has been classified as CWE-306 (Missing Authentication for Critical Function) (NVD).

The vulnerability allows an attacker to potentially allow or deny all traffic across the entire Cilium cluster, bypassing namespace-level policy enforcement. This could lead to unauthorized access and potential disruption of network communications between workloads in different namespaces (GitHub Advisory).

The vulnerability has been patched in Cilium versions 1.14.2, 1.13.7, and 1.12.14. As a workaround, users can implement an admission webhook to prevent the use of endpointSelectors that use the DoesNotExist operator on the reserved:init label in CiliumNetworkPolicies. The fix was implemented through PR #28007 which restricts configuring reserved:init policy via CNP (GitHub PR).