
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-25630 affects Cilium, a networking, observability, and security solution with an eBPF-based dataplane. The vulnerability affects deployments that use CRDs (the default configuration) together with WireGuard transparent encryption: traffic to and from the Ingress and health endpoints is sent without WireGuard encryption. The issue was discovered in Cilium v1.14 versions before v1.14.7 and is patched in v1.14.7 (GitHub Advisory, NVD).
The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N: exploitation requires a position on the adjacent network (AV:A) and is of high complexity (AC:H), needs no privileges or user interaction, changes scope (S:C), and has a high confidentiality impact with no integrity or availability impact. The defect lies in the WireGuard transparent encryption implementation, which leaves responses from pods to the Ingress and health endpoints unencrypted. The health endpoint is used only for Cilium's internal health checks. The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-311 (Missing Encryption of Sensitive Data) (NVD, GitHub Advisory).
The primary impact is loss of confidentiality for data in transit. When WireGuard transparent encryption is enabled, operators expect pod traffic crossing the node-to-node network to be encrypted, but responses from pods to the Ingress and health endpoints traverse that network in cleartext and can be read by anyone able to observe it. Traffic in the other direction, from the Ingress and health endpoints to pods, is not affected by this issue (GitHub Advisory).
There is no workaround for this vulnerability. The only mitigation is to upgrade to Cilium v1.14.7 or later, which contains the fix; after upgrading, confirm that the running cilium-agent image (not just the CLI or Helm chart version) is 1.14.7 or later. The fix was prepared by the Cilium community together with members of Isovalent (GitHub Advisory, GitHub Release).
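To turn the advisory's description of the affected configuration into something an operator can run against a cluster, here is an added shell check (example code written for this page, not code from the Cilium project or the advisory). It assumes the agent version string in the form reported by `cilium version` or the cilium-agent image tag, that the advisory's "using CRDs" corresponds to `identity-allocation-mode=crd` (the default) in the `kube-system/cilium-config` ConfigMap, and that `enable-wireguard=true` there means WireGuard transparent encryption is on; the config dump and the version numbers fed to it below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Cilium project code): decide whether a cluster matches the
# CVE-2024-25630 affected configuration from (a) the running agent version and
# (b) the kube-system/cilium-config ConfigMap dumped as key=value lines.
#
# Assumptions, not taken from the advisory:
#   - the advisory's "using CRDs" corresponds to identity-allocation-mode=crd
#     (the default) in cilium-config;
#   - WireGuard is enabled when cilium-config has enable-wireguard=true.

# Affected versions per the advisory: 1.14.x with x < 7. Returns 0 if affected.
cilium_version_affected() {
  v=${1#v}                                  # accept "v1.14.6" or "1.14.6"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;                         # "1.14" is treated as 1.14.0
  esac
  patch=${patch%%[!0-9]*}                   # drop "-rc.1" / "+build" suffixes
  [ "$major" = 1 ] && [ "$minor" = 14 ] && [ "${patch:-0}" -lt 7 ]
}

# Print the value of one key from a key=value dump; empty if the key is absent.
config_value() {
  sed -n "s/^$1=//p" "$2" | head -n 1
}

# Returns 0 if the dump shows the exposing combination: WireGuard enabled and
# CRD identity mode (an unset mode is the default, crd).
cilium_config_exposed() {
  wg=$(config_value enable-wireguard "$1")
  mode=$(config_value identity-allocation-mode "$1")
  [ "$wg" = true ] && [ "${mode:-crd}" = crd ]
}

# Combined check: exit 0 = affected, 1 = not affected.
# $1 = agent version, $2 = path to the key=value config dump.
# The ingress-controller flag is reported only for information: the health
# endpoint exists regardless, so the exposure does not depend on it.
cve_2024_25630_affected() {
  if cilium_version_affected "$1" && cilium_config_exposed "$2"; then
    ingress=$(config_value enable-ingress-controller "$2")
    echo "AFFECTED: cilium $1, WireGuard on, CRD mode (ingress controller: ${ingress:-unset}); upgrade to 1.14.7+"
    return 0
  fi
  echo "not affected: cilium $1"
  return 1
}

# Demonstration on a constructed config dump. In a real cluster produce the
# dump with:
#   kubectl -n kube-system get cm cilium-config \
#     -o go-template='{{range $k,$v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}'
# and take the version from the running cilium-agent image tag.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
enable-wireguard=true
identity-allocation-mode=crd
enable-ingress-controller=true
EOF
cve_2024_25630_affected v1.14.6 "$demo_cfg"   # AFFECTED
cve_2024_25630_affected v1.14.7 "$demo_cfg"   # not affected
rm -f "$demo_cfg"
```

The version parser deliberately treats pre-release suffixes as belonging to the numbered release (so `1.14.6-rc.1` counts as affected) and treats a bare `1.14` as `1.14.0`; the configuration check treats a missing `identity-allocation-mode` as the default `crd`, since the advisory says the default configuration is the affected one.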
Source: This report was generated using AI