CVE-2024-25631: 
Cilium vulnerability analysis and mitigation

Cilium, a networking, observability, and security solution with an eBPF-based dataplane, disclosed a vulnerability (CVE-2024-25631) affecting versions v1.14.0 to v1.14.7. The vulnerability impacts users who have enabled both an external kvstore and WireGuard transparent encryption, resulting in unencrypted traffic between pods in the affected cluster (Cilium Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N. This indicates that the vulnerability requires an adjacent network attack vector with high attack complexity, needs no privileges or user interaction, has changed scope, and can result in high confidentiality impact without affecting integrity or availability (NVD).

When exploited, the vulnerability results in pod-to-pod traffic being transmitted without encryption, despite WireGuard encryption being enabled. This compromises the confidentiality of inter-pod communications in affected clusters, potentially exposing sensitive data transmitted between pods (Cilium Advisory).

The vulnerability has been patched in Cilium version 1.14.7. There are no workarounds available, and affected users are strongly encouraged to upgrade to the patched version. The fix addresses the encryption issue for pod-to-pod traffic when using WireGuard with an external kvstore (Cilium Release).

The Cilium community worked together with members of Isovalent to prepare the mitigations. Special acknowledgment was given to contributors giorio94 and gandro for their work on triaging and remediating this issue (Cilium Advisory).