CVE-2024-28249: 
Cilium vulnerability analysis and mitigation

Cilium, a networking, observability, and security solution with an eBPF-based dataplane, has been found to have a vulnerability (CVE-2024-28249) affecting versions prior to 1.13.13, 1.14.8, and 1.15.2. The vulnerability was disclosed on March 18, 2024, and involves unencrypted traffic transmission in specific configurations (NVD, GitHub Advisory).

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, two types of traffic that should be encrypted are transmitted unencrypted: traffic between a node's Envoy proxy and pods on other nodes, and traffic between a node's DNS proxy and pods on other nodes. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating adjacent network attack vector, high attack complexity, no privileges required, and potential for high confidentiality impact (GitHub Advisory).

The primary impact of this vulnerability is the potential exposure of sensitive data that should be encrypted during transmission between nodes. For clusters running in native routing mode, IPsec encryption is not applied to connections selected by L7 Egress Network Policy or DNS Policy, which remains a known limitation even after patching (GitHub Advisory).

The vulnerability has been patched in Cilium versions 1.15.2, 1.14.8, and 1.13.13. Users are advised to upgrade to these versions or later as there are no known workarounds for this issue. The fix includes significant changes to the IPsec stack, particularly for connections selected by L7 Network Policy or DNS Policy (GitHub Release 1.15.2, GitHub Release 1.14.8, GitHub Release 1.13.13).

The Cilium community worked together with members of Isovalent to prepare the mitigations. Special acknowledgment was given to several contributors including @jschwinger233, @julianwiedmann, @giorio94, and @jrajahalme for their work in triaging and resolving this issue (GitHub Advisory).