
Cloud Vulnerability DB
A community-led vulnerabilities database
Cilium, a networking, observability, and security solution with an eBPF-based dataplane, contains a vulnerability (CVE-2024-47825) that affects versions starting from 1.14.0 and prior to versions 1.14.16 and 1.15.10. The vulnerability allows policy rules denying a broader prefix to be ignored under specific conditions, potentially leading to unauthorized network access (GitHub Advisory, NVD).
The vulnerability occurs when a policy rule denying a prefix broader than /32 exists alongside a policy rule referencing a narrower prefix (via toCIDRSet or toFQDNs). The denial can be bypassed if the narrower policy rule specifies either enableDefaultDeny: false or toEntities: all. Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is not sufficient to trigger the vulnerability; it must specifically be toEntities: all. The vulnerability has been assigned a CVSS v3.1 base score of 4.0 MEDIUM by GitHub, while NVD rates it as 8.7 HIGH (GitHub Advisory, NVD).
The vulnerability can result in traffic being allowed to destinations that should be denied by broader CIDR deny rules. For example, if a policy denies traffic to 1.0.0.0/8 but a more specific rule allows traffic to 1.1.1.2/32 together with one of the configurations above, traffic to 1.1.1.2 would be incorrectly allowed (GitHub Advisory).
The issue has been patched in Cilium versions 1.14.16 and 1.15.10. For users unable to upgrade immediately, two workarounds are available: (1) users with policies that set enableDefaultDeny: false can remove this configuration option and explicitly define any allow rules required; (2) users whose egress policies explicitly specify toEntities: all should use toEntities: world instead (GitHub Advisory).
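The following is an added example (not Cilium's or Wiz's code) that scans a set of CiliumNetworkPolicy objects for the pattern described above: an egress deny on a prefix broader than /32 undermined by a narrower allow in a policy that sets enableDefaultDeny.egress: false or uses toEntities: all. It assumes the policies are supplied as Python dicts in the shape kubectl get cnp -o json returns, and the sample policies embedded in it are constructed to mirror the advisory's 1.0.0.0/8 versus 1.1.1.x/32 case.

```python
"""Flag CiliumNetworkPolicy objects matching the CVE-2024-47825 pattern. Added example,
not Cilium or Wiz code; policies are dicts as `kubectl get cnp -o json` returns them."""
import ipaddress

def _cidrs(rule):
    """Networks named by a rule's toCIDR and toCIDRSet fields."""
    nets = [ipaddress.ip_network(c) for c in rule.get("toCIDR", [])]
    return nets + [ipaddress.ip_network(s["cidr"]) for s in rule.get("toCIDRSet", [])]

def _has_bypass_trigger(spec):
    """Only enableDefaultDeny.egress: false or toEntities: all trigger the bug, not world."""
    default_deny_off = spec.get("enableDefaultDeny", {}).get("egress") is False
    entity_all = any("all" in r.get("toEntities", []) for r in spec.get("egress", []))
    return default_deny_off or entity_all

def find_bypasses(policies):
    """(policy, denied prefix, narrower allowed prefix) triples an unpatched Cilium would allow."""
    # Denied prefixes broader than /32, gathered across all policies.
    denied = [n for p in policies for r in p["spec"].get("egressDeny", [])
              for n in _cidrs(r) if n.prefixlen < 32]
    findings = []
    for p in policies:
        if not _has_bypass_trigger(p["spec"]):
            continue  # toEntities: world alone is not affected
        for rule in p["spec"].get("egress", []):
            for narrow in _cidrs(rule):
                for broad in denied:
                    if (narrow.version == broad.version and narrow.prefixlen > broad.prefixlen
                            and narrow.subnet_of(broad)):
                        findings.append((p["metadata"]["name"], str(broad), str(narrow)))
    return findings

SAMPLE_POLICIES = [  # constructed input: the advisory's 1.0.0.0/8 vs 1.1.1.x/32 case
    {"metadata": {"name": "deny-1-0-0-0-8"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "web"}},
              "egressDeny": [{"toCIDR": ["1.0.0.0/8"]}]}},
    {"metadata": {"name": "allow-default-deny-off"},  # affected: enableDefaultDeny.egress false
     "spec": {"endpointSelector": {"matchLabels": {"app": "web"}},
              "enableDefaultDeny": {"egress": False},
              "egress": [{"toCIDRSet": [{"cidr": "1.1.1.2/32"}]}]}},
    {"metadata": {"name": "allow-entity-all"},  # affected: toEntities: all
     "spec": {"endpointSelector": {"matchLabels": {"app": "web"}},
              "egress": [{"toCIDRSet": [{"cidr": "1.1.1.3/32"}]}, {"toEntities": ["all"]}]}},
    {"metadata": {"name": "allow-entity-world"},  # not affected: world is the recommended workaround
     "spec": {"endpointSelector": {"matchLabels": {"app": "web"}},
              "egress": [{"toCIDRSet": [{"cidr": "1.1.1.4/32"}]}, {"toEntities": ["world"]}]}},
]

if __name__ == "__main__":
    for name, broad, narrow in find_bypasses(SAMPLE_POLICIES):
        print(f"{name}: allow of {narrow} bypasses deny of {broad}")
```

Running it reports the two affected policies and stays silent on the one that already uses toEntities: world.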
The Cilium community worked together with members of Isovalent to prepare the mitigations. Special acknowledgment was given to @squeed, @christarazi, and @jrajahalme for their work in triaging and resolving this issue (GitHub Advisory).
Source: This report was generated using AI