CVE-2024-52529: 
Cilium vulnerability analysis and mitigation

Cilium, a networking, observability, and security solution with an eBPF-based dataplane, was found to have a vulnerability (CVE-2024-52529) affecting versions 1.16.0 through 1.16.3. The vulnerability was discovered and disclosed on November 25, 2024, impacting Layer 7 policy enforcement when using port range functionality (GitHub Advisory).

The vulnerability occurs in configurations where there is an allow policy that selects a Layer 3 destination and a port range AND a Layer 7 allow policy that selects a specific port within the first policy's range. In such cases, the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue specifically affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N (GitHub Advisory).

When exploited, the vulnerability allows requests to bypass intended Layer 7 policy restrictions. For example, in a configuration with both Layer 3/4 and Layer 7 policies, requests would be permitted to all HTTP paths on matching endpoints, rather than being restricted to specific paths as intended by the Layer 7 policy (GitHub Advisory).

The issue has been patched in Cilium v1.16.4 through PR #35150. As a workaround, users can rewrite any policies that use port ranges to individually specify the ports permitted for traffic instead of using port ranges. This workaround applies to network policies that match the vulnerable pattern (GitHub Advisory).