
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A high-severity vulnerability was discovered in Constellation (GHSA-g8fc-vrcg-8vjg) affecting versions prior to 2.16.3. The advisory was published on April 15, 2024, and updated on June 4, 2024. The issue allows actors outside the cluster but inside the cloud VPC to reach pods directly via their internal pod IP, even when those pods are not explicitly exposed through a Service of type LoadBalancer (GitHub Advisory).
The vulnerability stems from Cilium's configuration, which permits the 'world' entity to reach pods directly through their internal pod IP addresses. It particularly affects pods that lack client authentication and have no network policy excluding world traffic. The issue is classified as CWE-940 and rated High severity (GitHub Advisory).
The vulnerability can lead to leakage of sensitive data from pods that do not authenticate clients or lack an appropriate network policy. Any attacker positioned within the cloud VPC can potentially reach these pods directly, even when they are not meant to be externally accessible (GitHub Advisory).
The vulnerability has been patched in Constellation version 2.16.3. As a workaround, administrators can apply a CiliumClusterwideNetworkPolicy that denies all ingress from the world entity. This blunt approach blocks all external traffic, including legitimate requests, so more specific policies can instead be crafted that protect only the vulnerable pods. Either form is expressed with the Cilium network policy specification by denying ingress from the world entity (GitHub Advisory, Cilium Issue).
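The two workaround shapes described above, written out as an added example (this is not the advisory's or the Constellation project's own policy): a cluster-wide rule that denies all ingress from the Cilium "world" entity, followed by a narrower rule that protects only pods carrying a label. The policy name and the label `app.kubernetes.io/part-of: internal-api` are placeholders chosen for the example, not values from the page.

```yaml
# Added example, not from the advisory. Blunt workaround: deny ingress from the
# Cilium "world" entity to every endpoint in the cluster.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: deny-world-ingress            # placeholder name
spec:
  description: "Block all ingress from outside the cluster (world entity)"
  endpointSelector: {}                # empty selector = every endpoint
  ingressDeny:
    - fromEntities:
        - world
---
# Narrower variant: only pods matching an assumed label are protected, so
# LoadBalancer-exposed workloads elsewhere in the cluster keep working.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: deny-world-ingress-internal-api   # placeholder name
spec:
  description: "Block world ingress to pods without client authentication"
  endpointSelector:
    matchLabels:
      app.kubernetes.io/part-of: internal-api   # placeholder label
  ingressDeny:
    - fromEntities:
        - world
```

Apply with `kubectl apply -f <file>` and confirm the objects exist with `kubectl get ccnp`. Cilium evaluates deny rules before allow rules, so the cluster-wide variant also cuts off traffic that existing allow policies or LoadBalancer Services would otherwise admit, which is the trade-off the advisory notes; the labelled variant limits that effect to the pods that actually lack client authentication. Which traffic Cilium classifies as `world` rather than `cluster` depends on the installation's configuration, so test from a VPC host outside the cluster after applying the policy rather than assuming the classification.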
Source: This report was generated using AI