GHSA-wc5v-r48v-g4vh: 
vulnerability analysis and mitigation

A host policy bypass vulnerability was discovered in Cilium (GHSA-wc5v-r48v-g4vh) affecting versions <=1.10.12 and <=1.11.6. The vulnerability was published on July 15, 2022, and allows bypassing host policies specifically for IPv6 traffic originating from Cilium-managed pods and destined for the host-network namespace. The vulnerability only affects systems where IPv4, IPv6, endpoint routes, and host firewall are simultaneously enabled (GitHub Advisory).

The vulnerability stems from a typo in the host firewall tail call that can lead to executing IPv6 code for IPv4 packets when enforcing host policies for traffic from local pods. The issue occurs specifically when IPv4, IPv6, and endpoint routes are all enabled. The vulnerability has been assigned a CVSS score of 3.3 (Low severity) with the following metrics: Attack Vector: Local, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, and Availability: Low (GitHub Advisory).

The vulnerability's primary impact is the potential bypass of host policies for IPv6 traffic originating from Cilium-managed pods when communicating with the host-network namespace, such as host-network pods. It's worth noting that host policy enforcement on IPv4 traffic or traffic originating from outside the node remains unaffected. The vulnerability's impact is considered limited as endpoint routes are typically only enabled in specific environments like GKE, EKS, AKS, and OpenShift, where IPv6 is usually disabled, and host firewall is disabled by default (GitHub Advisory).

The vulnerability has been patched in Cilium versions v1.10.13 and v1.11.7. For users unable to upgrade immediately, a recommended workaround is to configure network policies for all pods that prevent them from sending arbitrary traffic to the local node. The fix was implemented through a commit addressing the typo in the host firewall tail call (GitHub Advisory, Cilium Commit).