CVE-2024-52529

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the first policy's range the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue only affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16. This issue is patched in PR #35150. This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive. This issue is patched in Cilium v1.16.4. Users are advised to upgrade. Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/cilium/cilium/pull/35150
https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67

Configurations

No configuration.

History

25 Nov 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-25 19:15

Updated : 2024-11-25 19:15

NVD link : CVE-2024-52529

Mitre link : CVE-2024-52529

CVE.ORG link : CVE-2024-52529

JSON object : View

Products Affected

No product.

CWE

CWE-755

Improper Handling of Exceptional Conditions

{"id": "CVE-2024-52529", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-11-25T19:15:11.373", "references": [{"url": "https://github.com/cilium/cilium/pull/35150", "source": "security-advisories@github.com"}, {"url": "https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67", "source": "security-advisories@github.com"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-755"}]}], "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For users with the following configuration: 1. An allow policy that selects a Layer 3 destination and a port range `AND` 2. A Layer 7 allow policy that selects a specific port within the first policy's range the Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy. This issue only affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16. This issue is patched in PR #35150. This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive. This issue is patched in Cilium v1.16.4. Users are advised to upgrade. Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic."}, {"lang": "es", "value": "Cilium es una soluci\u00f3n de redes, observabilidad y seguridad con un plano de datos basado en eBPF. Para los usuarios con la siguiente configuraci\u00f3n: 1. Una pol\u00edtica de permiso que selecciona un destino de Capa 3 y un rango de puertos `AND` 2. Una pol\u00edtica de permiso de Capa 7 que selecciona un puerto espec\u00edfico dentro del rango de la primera pol\u00edtica, la aplicaci\u00f3n de Capa 7 no se producir\u00eda para el tr\u00e1fico seleccionado por la pol\u00edtica de Capa 7. Este problema solo afecta a los usuarios que utilizan la funcionalidad de rango de puertos de Cilium, que se introdujo en Cilium v1.16. Este problema est\u00e1 corregido en PR #35150. Este problema afecta a Cilium v1.16 entre v1.16.0 y v1.16.3 inclusive. Este problema est\u00e1 corregido en Cilium v1.16.4. Se recomienda a los usuarios que actualicen. Los usuarios con pol\u00edticas de red que coincidan con el patr\u00f3n descrito anteriormente pueden solucionar el problema reescribiendo cualquier pol\u00edtica que utilice rangos de puertos para especificar individualmente los puertos permitidos para el tr\u00e1fico."}], "lastModified": "2024-11-25T19:15:11.373", "sourceIdentifier": "security-advisories@github.com"}