Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-27595 #1649

Closed
GoVulnBot opened this issue Mar 17, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-27595 #1649

GoVulnBot opened this issue Mar 17, 2023 · 1 comment
Assignees
@neild
Labels
duplicate

Comments

@GoVulnBot
Copy link

CVE-2023-27595 references github.com/cilium/cilium, which may be a Go module.

Description:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). This vulnerability is fixed in Cilium 1.13.1 or later. Cilium releases 1.12.x, 1.11.x, and earlier are not affected. There are no known workarounds.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/cilium/cilium
    packages:
      - package: cilium
description: |
    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In version 1.13.0, when Cilium is started, there is a short period when Cilium eBPF programs are not attached to the host. During this period, the host does not implement any of Cilium's featureset. This can cause disruption to newly established connections during this period due to the lack of Load Balancing, or can cause Network Policy bypass due to the lack of Network Policy enforcement during the window. This vulnerability impacts any Cilium-managed endpoints on the node (such as Kubernetes Pods), as well as the host network namespace (including Host Firewall). This vulnerability is fixed in Cilium 1.13.1 or later. Cilium releases 1.12.x, 1.11.x, and earlier are not affected. There are no known workarounds.
cves:
  - CVE-2023-27595
references:
  - web: https://github.com/cilium/cilium/releases/tag/v1.13.1
  - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-r5x6-w42p-jhpp
  - fix: https://github.com/cilium/cilium/pull/24336
@neild neild self-assigned this Mar 21, 2023
@neild neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Mar 21, 2023
@jba jba added duplicate and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Mar 21, 2023
@jba
Copy link
Contributor

jba commented Mar 21, 2023

Duplicate of #1644

@jba jba marked this as a duplicate of #1644 Mar 21, 2023
@tatianab tatianab closed this as completed Apr 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @tatianab @jba @GoVulnBot