x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922

GoVulnBot · 2024-06-13T18:01:10Z

CVE-2024-37307 references github.com/cilium/cilium, which may be a Go module.

Description:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.0 and prior to versions 1.13.7, 1.14.12, and 1.15.6, the output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled. Users of the TLS inspection, Ingress with TLS termination, Gateway API with TLS termination, and Kafka network policies with API key filtering features are affected. The sensitive data includes the CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API and the API keys used in Kafka-related network policy. cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster. This issue has been patched in Cilium v1.15.6, v1.14.12, and v1.13.17. There is no workaround to this issue.

References:

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-37307
JSON: https://github.com/CVEProject/cvelist/tree/271475c5fecb1dbaee25950f6507754c970aa410/2024/37xxx/CVE-2024-37307.json
advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37307
fix: cilium/cilium@0191b1e
fix: cilium/cilium@224e288
fix: cilium/cilium@9299c0f
fix: cilium/cilium@958d7b7
fix: cilium/cilium@9eb25ba
fix: cilium/cilium@bf9a1ae
web: GHSA-wh78-7948-358j
Imported by: https://pkg.go.dev/github.com/cilium/cilium?tab=importedby

Cross references:

Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-c66w-hq56-4q97 #393 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29178 #457 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2022-29179 #458 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-wc5v-r48v-g4vh #530 NOT_GO_CODE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-pfhr-pccp-hwmh #959 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-4hc4-pgfx-3mrx #1642 NOT_GO_CODE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-8fg8-jh2h-f2hc #1643 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-r5x6-w42p-jhpp #1644 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-29002 #1730 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-2h44-x2wx-49f4 #1785 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-34242 #1862 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-gj2r-phwg-6rww #2078 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-24m5-r6hv-ccgp #2079 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-4xp2-w642-7mcx #2080 EFFECTIVELY_PRIVATE
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-25630 #2568
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-25631 #2569
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-68mj-9pjq-mc85 #2653
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-j89h-qrvr-xc36 #2656
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-v6q2-4qr3-5cw6 #2657
Module github.com/cilium/cilium appears in issue x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-pwqm-x5x6-5586 #2666

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cilium/cilium
      vulnerable_at: 1.15.6
      packages:
        - package: cilium
summary: CVE-2024-37307 in github.com/cilium/cilium
cves:
    - CVE-2024-37307
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37307
    - fix: https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407
    - fix: https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a
    - fix: https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741
    - fix: https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653
    - fix: https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b
    - fix: https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61
    - web: https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j
source:
    id: CVE-2024-37307
    created: 2024-06-13T18:01:10.363020353Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-06-14T17:53:36Z

Change https://go.dev/cl/592765 mentions this issue: data/excluded,data/reports: add 10 reports

gopherbot · 2024-08-16T21:19:34Z

Change https://go.dev/cl/606359 mentions this issue: data/reports: regenerate 50 reports

- data/reports/GO-2024-2642.yaml - data/reports/GO-2024-2644.yaml - data/reports/GO-2024-2645.yaml - data/reports/GO-2024-2664.yaml - data/reports/GO-2024-2665.yaml - data/reports/GO-2024-2675.yaml - data/reports/GO-2024-2684.yaml - data/reports/GO-2024-2690.yaml - data/reports/GO-2024-2697.yaml - data/reports/GO-2024-2704.yaml - data/reports/GO-2024-2707.yaml - data/reports/GO-2024-2718.yaml - data/reports/GO-2024-2719.yaml - data/reports/GO-2024-2728.yaml - data/reports/GO-2024-2741.yaml - data/reports/GO-2024-2752.yaml - data/reports/GO-2024-2757.yaml - data/reports/GO-2024-2769.yaml - data/reports/GO-2024-2792.yaml - data/reports/GO-2024-2801.yaml - data/reports/GO-2024-2815.yaml - data/reports/GO-2024-2843.yaml - data/reports/GO-2024-2844.yaml - data/reports/GO-2024-2847.yaml - data/reports/GO-2024-2848.yaml - data/reports/GO-2024-2851.yaml - data/reports/GO-2024-2852.yaml - data/reports/GO-2024-2854.yaml - data/reports/GO-2024-2855.yaml - data/reports/GO-2024-2856.yaml - data/reports/GO-2024-2857.yaml - data/reports/GO-2024-2858.yaml - data/reports/GO-2024-2866.yaml - data/reports/GO-2024-2867.yaml - data/reports/GO-2024-2877.yaml - data/reports/GO-2024-2886.yaml - data/reports/GO-2024-2891.yaml - data/reports/GO-2024-2898.yaml - data/reports/GO-2024-2901.yaml - data/reports/GO-2024-2902.yaml - data/reports/GO-2024-2905.yaml - data/reports/GO-2024-2911.yaml - data/reports/GO-2024-2917.yaml - data/reports/GO-2024-2919.yaml - data/reports/GO-2024-2922.yaml - data/reports/GO-2024-2939.yaml - data/reports/GO-2024-2941.yaml - data/reports/GO-2024-2972.yaml - data/reports/GO-2024-2981.yaml - data/reports/GO-2024-2987.yaml Updates #2642 Updates #2644 Updates #2645 Updates #2664 Updates #2665 Updates #2675 Updates #2684 Updates #2690 Updates #2697 Updates #2704 Updates #2707 Updates #2718 Updates #2719 Updates #2728 Updates #2741 Updates #2752 Updates #2757 Updates #2769 Updates #2792 Updates #2801 Updates #2815 Updates #2843 Updates #2844 Updates #2847 Updates #2848 Updates #2851 Updates #2852 Updates #2854 Updates #2855 Updates #2856 Updates #2857 Updates #2858 Updates #2866 Updates #2867 Updates #2877 Updates #2886 Updates #2891 Updates #2898 Updates #2901 Updates #2902 Updates #2905 Updates #2911 Updates #2917 Updates #2919 Updates #2922 Updates #2939 Updates #2941 Updates #2972 Updates #2981 Updates #2987 Change-Id: I2dff127628eabc7c25afa4020c15a4d35a46a2c4 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606359 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com>

tatianab added the triaged label Jun 14, 2024

gopherbot closed this as completed in e0d78a2 Jun 20, 2024

This was referenced Aug 15, 2024

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42487 #3071

Closed

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42488 #3072

Closed

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-42486 #3074

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922

GoVulnBot commented Jun 13, 2024

gopherbot commented Jun 14, 2024

gopherbot commented Aug 16, 2024

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2024-37307 #2922

Comments

GoVulnBot commented Jun 13, 2024

gopherbot commented Jun 14, 2024

gopherbot commented Aug 16, 2024