Impact
Cilium allows outside actors (world
entity) to directly access pods with their internal pod IP, even if they are not exposed explicitly (e.g. via LoadBalancer
). A pod that does not authenticate clients and that does not exclude world
traffic via network policy may leak sensitive data to an attacker inside the cloud VPC.
Patches
The issue has been patched in v2.16.3.
Workarounds
This network policy excludes all world
traffic. It mitigates the problem, but will also block all desired external traffic. If vulnerable pods are known, a policy can be crafted to only firewall those instead (see also https://docs.cilium.io/en/stable/security/policy/language/#access-to-from-outside-cluster).
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
name: "from-world-to-role-public"
spec:
endpointSelector:
matchLabels: {}
# role: public
ingressDeny:
- fromEntities:
- world
References
The tracking bug for a Cilium-side fix is cilium/cilium#25626.
Impact
Cilium allows outside actors (
world
entity) to directly access pods with their internal pod IP, even if they are not exposed explicitly (e.g. viaLoadBalancer
). A pod that does not authenticate clients and that does not excludeworld
traffic via network policy may leak sensitive data to an attacker inside the cloud VPC.Patches
The issue has been patched in v2.16.3.
Workarounds
This network policy excludes all
world
traffic. It mitigates the problem, but will also block all desired external traffic. If vulnerable pods are known, a policy can be crafted to only firewall those instead (see also https://docs.cilium.io/en/stable/security/policy/language/#access-to-from-outside-cluster).References
The tracking bug for a Cilium-side fix is cilium/cilium#25626.