
fix(deps): update module github.com/cilium/cilium to v1.15.8 [security] (main) #2807

Merged

Conversation

@cilium-renovate cilium-renovate bot (Contributor) commented Aug 16, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/cilium/cilium | require | patch | v1.15.7 -> v1.15.8 |

GitHub Vulnerability Alerts

CVE-2024-42488

Impact

A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/33511.

This issue affects:

  • All versions of Cilium before v1.14.14
  • Cilium v1.15 between v1.15.0 and v1.15.7 inclusive

This issue has been patched in:

  • Cilium v1.14.14
  • Cilium v1.15.8

Workarounds

As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.

Acknowledgements

The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2024-42487

Impact

Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule).

If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/34109.

This issue affects:

  • Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
  • Cilium v1.16.0

This issue is fixed in:

  • Cilium v1.15.8
  • Cilium v1.16.1

Workarounds

There is no workaround for this issue.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.

Further information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2024-42486

Impact

Due to ReferenceGrant changes not being immediately propagated in Cilium's GatewayAPI controller, Gateway resources are able to access secrets in other namespaces after the associated ReferenceGrant has been revoked. This can lead to Gateways continuing to establish sessions using secrets that they should no longer have access to.

Patches

This issue was resolved in https://github.com/cilium/cilium/pull/34032.

This issue affects:

  • Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
  • Cilium v1.16.0

This issue has been patched in:

  • Cilium v1.15.8
  • Cilium v1.16.1

Workarounds

Any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any of these resources) will trigger a reconciliation of ReferenceGrants on an affected cluster.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.


Gateway API route matching order contradicts specification in github.com/cilium/cilium

BIT-cilium-2024-42487 / BIT-cilium-operator-2024-42487 / BIT-hubble-relay-2024-42487 / CVE-2024-42487 / GHSA-qcm3-7879-xcww / GO-2024-3071

More information

Details

Gateway API route matching order contradicts specification in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API

BIT-cilium-2024-42486 / BIT-cilium-operator-2024-42486 / BIT-hubble-relay-2024-42486 / CVE-2024-42486 / GHSA-vwf8-q6fw-4wcm / GO-2024-3074

More information

Details

Same advisory text as the CVE-2024-42486 entry in the GitHub Vulnerability Alerts section above.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

BIT-cilium-2024-42488 / BIT-cilium-operator-2024-42488 / BIT-hubble-relay-2024-42488 / CVE-2024-42488 / GHSA-q7w8-72mr-vpgw / GO-2024-3072

More information

Details

Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Gateway API route matching order contradicts specification

BIT-cilium-2024-42487 / BIT-cilium-operator-2024-42487 / BIT-hubble-relay-2024-42487 / CVE-2024-42487 / GHSA-qcm3-7879-xcww / GO-2024-3071

More information

Details

Same advisory text as the CVE-2024-42487 entry in the GitHub Vulnerability Alerts section above.

Severity

  • CVSS Score: 4.0 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Policy bypass for Host Firewall policy due to race condition in Cilium agent

BIT-cilium-2024-42488 / BIT-cilium-operator-2024-42488 / BIT-hubble-relay-2024-42488 / CVE-2024-42488 / GHSA-q7w8-72mr-vpgw / GO-2024-3072

More information

Details

Same advisory text as the CVE-2024-42488 entry in the GitHub Vulnerability Alerts section above.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium

BIT-cilium-2024-42486 / BIT-cilium-operator-2024-42486 / BIT-hubble-relay-2024-42486 / CVE-2024-42486 / GHSA-vwf8-q6fw-4wcm / GO-2024-3074

More information

Details

Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.15.8: 1.15.8

Compare Source

Security Advisories

This release addresses the following security vulnerabilities:

Summary of Changes

Minor Changes:

Bugfixes:

  • add support for validation of stringToString values in ConfigMap (Backport PR #33962, Upstream PR #33779, @alex-berger)
  • auth: Fix data race in Upsert (Backport PR #34157, Upstream PR #33905, @chaunceyjiang)
  • auth: fix fatal error: concurrent map iteration and map write (Backport PR #33809, Upstream PR #33634, @chaunceyjiang)
  • cert: Adding H2 Protocol Support when Get gRPC Config For Client (Backport PR #33809, Upstream PR #33616, @mrproliu)
  • DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR #33809, Upstream PR #33592, @gandro)
  • Fix an issue in updates to node addresses which may have caused missing NodePort frontend IP addresses. May have affected NodePort/LoadBalancer services for users running with runtime device detection enabled when node's IP addresses were changed after Cilium had started.
    Node IP as defined in the Kubernetes Node is now preferred when selecting the NodePort frontend IPs. (Backport PR #33818, Upstream PR #33629, @joamaki)
  • Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR #34183, Upstream PR #34091, @giorio94)
  • Fix issue in picking node IP addresses from the loopback device. This fixes a regression in v1.15 and v1.16 where VIPs assigned to the lo device were not considered by Cilium.
    Fix spurious updates node addresses to avoid unnecessary datapath reinitializations. (Backport PR #34086, Upstream PR #34012, @joamaki)
  • Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR #33809, Upstream PR #33735, @giorio94)
  • Fixes a race condition during agent startup that causes the k8s node label updates to not get propagated to the host endpoint. (Backport PR #33663, Upstream PR #33511, @skmatti)
  • gateway-api: Add HTTP method condition in sortable routes (Backport PR #34157, Upstream PR #34109, @sayboras)
  • gateway-api: Enqueue gateway for Reference Grant changes (Backport PR #34157, Upstream PR #34032, @sayboras)
  • helm: remove duplicate metrics for Envoy pod (Backport PR #34157, Upstream PR #33803, @mhofstetter)
  • lbipam: fixed bug in sharing key logic (Backport PR #34157, Upstream PR #34106, @dylandreimerink)
  • pkg/metrics: fix data race warning on metrics init hook. (Backport PR #33962, Upstream PR #33823, @tommyp1ckles)
  • Reduce conntrack lifetime for closing service connections. (Backport PR #33962, Upstream PR #33907, @julianwiedmann)
  • Skip regenerating host endpoint on k8s node labels update if identity labels are unchanged (Backport PR #33809, Upstream PR #33306, @skmatti)
  • The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR #34157, Upstream PR #33666, @bimmlerd)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

  • cilium: quay.io/cilium/cilium:v1.15.8@sha256:3b5b0477f696502c449eaddff30019a7d399f077b7814bcafabc636829d194c7
  • clustermesh-apiserver: quay.io/cilium/clustermesh-apiserver:v1.15.8@sha256:4c1f33aae2b76392b57e867820471b5472f0886f7358513d47ee80c09af15a0e
  • docker-plugin: quay.io/cilium/docker-plugin:v1.15.8@sha256:15b1b6e83e1c0eea97df179660c1898661c1d0da5d431c68f98c702581e29310
  • hubble-relay: quay.io/cilium/hubble-relay:v1.15.8@sha256:47e8a19f60d0d226ec3d2c675ec63908f1f2fb936a39897f2e3255b3bab01ad6
  • operator-alibabacloud: quay.io/cilium/operator-alibabacloud:v1.15.8@sha256:388ef72febd719bc9d16d5ee47fe6f846f73f0d8a6f9586ada04cb39eb2962d1
  • operator-aws: quay.io/cilium/operator-aws:v1.15.8@sha256:3807dd23c2b5f90489824ddd13dca6e84e714dc9eae44e5718acfe86c855b7a1
  • operator-azure: quay.io/cilium/operator-azure:v1.15.8@sha256:c517db3d12fcf038a9a4a81b88027a19672078bf8c2fcd6b2563f3eff9514d21
  • operator-generic: quay.io/cilium/operator-generic:v1.15.8@sha256:e77ae6fc8a978f98363cf74d3c883dfaa6454c6e23ec417a60952f29408e2f18
  • operator: quay.io/cilium/operator:v1.15.8@sha256:e9cf35fe3dc86933ccf3fdfdb7620d218c50aaca5f14e4ba5f422460ea4cb23c


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
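The match-precedence problem from the CVE-2024-42487 advisory in the PR description above, reduced to a small Go model. This is an added example, not Cilium's code or the fix from PR #34109: the names routeRule, score, matches and SelectBackend, the constructed rules and backends, and the assumption that all rules share the same path match are mine. With the spec order a rule carrying a method condition outranks one carrying only header conditions; with the pre-v1.15.8 order the same request lands on the other backend.

```go
package main

import "fmt"

// routeRule is a constructed, simplified model of one HTTPRouteRule match and its
// backend (not Cilium's type); all rules are assumed to share the same path match.
type routeRule struct {
	Backend string
	Method  string            // "" when the rule has no method condition
	Headers map[string]string // required header values; empty when none
}

// score ranks a rule (higher wins). methodFirst=true is the spec order: a method
// condition outranks any number of header conditions. methodFirst=false is the
// pre-v1.15.8 order from CVE-2024-42487: header count first. Assumes <1000 headers.
func score(r routeRule, methodFirst bool) int {
	hasMethod := 0
	if r.Method != "" {
		hasMethod = 1
	}
	if methodFirst {
		return hasMethod*1000 + len(r.Headers)
	}
	return len(r.Headers)*1000 + hasMethod
}

// matches reports whether a request satisfies every condition of the rule.
func matches(r routeRule, method string, headers map[string]string) bool {
	if r.Method != "" && r.Method != method {
		return false
	}
	for name, want := range r.Headers {
		if headers[name] != want {
			return false
		}
	}
	return true
}

// SelectBackend returns the backend of the highest-scoring rule the request
// matches (earlier rule wins a tie), or "" when no rule matches.
func SelectBackend(rules []routeRule, methodFirst bool, method string, headers map[string]string) string {
	best, bestScore := "", -1
	for _, r := range rules {
		if s := score(r, methodFirst); s > bestScore && matches(r, method, headers) {
			best, bestScore = r.Backend, s
		}
	}
	return best
}

// sampleRules is constructed: one rule keyed on GET, one on two headers, each
// routing to a different backend.
var sampleRules = []routeRule{
	{Backend: "orders-api", Method: "GET"},
	{Backend: "debug-backend", Headers: map[string]string{"x-tenant": "internal", "x-debug": "1"}},
}

func main() {
	hdrs := map[string]string{"x-tenant": "internal", "x-debug": "1"}
	fmt.Println("spec order: ", SelectBackend(sampleRules, true, "GET", hdrs))  // orders-api
	fmt.Println("buggy order:", SelectBackend(sampleRules, false, "GET", hdrs)) // debug-backend
}
```

A request that satisfies both rules is the case the advisory describes: under the spec order it reaches orders-api, under the old order debug-backend, which is why a backend that relies on routing alone (no Network Policy of its own) can receive traffic it was never meant to see.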

@cilium-renovate cilium-renovate bot requested a review from a team as a code owner August 16, 2024 09:19
@cilium-renovate cilium-renovate bot added release-blocker This PR or issue is blocking the next release. release-note/dependency This PR updates one or multiple dependencies labels Aug 16, 2024
@cilium-renovate cilium-renovate bot requested a review from kevsecurity August 16, 2024 09:19
@cilium-renovate cilium-renovate bot (Contributor, Author) commented Aug 16, 2024

ℹ Artifact update notice

File name: pkg/k8s/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 9 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/go-logr/logr | v1.4.1 -> v1.4.2 |
| golang.org/x/mod | v0.14.0 -> v0.17.0 |
| golang.org/x/net | v0.23.0 -> v0.26.0 |
| golang.org/x/oauth2 | v0.16.0 -> v0.20.0 |
| golang.org/x/sys | v0.18.0 -> v0.21.0 |
| golang.org/x/term | v0.18.0 -> v0.21.0 |
| golang.org/x/text | v0.14.0 -> v0.16.0 |
| golang.org/x/tools | v0.16.1 -> v0.21.1-0.20240508182429-e35e4ccd0d2d |
| google.golang.org/protobuf | v1.33.0 -> v1.34.2 |

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 7 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/go-logr/logr | v1.4.1 -> v1.4.2 |
| github.com/rogpeppe/go-internal | v1.11.0 -> v1.12.0 |
| go.opentelemetry.io/otel | v1.24.0 -> v1.28.0 |
| go.opentelemetry.io/otel/metric | v1.24.0 -> v1.28.0 |
| go.opentelemetry.io/otel/trace | v1.24.0 -> v1.28.0 |
| google.golang.org/genproto/googleapis/api | v0.0.0-20240604185151-ef581f913117 -> v0.0.0-20240701130421-f6361c86f094 |
| google.golang.org/genproto/googleapis/rpc | v0.0.0-20240604185151-ef581f913117 -> v0.0.0-20240701130421-f6361c86f094 |

@cilium-renovate cilium-renovate bot force-pushed the renovate/main-go-github.com-cilium-cilium-vulnerability branch from 45b170e to cb7be03 Compare August 16, 2024 11:14
@kevsecurity (Contributor) commented:

@mtardy is working on upgrading the Cilium dependency independently.

@cilium-renovate cilium-renovate bot (Contributor, Author) commented:

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.15.8). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@cilium-renovate cilium-renovate bot deleted the renovate/main-go-github.com-cilium-cilium-vulnerability branch August 19, 2024 10:09
@mtardy mtardy restored the renovate/main-go-github.com-cilium-cilium-vulnerability branch September 2, 2024 14:35
@mtardy mtardy reopened this Sep 2, 2024
@mtardy mtardy removed the request for review from kevsecurity September 2, 2024 14:47
@mtardy mtardy self-assigned this Sep 2, 2024
@cilium-renovate cilium-renovate bot force-pushed the renovate/main-go-github.com-cilium-cilium-vulnerability branch from cb7be03 to 79db22a Compare September 2, 2024 14:49
Co-authored-by: Mahe Tardy <[email protected]>
Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
@mtardy mtardy force-pushed the renovate/main-go-github.com-cilium-cilium-vulnerability branch from 79db22a to 8469dca Compare September 2, 2024 15:01
@mtardy (Member) left a comment:

Let's merge it before we have 1.16.1 working! (i.e. reapply #2820)

@mtardy mtardy merged commit b53dee5 into main Sep 2, 2024
43 checks passed
@mtardy mtardy deleted the renovate/main-go-github.com-cilium-cilium-vulnerability branch September 2, 2024 15:53