fix(deps): update module github.com/cilium/cilium to v1.14.12 [security] #480
+9
−2
This PR contains the following updates:
github.com/cilium/cilium: v1.14.6 -> v1.14.12
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-25630
Impact
For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, responses from pods to the Ingress and health endpoints are not encrypted. Traffic from the Ingress and health endpoints to pods is not affected by this issue. The health endpoint is only used for Cilium's internal health checks.
Patches
This issue affects Cilium v1.14 before v1.14.7.
This issue has been patched in Cilium v1.14.7.
Workarounds
There is no workaround to this issue - affected users are encouraged to upgrade.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @gandro for their work on triaging and remediating this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.
CVE-2024-25631
Impact
For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted.
Patches
This issue affects Cilium v1.14 before v1.14.7.
This issue has been patched in Cilium v1.14.7.
Workarounds
There is no workaround to this issue - affected users are encouraged to upgrade.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @giorio94 and @gandro for their work on triaging and remediating this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.
CVE-2024-28248
Impact
Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.
Patches
This issue affects:
This issue has been patched in:
Workarounds
There is no workaround for this issue – affected users are strongly encouraged to upgrade.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @romikps for discovering and reporting this issue, and @sayboras and @jrajahalme for preparing the fix.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium internal security team, and your report will be treated as top priority.
CVE-2024-28249
Impact
In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:
Note: For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by a L7 Egress Network Policy or a DNS Policy. This is a known limitation of Cilium's IPsec encryption which will continue to apply after upgrading to the latest Cilium versions described below.
Patches
This issue affects:
This issue has been resolved in:
Workarounds
There is no workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @jschwinger233, @julianwiedmann, @giorio94, and @jrajahalme for their work in triaging and resolving this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at security@cilium.io. This is a private mailing list that only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.
CVE-2024-28250
Impact
In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:
Patches
This issue affects:
(routingMode=native):
(routingMode=tunnel): encryption.wireguard.encapsulate is set to false (default).
This issue has been resolved in:
(routingMode=native):
(routingMode=tunnel): encryption.wireguard.encapsulate must be set to true.
Workarounds
There is no workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @brb, @giorio94, @gandro and @jschwinger233 for their work on triaging and remediating this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.
CVE-2024-28860
Impact
Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective.
In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker:
These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks.
Important: After upgrading, users must perform a key rotation using the instructions here to ensure that they are no longer vulnerable to this issue. Please note that the key rotation instructions have recently been updated, and users must use the new instructions to properly establish secure IPsec tunnels. To validate that the new instructions have been followed properly, ensure that the IPsec Kubernetes secret contains a "+" sign.
Patches
All prior versions of Cilium that support IPsec transparent encryption (Cilium 1.4 onwards) are affected by this issue.
Patched versions:
Workarounds
There is no workaround to this issue. IPsec transparent encryption users are strongly encouraged to upgrade.
Acknowledgements
The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @NikAleksandrov and @pchaigno for their work on remediating the issue. Thanks to Marsh Ray, Senior Software Developer at Microsoft, for input and guidance on the fix.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.
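The advisory's post-upgrade validation step is that the IPsec Kubernetes secret contains a "+" sign. As an added example (not part of the advisory or of the Cilium project's code), here is a POSIX shell check for that condition. It assumes the secret's "keys" entry holds a line of the form "SPI algorithm hex-key bits", where the fixed per-tunnel format appends "+" to the SPI field, and it assumes the default secret name and namespace from the Cilium documentation (cilium-ipsec-keys in kube-system); the sample key lines and their hex material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Cilium project code: check whether an IPsec key line
# uses the per-tunnel key format that the CVE-2024-28860 fix relies on.
# Assumption: the secret's "keys" entry is one line of the form
#   <SPI>[+] <algorithm> <hex key> <key size in bits>
# and the "+" suffix on the SPI field marks the rotated (per-tunnel) format.

# Returns 0 when the SPI field ends in "+", 1 otherwise (including empty input).
ipsec_key_uses_per_tunnel_format() {
  key_line="$1"
  [ -n "$key_line" ] || return 1
  # First whitespace-separated field is the SPI (no external tools needed).
  spi="${key_line%% *}"
  case "$spi" in
    *+) return 0 ;;
    *)  return 1 ;;
  esac
}

# Live check against the running cluster. Assumes the secret name, namespace
# and data key used by the Cilium docs (cilium-ipsec-keys / kube-system / keys).
# Skips cleanly when kubectl is not installed so the script also runs offline.
check_cluster_ipsec_secret() {
  if ! command -v kubectl >/dev/null 2>&1; then
    echo "kubectl not found; skipping live cluster check"
    return 0
  fi
  key_line=$(kubectl -n kube-system get secret cilium-ipsec-keys \
    -o jsonpath='{.data.keys}' | base64 -d)
  if ipsec_key_uses_per_tunnel_format "$key_line"; then
    echo "OK: IPsec secret uses the per-tunnel key format"
    return 0
  fi
  echo "WARNING: IPsec secret still uses the legacy key format; rotate the key"
  return 1
}

# Constructed sample lines (the hex key material is a placeholder, not a real key).
LEGACY_KEY='3 rfc4106(gcm(aes)) 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 128'
ROTATED_KEY='4+ rfc4106(gcm(aes)) 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 128'

# Usage: "sh check.sh --cluster" inspects the live secret; with no arguments
# the script only exercises the parser on the constructed samples.
if [ "${1:-}" = "--cluster" ]; then
  check_cluster_ipsec_secret
else
  ipsec_key_uses_per_tunnel_format "$ROTATED_KEY" && echo "rotated sample: per-tunnel format"
  ipsec_key_uses_per_tunnel_format "$LEGACY_KEY" || echo "legacy sample: flagged as legacy format"
fi
```

The parser deliberately treats an empty or whitespace-led secret as a failure rather than as "no legacy key found", so a missing or malformed secret is surfaced instead of silently passing the check.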
CVE-2024-37307
Impact
The output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled. Users of the following features are affected:
The sensitive data includes:
cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.
Patches
This issue affects:
This issue has been patched in:
Workarounds
There is no workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @sayboras for their work on triaging and remediating this issue.
For more information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
Release Notes
cilium/cilium (github.com/cilium/cilium)
v1.14.12: 1.14.12 (Compare Source)
We are pleased to release Cilium v1.14.12 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! ❤️
Summary of Changes
Minor Changes:
Bugfixes:
hubble.ui.securityContext.enabled from hubble-ui deployment template (Backport PR #32888, Upstream PR #32338, @stelucz)
CI Changes:
workflow_dispatch event. (Backport PR #32503, Upstream PR #31424, @learnitall)
Misc Changes:
16438a8 (v1.14) (#32636, @renovate[bot])
19478ce (v1.14) (#32924, @renovate[bot])
a6d2b38 (v1.14) (#32369, @renovate[bot])
Other Changes:
v1.14.12
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.12@sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c
quay.io/cilium/cilium:v1.14.12@sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.12@sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92
quay.io/cilium/clustermesh-apiserver:v1.14.12@sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92
docker-plugin
docker.io/cilium/docker-plugin:v1.14.12@sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107
quay.io/cilium/docker-plugin:v1.14.12@sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107
hubble-relay
docker.io/cilium/hubble-relay:v1.14.12@sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574
quay.io/cilium/hubble-relay:v1.14.12@sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574
kvstoremesh
docker.io/cilium/kvstoremesh:v1.14.12@sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565
quay.io/cilium/kvstoremesh:v1.14.12@sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.12@sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c
quay.io/cilium/operator-alibabacloud:v1.14.12@sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c
operator-aws
docker.io/cilium/operator-aws:v1.14.12@sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe
quay.io/cilium/operator-aws:v1.14.12@sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe
operator-azure
docker.io/cilium/operator-azure:v1.14.12@sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd
quay.io/cilium/operator-azure:v1.14.12@sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd
operator-generic
docker.io/cilium/operator-generic:v1.14.12@sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6
quay.io/cilium/operator-generic:v1.14.12@sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6
operator
docker.io/cilium/operator:v1.14.12@sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262
quay.io/cilium/operator:v1.14.12@sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262
v1.14.11: 1.14.11 (Compare Source)
We are pleased to release Cilium v1.14.11.
This release brings us reducing pressure on the BPF connection tracking and NAT maps, as well as fixes for failing service connections, HostFirewall policy updates and many more.
Security Advisories
This release addresses following security vulnerabilities:
Summary of Changes
Minor Changes:
Bugfixes:
agent-not-ready taint too early if the primary network is slow in deploying. (Backport PR #32251, Upstream PR #32168, @squeed)
CI Changes:
Misc Changes:
81811f8 (v1.14) (#31995, @renovate[bot])
Other Changes:
v1.14.10: 1.14.10 (Compare Source)
We are pleased to announce the release of Cilium v1.14.10.
This release includes hubble metrics when using cilium sysdump, and a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.
Security Advisories
This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm
Summary of Changes
Minor Changes:
Bugfixes:
cilium-health-ep controller (Backport PR #31724, Upstream PR #31622, @gandro)
Potentially it could have impacted connectivity in large clusters (>4k nodes) with IPSec or Mutual Auth enabled. Otherwise, it was merely generating unnecessary error log messages. (Backport PR #31656, Upstream PR #31380, @marseel)
CI Changes:
Misc Changes:
f41b84c (v1.14) (#31748, @renovate[bot])
No node ID found drops in case of remote node deletion (Backport PR #31724, Upstream PR #31635, @pchaigno)
Other Changes:
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.10@sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798
quay.io/cilium/clustermesh-apiserver:v1.14.10@sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798
docker-plugin
docker.io/cilium/docker-plugin:v1.14.10@sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda
quay.io/cilium/docker-plugin:v1.14.10@sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda
hubble-relay
docker.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0
quay.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.10@sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14
quay.io/cilium/operator-alibabacloud:v1.14.10@sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14
operator-aws
docker.io/cilium/operator-aws:v1.14.10@sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6
quay.io/cilium/operator-aws:v1.14.10@sha256:72440
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.