fix(deps): update module github.com/cilium/cilium to v1.14.12 [security] #480

Open. Wants to merge 1 commit into base: main

Conversation

renovate[bot]

@renovate renovate bot commented Feb 21, 2024

Mend Renovate

This PR contains the following updates:

Package: github.com/cilium/cilium
Change: v1.14.6 -> v1.14.12

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-25630

Impact

For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, responses from pods to the Ingress and health endpoints are not encrypted. Traffic from the Ingress and health endpoints to pods is not affected by this issue. The health endpoint is only used for Cilium's internal health checks.

Patches

This issue affects Cilium v1.14 before v1.14.7.

This issue has been patched in Cilium v1.14.7.

Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @gandro for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.

CVE-2024-25631

Impact

For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted.

Patches

This issue affects Cilium v1.14 before v1.14.7.

This issue has been patched in Cilium v1.14.7.

Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @giorio94 and @gandro for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a related vulnerability, we strongly encourage you to report it to our private security mailing list at security@cilium.io. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.

CVE-2024-28248

Impact

Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.

Patches

This issue affects:

  • Cilium v1.13 between v1.13.9 and v1.13.12 inclusive
  • Cilium v1.14 between v1.14.0 and v1.14.7 inclusive
  • Cilium v1.15.0 and v1.15.1

This issue has been patched in:

  • Cilium v1.15.2
  • Cilium v1.14.8
  • Cilium v1.13.13

Workarounds

There is no workaround for this issue – affected users are strongly encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @romikps for discovering and reporting this issue, and @sayboras and @jrajahalme for preparing the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium internal security team, and your report will be treated as top priority.

CVE-2024-28249

Impact

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:

  • Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted
  • Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted

Note: For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by a L7 Egress Network Policy or a DNS Policy. This is a known limitation of Cilium's IPsec encryption which will continue to apply after upgrading to the latest Cilium versions described below.

Patches

This issue affects:

  • Cilium v1.15 before v1.15.2
  • Cilium v1.14 before v1.14.8
  • Cilium v1.13 before v1.13.13
  • Cilium v1.4 to v1.12 inclusive

This issue has been resolved in:

  • Cilium v1.15.2
  • Cilium v1.14.8
  • Cilium v1.13.13

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @jschwinger233, @julianwiedmann, @giorio94, and @jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at security@cilium.io. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.

CVE-2024-28250

Impact

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:

  • Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes.
  • Traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

Patches

This issue affects:

  • In native routing mode (routingMode=native):
    • Cilium v1.14 versions before v1.14.8
    • Cilium v1.15 versions before v1.15.2
  • In tunneling mode (routingMode=tunnel):
    • Cilium v1.14 versions before v1.14.4
    • Cilium v1.14.4 if encryption.wireguard.encapsulate is set to false (default).

This issue has been resolved in:

  • In native routing mode (routingMode=native):
    • Cilium v1.14.8
    • Cilium v1.15.2
  • In tunneling mode (routingMode=tunnel):
    • Cilium v1.14.4. NOTE encryption.wireguard.encapsulate must be set to true.

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @brb, @giorio94, @gandro and @jschwinger233 for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a related vulnerability, we strongly encourage you to report it to our private security mailing list at security@cilium.io. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.

CVE-2024-28860

Impact

Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective.

In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker:

  • Chosen plaintext attacks
  • Key recovery attacks
  • Replay attacks

These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks.

Important: After upgrading, users must perform a key rotation using the instructions here to ensure that they are no longer vulnerable to this issue. Please note that the key rotation instructions have recently been updated, and users must use the new instructions to properly establish secure IPsec tunnels. To validate that the new instructions have been followed properly, ensure that the IPsec Kubernetes secret contains a "+" sign.

Patches

All prior versions of Cilium that support IPsec transparent encryption (Cilium 1.4 onwards) are affected by this issue.

Patched versions:

  • Cilium 1.15.3
  • Cilium 1.14.9
  • Cilium 1.13.14

Workarounds

There is no workaround to this issue. IPsec transparent encryption users are strongly encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @NikAleksandrov and @pchaigno for their work on remediating the issue. Thanks to Marsh Ray, Senior Software Developer at Microsoft, for input and guidance on the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

As usual, if you think you have found a related vulnerability, we strongly encourage you to report it to our private security mailing list at security@cilium.io first, before disclosing it in any public forum. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and reports are treated as top priority.

CVE-2024-37307

Impact

The output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled.

Users of the following features are affected:

The sensitive data includes:

  • The CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API
  • The API keys used in Kafka-related network policy

cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.

Patches

This issue affects:

  • Cilium v1.13 between v1.13.0 and v1.13.16 inclusive
  • Cilium v1.14 between v1.14.0 and v1.14.11 inclusive
  • Cilium v1.15 between v1.15.0 and v1.15.5 inclusive

This issue has been patched in:

  • Cilium v1.15.6
  • Cilium v1.14.12
  • Cilium v1.13.17

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @sayboras for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.


Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.14.12: 1.14.12


We are pleased to release Cilium v1.14.12 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! ❤️

Summary of Changes

Minor Changes:

  • (v1.14) Generate SBOMs using Syft instead of bom (#32750, @ferozsalam)
  • Improved background resynchronization of nodes. Before, all nodes were updated at the same time; now updates are spread over time to average out CPU usage. (Backport PR #32874, Upstream PR #32577, @marseel)
  • Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR #32571, Upstream PR #32336, @giorio94)
  • ipsec: Improve CPU usage of cilium-agent in large clusters (Backport PR #32883, Upstream PR #32588, @marseel)
  • pkg/labels: print all leaf CIDRs, not just the last one. (Backport PR #32511, Upstream PR #28224, @squeed)


Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.12@sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c
quay.io/cilium/cilium:v1.14.12@sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.12@sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92
quay.io/cilium/clustermesh-apiserver:v1.14.12@sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92

docker-plugin

docker.io/cilium/docker-plugin:v1.14.12@sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107
quay.io/cilium/docker-plugin:v1.14.12@sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107

hubble-relay

docker.io/cilium/hubble-relay:v1.14.12@sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574
quay.io/cilium/hubble-relay:v1.14.12@sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.12@sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565
quay.io/cilium/kvstoremesh:v1.14.12@sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.12@sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c
quay.io/cilium/operator-alibabacloud:v1.14.12@sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c

operator-aws

docker.io/cilium/operator-aws:v1.14.12@sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe
quay.io/cilium/operator-aws:v1.14.12@sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe

operator-azure

docker.io/cilium/operator-azure:v1.14.12@sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd
quay.io/cilium/operator-azure:v1.14.12@sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd

operator-generic

docker.io/cilium/operator-generic:v1.14.12@sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6
quay.io/cilium/operator-generic:v1.14.12@sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6

operator

docker.io/cilium/operator:v1.14.12@sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262
quay.io/cilium/operator:v1.14.12@sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262

v1.14.11: 1.14.11


We are pleased to release Cilium v1.14.11.

This release reduces pressure on the BPF connection tracking and NAT maps, and brings fixes for failing service connections, HostFirewall policy updates and many more.

Security Advisories

This release addresses the following security vulnerabilities:

Summary of Changes


v1.14.10: 1.14.10


We are pleased to announce the release of Cilium v1.14.10.

This release includes hubble metrics when using cilium sysdump, and a fix to an issue with overlapping keys that may have affected the ability to recover from a full Service map. Bugfixes include improved behavior for overlapping and restored DNS policies, a fix to a race condition in Service updates for L7 LB, and a fix to the retry logic in the cilium health controllers.

Security Advisories

This release addresses a security vulnerability. For more information, see GHSA-j654-3ccm-vfmm

Summary of Changes

Minor Changes:

  • bugtool: Collect hubble metrics (Backport PR #31888, Upstream PR #31533, @chancez)
  • Fix overlapping keys in agent-side service BPF map cache used for retries. In rare cases this bug may have caused retrying of a failed BPF map update for a services entry to be skipped, leading to a missing entry. This may have, for example, adversely affected recovering from a full BPF service map after excess services were removed. (Backport PR #31888, Upstream PR #29581, @xyz-li)
  • Update to Envoy 1.27.0, run cilium-envoy process without any privileges. (Backport PR #31007, Upstream PR #27498, @jrajahalme)


Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031
quay.io/cilium/cilium:v1.14.10@sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.10@sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798
quay.io/cilium/clustermesh-apiserver:v1.14.10@sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798

docker-plugin

docker.io/cilium/docker-plugin:v1.14.10@sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda
quay.io/cilium/docker-plugin:v1.14.10@sha256:8aa57cb38a30dbe56345b5d549054beaea96a210c15a1e4ca5224b4f858cdcda

hubble-relay

docker.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0
quay.io/cilium/hubble-relay:v1.14.10@sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.10@sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14
quay.io/cilium/operator-alibabacloud:v1.14.10@sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14

operator-aws

docker.io/cilium/operator-aws:v1.14.10@sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6
`quay.io/cilium/operator-aws:v1.14.10@​sha256:72440


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
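The advisories quoted in this PR body give their affected ranges as prose lists, and CVE-2024-28860 adds a post-rotation check (the IPsec secret must contain a "+"). The following is an added triage helper, written for this page; it is not code from the Cilium project or from Renovate. It transcribes the "Patches" sections above into half-open version ranges, reports which advisories apply to a given Cilium release and which release fixes each, and implements the "+" check on the decoded secret value. CVE-2024-28250 is modelled for native routing mode only, since its tunnel-mode exposure depends on encryption.wireguard.encapsulate. The sample secret values and their line layout are constructed assumptions; only the presence of "+" in the decoded value matters for the check.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed Cilium release tag such as "v1.14.7".
type version struct{ major, minor, patch int }

// parseVersion accepts "v1.14.7" or "1.14.7"; pre-release suffixes are rejected.
func parseVersion(s string) (version, error) {
	parts := strings.Split(strings.TrimPrefix(s, "v"), ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("version %q: want MAJOR.MINOR.PATCH", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("version %q: bad component %q", s, p)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

// less reports whether v sorts before o.
func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// vulnRange is a half-open interval [lo, fixedIn): every release from lo up to,
// but not including, the fixing release is affected.
type vulnRange struct{ lo, fixedIn string }

type advisory struct {
	id     string
	ranges []vulnRange
}

// advisories transcribes the "Patches" sections of the advisories on this page.
// CVE-2024-28250 is native-routing-mode only (tunnel mode is not encoded).
var advisories = []advisory{
	{"CVE-2024-25630", []vulnRange{{"v1.14.0", "v1.14.7"}}},
	{"CVE-2024-25631", []vulnRange{{"v1.14.0", "v1.14.7"}}},
	{"CVE-2024-28248", []vulnRange{{"v1.13.9", "v1.13.13"}, {"v1.14.0", "v1.14.8"}, {"v1.15.0", "v1.15.2"}}},
	{"CVE-2024-28249", []vulnRange{{"v1.4.0", "v1.13.13"}, {"v1.14.0", "v1.14.8"}, {"v1.15.0", "v1.15.2"}}},
	{"CVE-2024-28250", []vulnRange{{"v1.14.0", "v1.14.8"}, {"v1.15.0", "v1.15.2"}}},
	{"CVE-2024-28860", []vulnRange{{"v1.4.0", "v1.13.14"}, {"v1.14.0", "v1.14.9"}, {"v1.15.0", "v1.15.3"}}},
	{"CVE-2024-37307", []vulnRange{{"v1.13.0", "v1.13.17"}, {"v1.14.0", "v1.14.12"}, {"v1.15.0", "v1.15.6"}}},
}

// AffectedBy returns, in page order, each advisory that applies to the given
// Cilium version together with the release that fixes it.
func AffectedBy(ver string) ([]string, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, a := range advisories {
		for _, r := range a.ranges {
			lo, _ := parseVersion(r.lo)
			fix, _ := parseVersion(r.fixedIn)
			if !v.less(lo) && v.less(fix) {
				out = append(out, a.id+" (fixed in "+r.fixedIn+")")
				break
			}
		}
	}
	return out, nil
}

// IPsecKeysMarkedPerTunnel is the CVE-2024-28860 post-rotation check: the
// advisory says the IPsec Kubernetes secret must contain a "+". The check has
// to run on the decoded value, because the base64 alphabet itself contains "+"
// and inspecting the encoded field would produce false positives.
func IPsecKeysMarkedPerTunnel(keysBase64 string) (bool, error) {
	raw, err := base64.StdEncoding.DecodeString(keysBase64)
	if err != nil {
		return false, fmt.Errorf("decode secret value: %w", err)
	}
	return strings.Contains(string(raw), "+"), nil
}

// Constructed sample secret values (not real keys; the line layout is an assumption).
var (
	sampleKeysBeforeRotation = base64.StdEncoding.EncodeToString([]byte("3 rfc4106(gcm(aes)) 00112233445566778899aabbccddeeff00112233 128\n"))
	sampleKeysAfterRotation  = base64.StdEncoding.EncodeToString([]byte("4+ rfc4106(gcm(aes)) ffeeddccbbaa99887766554433221100ffeeddcc 128\n"))
)

func main() {
	for _, ver := range []string{"v1.14.6", "v1.13.5", "v1.14.12"} {
		hits, err := AffectedBy(ver)
		fmt.Printf("%s: %v (err=%v)\n", ver, hits, err)
	}
	before, _ := IPsecKeysMarkedPerTunnel(sampleKeysBeforeRotation)
	after, _ := IPsecKeysMarkedPerTunnel(sampleKeysAfterRotation)
	fmt.Println("\"+\" marker before rotation:", before, "after rotation:", after)
}
```

Run it with the version reported by `cilium version` (or the agent image tag) to see which of the advisories above still apply; for the secret check, pass the raw base64 value of the secret's `keys` field rather than the decoded text, since the function decodes it itself.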

@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch from 5d62227 to ccc0ac8 Compare March 1, 2024 19:31
@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch from ccc0ac8 to 0bd45d6 Compare March 18, 2024 23:46
@renovate renovate bot changed the title fix(deps): update module github.com/cilium/cilium to v1.14.7 [security] fix(deps): update module github.com/cilium/cilium to v1.14.8 [security] Mar 18, 2024
@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch 2 times, most recently from dd90cc7 to eef265c Compare March 19, 2024 18:28
@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch from eef265c to 00608bb Compare March 28, 2024 20:24
@renovate renovate bot changed the title fix(deps): update module github.com/cilium/cilium to v1.14.8 [security] fix(deps): update module github.com/cilium/cilium to v1.14.9 [security] Mar 28, 2024
@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch from 00608bb to 67077b0 Compare April 2, 2024 23:37
@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch from 67077b0 to 8352e6b Compare April 10, 2024 15:08
@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch 2 times, most recently from edae9c0 to d7a4af1 Compare May 8, 2024 14:47

renovate bot commented Jun 4, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package: github.com/go-jose/go-jose/v3
Change: v3.0.1 -> v3.0.3

@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch from d7a4af1 to 0016e29 Compare June 13, 2024 19:59
@renovate renovate bot changed the title fix(deps): update module github.com/cilium/cilium to v1.14.9 [security] fix(deps): update module github.com/cilium/cilium to v1.14.12 [security] Jun 13, 2024
@renovate renovate bot force-pushed the renovate/go-github.com/cilium/cilium-vulnerability branch from 0016e29 to 326fdcd Compare June 14, 2024 20:31