Insecure Automated Optimizations Affecting github.com/cilium/cilium/pkg/policy package, versions >=1.14.0 <1.14.16>=1.15.0 <1.15.10
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-GITHUBCOMCILIUMCILIUMPKGPOLICY-8237189
- published22 Oct 2024
- disclosed21 Oct 2024
- creditCasey Callendrello, christarazi, Jarno Rajahalme
Introduced: 21 Oct 2024
CVE-2024-47825 Â (opens in a new tab)How to fix?
Upgrade github.com/cilium/cilium/pkg/policy to version 1.14.16, 1.15.10 or higher.
Overview
github.com/cilium/cilium/pkg/policy is a package for eBPF-based Networking, Security, and Observability
Affected versions of this package are vulnerable to Insecure Automated Optimizations due to the interaction between broader CIDR deny policies and more specific CIDR allow policies. An attacker can bypass intended security restrictions if a narrower CIDR allow policy is configured and takes precedence over a broader CIDR deny policy.
Note:
This is only exploitable if enableDefaultDeny: false or - toEntities: all is specified in the narrower allow policy.
Workaround
This vulnerability can be mitigated by removing the enableDefaultDeny: false configuration option and explicitly defining any allow rules required. No workaround is available to users with egress policies that explicitly specify toEntities: all.