Insecure Automated Optimizations Affecting github.com/cilium/cilium/pkg/policy package, versions >=1.14.0 <1.14.16 >=1.15.0 <1.15.10
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMCILIUMCILIUMPKGPOLICY-8237189
- published 22 Oct 2024
- disclosed 21 Oct 2024
- credit Casey Callendrello, christarazi, Jarno Rajahalme
Introduced: 21 Oct 2024
CVE-2024-47825 Open this link in a new tabHow to fix?
Upgrade github.com/cilium/cilium/pkg/policy to version 1.14.16, 1.15.10 or higher.
Overview
github.com/cilium/cilium/pkg/policy is a package for eBPF-based Networking, Security, and Observability
Affected versions of this package are vulnerable to Insecure Automated Optimizations due to the interaction between broader CIDR deny policies and more specific CIDR allow policies. An attacker can bypass intended security restrictions if a narrower CIDR allow policy is configured and takes precedence over a broader CIDR deny policy.
Note:
This is only exploitable if enableDefaultDeny: false or - toEntities: all is specified in the narrower allow policy.
Workaround
This vulnerability can be mitigated by removing the enableDefaultDeny: false configuration option and explicitly defining any allow rules required. No workaround is available to users with egress policies that explicitly specify toEntities: all.