Skip to content

Constallation has pods exposed to peers in VPC

High severity GitHub Reviewed Published Apr 15, 2024 in edgelesssys/constellation • Updated Jun 4, 2024

Package

gomod github.com/edgelesssys/constellation/v2 (Go)

Affected versions

< 2.16.3

Patched versions

2.16.3

Description

Impact

Cilium allows outside actors (world entity) to directly access pods with their internal pod IP, even if they are not exposed explicitly (e.g. via LoadBalancer). A pod that does not authenticate clients and that does not exclude world traffic via network policy may leak sensitive data to an attacker inside the cloud VPC.

Patches

The issue has been patched in v2.16.3.

Workarounds

This network policy excludes all world traffic. It mitigates the problem, but will also block all desired external traffic. If vulnerable pods are known, a policy can be crafted to only firewall those instead (see also https://docs.cilium.io/en/stable/security/policy/language/#access-to-from-outside-cluster).

apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "from-world-to-role-public"
spec:
  endpointSelector:
    matchLabels: {}
    #  role: public
  ingressDeny:
    - fromEntities:
      - world

References

The tracking bug for a Cilium-side fix is cilium/cilium#25626.

References

@burgerdev burgerdev published to edgelesssys/constellation Apr 15, 2024
Published to the GitHub Advisory Database Apr 15, 2024
Reviewed Apr 15, 2024
Last updated Jun 4, 2024

Severity

High

EPSS score

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-g8fc-vrcg-8vjg

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.