Bug 2305326 (CVE-2024-42486) - CVE-2024-42486 cilium/ebpf: Gateway resources continue to establish sessions using revoked ReferenceGrants
Keywords:
Status: NEW
Alias: CVE-2024-42486
Product: Security Response
Classification: Other
Component: vulnerability-draft
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2311433 2311432 2311434 2311435 2311437 2311438 2311439 2311440 2311441 2311442 2311443 2311444 2311445 2311446 2311447 2311448 2311449 2311450 2311451 2311452 2311453 2311454 2311455 2311456 2311457 2311458 2311460
Blocks:
Reported: 2024-08-16 15:20 UTC by OSIDB Bzimport
Modified: 2024-09-12 00:33 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-08-16 15:20:45 UTC
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium's GatewayAPI controller, which could lead to Gateway resources being able to access secrets for longer than intended, or to Routes having the ability to forward traffic to backends in other namespaces for longer than intended. This issue has been patched in Cilium v1.15.8 and v1.16.1. As a workaround, any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any of these resources) will trigger a reconciliation of ReferenceGrants on an affected cluster.

