Cilium · Cilium · CVE-2024-47825
**Name of the Vulnerable Software and Affected Versions**
Cilium versions 1.14.0 through 1.14.15
Cilium versions 1.15.0 through 1.15.9
**Description**
A policy rule denying a prefix broader than /32 may be ignored if another policy rule references a narrower prefix (`toCIDR`/`CIDRSet` or `toFQDN`) and the policy holding that narrower rule specifies either `enableDefaultDeny: false` or `- toEntities: all`. Only policies that use `enableDefaultDeny: false` or set `toEntities` to `all` are affected. For example, given the two policies below, egress to 1.1.1.2 is allowed even though the `block-scary-range` deny rule covers the whole of 1.0.0.0/8.
```yaml
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: block-scary-range
spec:
  endpointSelector: {}
  egressDeny:
  - toCIDRSet:
    - cidr: 1.0.0.0/8
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: evade-deny
spec:
  endpointSelector: {}
  egress:
  - toCIDR:
    - 1.1.1.2/32
  - toEntities:
    - all
```
**Recommendations**
If your policies set `enableDefaultDeny: false`, remove that option and explicitly define the allow rules you actually need.
If your egress policies explicitly specify `toEntities: all`, consider `toEntities: world` as a temporary workaround until you can upgrade. Note that `world` covers only destinations outside the cluster, so confirm that any in-cluster egress the policy relied on (the `cluster`, `host` or `remote-node` entities) is still allowed by another rule.
Upgrade to Cilium v1.14.16 or v1.15.10, which contain the fix.
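An added audit script, not part of the advisory or of the Cilium project, that flags policies matching the pattern described above so they can be found before the recommendations are applied. It consumes the JSON printed by `kubectl get cnp,ccnp -A -o json`. Treating `toCIDR`, `toCIDRSet` and `toFQDNs` egress rules as the "narrower prefix" rules and `enableDefaultDeny.egress: false` as the disabling setting is this script's reading of the advisory, and the embedded sample policies are constructed for the demonstration.

```python
"""Audit Cilium policies for the rule combination described in CVE-2024-47825.

Added example, not code from the Cilium project.  It reads the JSON that
`kubectl get cnp,ccnp -A -o json` prints (a List whose `items` are
CiliumNetworkPolicy / CiliumClusterwideNetworkPolicy objects) and reports
every policy that pairs a narrow-prefix egress rule (toCIDR, toCIDRSet or
toFQDNs) with an egress `toEntities: all` rule or with
`enableDefaultDeny.egress: false`.  Treating that pairing as the trigger is
this script's reading of the advisory, and the sample input is constructed.
"""
import json
import sys

# Egress rule keys that reference a prefix narrower than the deny.
NARROW_PREFIX_KEYS = ("toCIDR", "toCIDRSet", "toFQDNs")


def _specs(policy):
    """A CNP carries a single `spec` or a list under `specs`; yield each."""
    if isinstance(policy.get("spec"), dict):
        yield policy["spec"]
    for spec in policy.get("specs") or []:
        if isinstance(spec, dict):
            yield spec


def _default_deny_disabled(spec):
    """True when egress default-deny is switched off for this spec."""
    edd = spec.get("enableDefaultDeny")
    if edd is False:  # tolerate the bare shorthand the advisory text uses
        return True
    return isinstance(edd, dict) and edd.get("egress") is False


def _allows_all_entities(spec):
    """True if any egress rule lists the `all` entity."""
    return any("all" in (rule.get("toEntities") or [])
               for rule in spec.get("egress") or [])


def _has_narrow_prefix_rule(spec):
    """True if any egress rule references a CIDR, CIDRSet or FQDN."""
    return any(key in rule for rule in spec.get("egress") or []
               for key in NARROW_PREFIX_KEYS)


def find_risky_policies(items):
    """Return (kind, namespace, name, reason) tuples for matching policies."""
    findings = []
    for policy in items:
        meta = policy.get("metadata", {})
        ident = (policy.get("kind", "?"), meta.get("namespace", "-"),
                 meta.get("name", "?"))
        for spec in _specs(policy):
            if not _has_narrow_prefix_rule(spec):
                continue  # without a narrower prefix rule the bug does not trigger
            if _allows_all_entities(spec):
                findings.append(ident + ("egress toEntities: all",))
            if _default_deny_disabled(spec):
                findings.append(ident + ("enableDefaultDeny.egress: false",))
    return findings


def _cnp(name, spec):
    """Build a namespaced CiliumNetworkPolicy object for the constructed sample."""
    return {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


# Constructed sample: the advisory's two policies, the suggested workaround,
# and a policy that disables egress default-deny next to an FQDN rule.
SAMPLE_LIST = {"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "cilium.io/v2", "kind": "CiliumClusterwideNetworkPolicy",
     "metadata": {"name": "block-scary-range"},
     "spec": {"endpointSelector": {},
              "egressDeny": [{"toCIDRSet": [{"cidr": "1.0.0.0/8"}]}]}},
    _cnp("evade-deny", {"endpointSelector": {}, "egress": [
        {"toCIDR": ["1.1.1.2/32"]}, {"toEntities": ["all"]}]}),
    _cnp("evade-deny-fixed", {"endpointSelector": {}, "egress": [
        {"toCIDR": ["1.1.1.2/32"]}, {"toEntities": ["world"]}]}),
    _cnp("no-default-deny", {"endpointSelector": {},
                             "enableDefaultDeny": {"egress": False},
                             "egress": [{"toFQDNs": [{"matchName": "example.com"}]}]}),
]}

if __name__ == "__main__":
    # Pipe real cluster output in; fall back to the constructed sample otherwise.
    data = SAMPLE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for kind, ns, name, reason in find_risky_policies(data.get("items", [])):
        print(f"{kind} {ns}/{name}: {reason}")
```

Run it against a live cluster with `kubectl get cnp,ccnp -A -o json | python3 audit_cve_2024_47825.py` (the file name is arbitrary). Run without input, it evaluates the constructed sample and reports `evade-deny` and `no-default-deny` while leaving the `world` variant and the pure deny policy unflagged. A finding means the policy matches the shape the advisory describes and should be edited or the cluster upgraded; the script does not prove that a broader deny is actually being bypassed.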