PT-2023-27910 · Cilium · Cilium
Odinuge
Published 2023-09-26 · Updated 2024-08-21
CVE-2023-41333
CVSS v3.1: 6.9 (Medium)
Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Cilium versions prior to 1.14.2
Cilium versions prior to 1.13.7
Cilium versions prior to 1.12.14
Description
An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace can affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces. By using a crafted endpointSelector that applies the DoesNotExist operator to the reserved:init label, the attacker can create policies that bypass namespace restrictions and affect the entire Cilium cluster, including potentially allowing or denying all traffic. This attack requires API server access.
Recommendations
For versions prior to 1.14.2, update to version 1.14.2 or later.
For versions prior to 1.13.7, update to version 1.13.7 or later.
For versions prior to 1.12.14, update to version 1.12.14 or later.
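The temporary workaround recommended below (an admission webhook that rejects CiliumNetworkPolicies whose endpointSelector applies DoesNotExist to the reserved:init label) reduces to the validation logic in this added example. It is not code from Cilium or from the advisory; the sample policies and the AdmissionReview request are constructed here, and the check assumes the CiliumNetworkPolicy layout of a single `spec` or a `specs` list, each with an optional `endpointSelector` carrying `matchExpressions`.

```python
"""Validation logic for a Kubernetes validating admission webhook that refuses
CiliumNetworkPolicy objects using DoesNotExist on the reserved:init label.

Added example, not Cilium or advisory code. The policy shapes (spec / specs,
endpointSelector.matchExpressions) follow the public CiliumNetworkPolicy CRD;
every sample object below is constructed for this example.
"""
from __future__ import annotations

from typing import Any, Iterator

RESERVED_INIT = "reserved:init"


def iter_endpoint_selectors(cnp: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every endpointSelector in a CiliumNetworkPolicy.

    A CNP carries its rule either under `spec` or as a list under `specs`;
    both are walked so a policy cannot hide the selector in the rarer field.
    """
    rules: list[dict[str, Any]] = []
    if isinstance(cnp.get("spec"), dict):
        rules.append(cnp["spec"])
    if isinstance(cnp.get("specs"), list):
        rules.extend(r for r in cnp["specs"] if isinstance(r, dict))
    for rule in rules:
        selector = rule.get("endpointSelector")
        if isinstance(selector, dict):
            yield selector


def selector_excludes_init(selector: dict[str, Any]) -> bool:
    """True if any matchExpressions entry is `reserved:init DoesNotExist`."""
    for expr in selector.get("matchExpressions") or []:
        if not isinstance(expr, dict):
            continue
        if expr.get("key") == RESERVED_INIT and expr.get("operator") == "DoesNotExist":
            return True
    return False


def validate_cnp(cnp: dict[str, Any]) -> tuple[bool, str]:
    """Return (allowed, message) for one object handed to the webhook."""
    if cnp.get("kind") != "CiliumNetworkPolicy":
        return True, "not a CiliumNetworkPolicy; no opinion"
    for selector in iter_endpoint_selectors(cnp):
        if selector_excludes_init(selector):
            return False, ("endpointSelector uses DoesNotExist on reserved:init; "
                           "refused as a mitigation for CVE-2023-41333")
    return True, "ok"


def admission_response(review: dict[str, Any]) -> dict[str, Any]:
    """Build the admission.k8s.io/v1 AdmissionReview response for a request."""
    request = review.get("request") or {}
    allowed, message = validate_cnp(request.get("object") or {})
    response: dict[str, Any] = {"uid": request.get("uid", ""), "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed samples (hypothetical names; not from the advisory).
BENIGN_CNP = {
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "allow-frontend", "namespace": "team-a"},
    "spec": {"endpointSelector": {"matchLabels": {"app": "frontend"},
                                  # DoesNotExist on an ordinary label is fine.
                                  "matchExpressions": [{"key": "k8s:tier",
                                                        "operator": "DoesNotExist"}]},
             "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "gateway"}}]}]},
}

BAD_CNP = {
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "wide-open", "namespace": "team-a"},
    "spec": {"endpointSelector": {"matchExpressions": [
                 {"key": RESERVED_INIT, "operator": "DoesNotExist"}]},
             "ingress": [{}]},
}

# Same selector, but tucked into the `specs` list rather than `spec`.
HIDDEN_IN_SPECS_CNP = {
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "wide-open-2", "namespace": "team-a"},
    "specs": [{"endpointSelector": {"matchLabels": {"app": "db"}}},
              {"endpointSelector": {"matchExpressions": [
                  {"key": RESERVED_INIT, "operator": "DoesNotExist"}]}}],
}

SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                 "request": {"uid": "00000000-0000-0000-0000-000000000001",
                             "operation": "CREATE", "object": BAD_CNP}}

if __name__ == "__main__":
    for cnp in (BENIGN_CNP, BAD_CNP, HIDDEN_IN_SPECS_CNP):
        print(cnp["metadata"]["name"], validate_cnp(cnp))
    print(admission_response(SAMPLE_REVIEW)["response"])
```

The webhook must be registered for both CREATE and UPDATE of cilium.io CiliumNetworkPolicy objects, since the advisory covers modifying existing policies as well as creating them; the `failurePolicy` should be `Fail` so an unreachable webhook does not silently admit the selector.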
As a temporary workaround, consider using an admission webhook to prevent the use of endpointSelectors that apply the DoesNotExist operator to the reserved:init label in CiliumNetworkPolicies.
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related identifiers
Affected products
Cilium