PT-2023-4601 · Docker+7 · Moby+8

Corhere · Published 2023-04-04 · Updated 2025-10-11 · CVE-2023-28841

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Moby versions prior to 23.0.3
Moby versions prior to 20.10.24
Mirantis Container Runtime versions prior to 20.10.16

Description

The issue is related to the encrypted overlay network feature in Moby's Swarm Mode. Encrypted overlay networks work by encapsulating VXLAN datagrams using the IPsec Encapsulating Security Payload (ESP) protocol in transport mode. On affected platforms, however, these networks silently transmit unencrypted data: the network appears to function, but the expected confidentiality and data integrity guarantees are absent. An attacker in a trusted position on the network can read all application traffic crossing the overlay network, resulting in unexpected disclosure of secrets or user data. Many database protocols and internal APIs are not protected by a second layer of encryption, so users may rely on Swarm encrypted overlay networks for confidentiality, which this vulnerability no longer guarantees.

Recommendations

Update to Moby release 23.0.3 or later.
Update to Moby release 20.10.24 or later.
Update to Mirantis Container Runtime version 20.10.16 or later.
As a temporary workaround, close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary to prevent unintentionally leaking unencrypted traffic over the Internet.
Ensure that the xt_u32 kernel module is available on all nodes of the Swarm cluster.
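As an added defender-side check (not code from the advisory, from Moby or from Mirantis), the following Python classifies raw IPv4 packets seen at the Internet boundary: IP protocol 50 (ESP) means the overlay datagram is protected as the description expects, while UDP to the default VXLAN port 4789 carrying a VXLAN header means overlay traffic is leaving in the clear. The packet builders, VNIs and 10.0.0.x addresses are constructed sample data, not captures.

```python
import struct

VXLAN_PORT = 4789                 # Swarm's default VXLAN port (from the advisory)
IPPROTO_UDP, IPPROTO_ESP = 17, 50

def classify_ipv4(pkt: bytes) -> dict:
    """Classify one raw IPv4 packet seen at the Internet boundary."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "other", "reason": "not IPv4"}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        # Healthy case: transport-mode ESP hides the UDP/VXLAN header
        # inside the ciphertext; only the SPI is visible on the wire.
        spi = struct.unpack("!I", payload[:4])[0] if len(payload) >= 8 else None
        return {"kind": "esp", "spi": spi}
    if proto == IPPROTO_UDP and len(payload) >= 16:
        _sport, dport, _ulen = struct.unpack("!HHH", payload[:6])
        vx = payload[8:16]                       # VXLAN header follows UDP
        if dport == VXLAN_PORT and vx[0] & 0x08:  # I flag: VNI present
            vni = int.from_bytes(vx[4:7], "big")
            # Leak case: overlay traffic crossing the boundary unencrypted.
            return {"kind": "plaintext-vxlan", "vni": vni, "dport": dport}
    return {"kind": "other", "proto": proto}

def ipv4_header(proto: int, payload_len: int) -> bytes:
    # Minimal constructed 20-byte IPv4 header; checksum left at zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def sample_plaintext_vxlan(vni: int) -> bytes:
    """Constructed packet shaped like the leak: UDP/4789 carrying plain VXLAN."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    inner = b"\xde\xad" * 8  # stand-in for the inner Ethernet frame
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(vxlan) + len(inner), 0)
    body = udp + vxlan + inner
    return ipv4_header(IPPROTO_UDP, len(body)) + body

def sample_esp(spi: int) -> bytes:
    """Constructed packet shaped like a correctly encrypted overlay datagram."""
    body = struct.pack("!II", spi, 1) + b"\x00" * 32  # SPI, sequence, ciphertext
    return ipv4_header(IPPROTO_ESP, len(body)) + body

def count_leaks(packets) -> int:
    """Number of packets that carry overlay traffic in the clear."""
    return sum(classify_ipv4(p)["kind"] == "plaintext-vxlan" for p in packets)
```

Feed `classify_ipv4` the IPv4 layer of packets from a boundary capture; any `plaintext-vxlan` result on a node that is supposed to be on an encrypted overlay is the condition this advisory describes.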

Exploit

Fix

Weakness Enumeration

Improper Handling of Exceptional Conditions
Missing Encryption of Sensitive Data

Related Identifiers

BDU:2023-05008
CVE-2023-28841
GHSA-232P-VWFF-86MP
GHSA-33PG-M6JH-5237
GHSA-6WRF-MXFJ-PF5P
GHSA-GVM4-2QQG-M333
GHSA-VWM3-CRMR-XFXW
GO-2023-1699
GO-2023-1700
GO-2023-1701
MGASA-2023-0329
OESA-2023-1238
OPENSUSE-SU-2023_3536-1
OPENSUSE-SU-2024:13205-1
OPENSUSE-SU-2025:15589-1
SUSE-SU-2023:3307-1
SUSE-SU-2023:3536-1
SUSE-SU-2025:03540-1
SUSE-SU-2025:03545-1
USN-7474-1

Affected Products

Astra Linux
Debian
Docker
Linuxmint
Mirantis Container Runtime
Moby
Red Os
Suse
Ubuntu