PT-2024-22364 · Cilium · Cilium
Giorio94 · Published 2024-03-18 · Updated 2025-01-09
CVE-2024-28249
CVSS v3.1: 6.1 (Medium)
| Vector | AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Cilium versions prior to 1.13.13
Cilium versions prior to 1.14.8
Cilium versions prior to 1.15.2
Cilium versions 1.4 through 1.12
Description
In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on other nodes, and IPsec-eligible traffic between a node's DNS proxy and pods on other nodes, is sent unencrypted. This issue affects connections selected by an L7 Egress Network Policy or a DNS Policy in native routing mode, which is a known limitation of Cilium's IPsec encryption.
Recommendations
For Cilium versions prior to 1.13.13, update to version 1.13.13 or later.
For Cilium versions prior to 1.14.8, update to version 1.14.8 or later.
For Cilium versions prior to 1.15.2, update to version 1.15.2 or later.
For Cilium versions 1.4 through 1.12, update to a version outside of this range, such as 1.13.13, 1.14.8, or 1.15.2.
No temporary workaround is available; updating to the specified versions is the recommended course of action.
Weakness Types
Cleartext Transmission of Sensitive Information (CWE-319)
Missing Encryption of Sensitive Data (CWE-311)
Affected Products
Cilium