PT-2024-35358 · Cilium · Cilium

Ferozsalam · Published 2024-11-25 · Updated 2025-09-03 · CVE-2024-52529

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Cilium versions 1.16.0 through 1.16.3

Description: The issue arises when there is a Layer 3 policy with a port range and a Layer 7 policy with a port within the first policy's range. In such cases, the Layer 7 policy enforcement would not occur for the traffic selected by the Layer 7 policy. This affects users who use Cilium's port range functionality, introduced in Cilium v1.16. For example, if a Layer 3 policy allows traffic to ports 80 through 444 and a Layer 7 policy allows GET requests to the /public path on port 80, requests would be permitted to all HTTP paths on matching endpoints, rather than just GET requests to the /public path as intended.

Recommendations: For versions 1.16.0 through 1.16.3, users are advised to upgrade to Cilium v1.16.4, which includes the patch for this issue. As a temporary workaround, users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.
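The following is an added example, not code from the advisory or from the Cilium project. It works on CiliumNetworkPolicy objects already parsed into Python dicts (for instance the output of yaml.safe_load on a manifest), flags the pattern described above (a Layer 7 port rule that falls inside a Layer 3/4 port range in the same direction), and applies the advisory's temporary workaround by rewriting each port range into individually listed ports. The policy names, the make_policy() helper and the sample policies are constructed for the example and mirror the 80-444 / GET /public case in the description; find_shadowed_l7() assumes the caller passes only policies that select the same endpoint; MAX_PORTS_PER_ENTRY is my assumption about the per-entry cap Cilium's CRD schema places on a toPorts ports list and should be checked against the installed CRD.

```python
"""Added example for CVE-2024-52529 (not Cilium project code).

find_shadowed_l7()   -> reports L7 port rules that sit inside an L3/L4 port range
expand_port_ranges() -> rewrites port ranges into explicit per-port entries
                        (the advisory's temporary workaround)
Input policies are CiliumNetworkPolicy dicts, e.g. from yaml.safe_load().
"""
from copy import deepcopy

DIRECTIONS = ("ingress", "egress")
MAX_PORTS_PER_ENTRY = 40  # assumed CRD limit on len(toPorts[i].ports); verify locally


def _to_ports_entries(policy):
    """Yield (direction, entry) for every toPorts entry in the policy spec."""
    spec = policy.get("spec", {})
    for direction in DIRECTIONS:
        for rule in spec.get(direction) or []:
            for entry in rule.get("toPorts") or []:
                yield direction, entry


def _proto_overlaps(a, b):
    # An omitted protocol matches any protocol in Cilium policy.
    return a == b or "ANY" in (a, b)


def find_shadowed_l7(policies):
    """Return findings for L7 ports that lie inside an L3/L4 port range.

    Assumes every policy in `policies` selects the same endpoint.
    """
    ranges, l7_ports = [], []
    for policy in policies:
        name = policy.get("metadata", {}).get("name", "<unnamed>")
        for direction, entry in _to_ports_entries(policy):
            has_l7 = bool(entry.get("rules"))  # http/kafka/dns/l7 rules present
            for pp in entry.get("ports") or []:
                start = int(pp["port"])
                proto = pp.get("protocol", "ANY")
                if has_l7:
                    l7_ports.append((direction, name, start, proto))
                elif "endPort" in pp:
                    ranges.append((direction, name, start, int(pp["endPort"]), proto))
    findings = []
    for direction, l7_name, port, proto in l7_ports:
        for r_dir, r_name, start, end, r_proto in ranges:
            if r_dir == direction and start <= port <= end and _proto_overlaps(proto, r_proto):
                findings.append({"direction": direction, "l7_policy": l7_name,
                                 "l7_port": port, "range_policy": r_name,
                                 "range": (start, end)})
    return findings


def _explode(pp):
    """Turn one PortProtocol into a list of single-port PortProtocols."""
    if "endPort" not in pp:
        return [pp]
    start, end = int(pp["port"]), int(pp["endPort"])
    base = {k: v for k, v in pp.items() if k != "endPort"}
    return [dict(base, port=str(p)) for p in range(start, end + 1)]


def expand_port_ranges(policy, max_ports_per_entry=MAX_PORTS_PER_ENTRY):
    """Workaround: replace every port range with explicitly listed ports.

    When the expanded list is longer than max_ports_per_entry, the toPorts
    entry is split into several entries that share its other fields.
    """
    out = deepcopy(policy)
    for direction in DIRECTIONS:
        for rule in out.get("spec", {}).get(direction) or []:
            if not rule.get("toPorts"):
                continue
            rewritten = []
            for entry in rule["toPorts"]:
                if not entry.get("ports"):
                    rewritten.append(entry)
                    continue
                ports = [p for pp in entry["ports"] for p in _explode(pp)]
                for i in range(0, len(ports), max_ports_per_entry):
                    rewritten.append(dict(entry, ports=ports[i:i + max_ports_per_entry]))
            rule["toPorts"] = rewritten
    return out


def make_policy(name, to_ports):
    """Build a minimal constructed egress CiliumNetworkPolicy for the samples."""
    return {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
            "metadata": {"name": name},
            "spec": {"endpointSelector": {"matchLabels": {"app": "frontend"}},
                     "egress": [{"toEndpoints": [{"matchLabels": {"app": "backend"}}],
                                 "toPorts": to_ports}]}}


# Constructed samples mirroring the advisory's example.
L3_RANGE_POLICY = make_policy("frontend-to-backend-ports",
    [{"ports": [{"port": "80", "endPort": 444, "protocol": "TCP"}]}])
L7_POLICY = make_policy("frontend-to-backend-http",
    [{"ports": [{"port": "80", "protocol": "TCP"}],
      "rules": {"http": [{"method": "GET", "path": "/public"}]}}])

if __name__ == "__main__":
    for f in find_shadowed_l7([L3_RANGE_POLICY, L7_POLICY]):
        print(f"{f['direction']}: L7 port {f['l7_port']} in {f['l7_policy']} "
              f"lies inside range {f['range']} of {f['range_policy']}")
    fixed = expand_port_ranges(L3_RANGE_POLICY)
    print("toPorts entries after expansion:", len(fixed["spec"]["egress"][0]["toPorts"]))
```

Run as a script it reports the single overlap (port 80 inside 80-444) and shows how many toPorts entries the expanded policy needs. To use it on real manifests, load them with yaml.safe_load, pass the policies that select one endpoint to find_shadowed_l7(), and dump the result of expand_port_ranges() back out with yaml.safe_dump; the rewritten policy is only a stop-gap until the upgrade to v1.16.4.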

Weakness Enumeration

Missing Authorization
Improper Handling of Exceptional Conditions

Related Identifiers

BIT-CILIUM-2024-52529
BIT-CILIUM-OPERATOR-2024-52529
BIT-HUBBLE-RELAY-2024-52529
CVE-2024-52529
GHSA-XG58-75QF-9R67
GO-2024-3290
OPENSUSE-SU-2024:14567-1

Affected Products

Cilium