Summary:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.
Severity: Low
Advisory ID: KylinSec-SA-2025-2386
Published: 28 April 2025
Related CVE: CVE-2025-30162
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who meet all of the following conditions: using Gateway API to configure Ingress for some services, using LB-IPAM or BGP to implement LB Services, and configuring network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, there is a security issue: such network policies incorrectly allow egress traffic from the covered workloads to LoadBalancers configured via `Gateway` resources. LoadBalancer resources not configured via Gateway API are not affected by this issue.
Affected versions:
Cilium v1.15.0 to v1.15.14 (inclusive)
v1.16.0 to v1.16.7 (inclusive)
v1.17.0 to v1.17.1 (inclusive)
This issue is fixed in the following versions:
v1.15.15
v1.16.8
v1.17.2
Users who are unable to upgrade can work around this issue by configuring a Clusterwide Cilium Network Policy.
CVE | Product | Component | Affected |
---|---|---|---|
CVE-2025-30162 | KY3.4-5A | cilium | Unaffected |
CVE-2025-30162 | V6 | cilium | Unaffected |