Summary:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This can in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label not to apply, leading to policy bypass. This issue has been patched in Cilium v1.14.14 and v1.15.8. Because the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.
Severity: Low
Advisory ID: KylinSec-SA-2025-2434
Published: May 30, 2025
Related CVE: CVE-2024-42488
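The advisory's symptom is that a policy whose nodeSelector should select a node does not take effect because the agent's view of that node's labels is incomplete. The following check is an added example, not code from the advisory or from the Cilium project: it evaluates Kubernetes LabelSelector semantics (matchLabels plus In/NotIn/Exists/DoesNotExist matchExpressions) against two label views per node, the labels in the Kubernetes API and the labels the agent reported, and lists every policy/node pair that should be covered but is not. All node labels, policy names and selectors below are constructed sample data; in a real cluster the API-side labels would come from `kubectl get nodes -o json` and the agent-side labels would have to be collected from the agent on each node (not shown here). Cilium's own selector evaluation, including its label-source prefixing, is not reproduced.

```python
"""Added example: does a CiliumClusterwideNetworkPolicy nodeSelector select a
node, and does the agent's view of the node's labels agree with the API's?"""
from typing import Dict, List, Set

Labels = Dict[str, str]

# Constructed node labels as stored in the Kubernetes API (sample data, not
# taken from the advisory or from any real cluster).
NODES_FROM_API: Dict[str, Labels] = {
    "ctrl-0": {"kubernetes.io/hostname": "ctrl-0",
               "node-role.kubernetes.io/control-plane": ""},
    "worker-0": {"kubernetes.io/hostname": "worker-0", "tier": "dmz"},
    "worker-1": {"kubernetes.io/hostname": "worker-1", "tier": "internal"},
}

# Constructed view of the same labels as reported by the Cilium agent on each
# node. On worker-0 the "tier" label is missing, which stands in for the
# ignored-label race described in the advisory.
NODES_SEEN_BY_AGENT: Dict[str, Labels] = {
    "ctrl-0": dict(NODES_FROM_API["ctrl-0"]),
    "worker-0": {"kubernetes.io/hostname": "worker-0"},
    "worker-1": dict(NODES_FROM_API["worker-1"]),
}

# Constructed CCNP nodeSelectors (hypothetical policy names; only the
# selector part of the spec is needed for this check).
POLICIES: List[dict] = [
    {"name": "dmz-host-fw",
     "nodeSelector": {"matchLabels": {"tier": "dmz"}}},
    {"name": "control-plane-host-fw",
     "nodeSelector": {"matchExpressions": [
         {"key": "node-role.kubernetes.io/control-plane",
          "operator": "Exists"}]}},
]


def selector_matches(selector: dict, labels: Labels) -> bool:
    """Kubernetes LabelSelector semantics: every matchLabels entry and every
    matchExpressions entry must hold (AND); an empty selector matches all."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def selected_nodes(policy: dict, nodes: Dict[str, Labels]) -> Set[str]:
    """Names of the nodes whose labels satisfy the policy's nodeSelector."""
    sel = policy.get("nodeSelector", {})
    return {n for n, labels in nodes.items() if selector_matches(sel, labels)}


def find_unapplied(policies: List[dict],
                   api_nodes: Dict[str, Labels],
                   agent_nodes: Dict[str, Labels]) -> Dict[str, List[str]]:
    """For each policy, the nodes it should cover according to the API's
    labels but would not cover according to the labels the agent saw.
    A non-empty result is the symptom the advisory describes."""
    gaps: Dict[str, List[str]] = {}
    for policy in policies:
        expected = selected_nodes(policy, api_nodes)
        actual = selected_nodes(policy, agent_nodes)
        missing = sorted(expected - actual)
        if missing:
            gaps[policy["name"]] = missing
    return gaps


if __name__ == "__main__":
    for name, nodes in find_unapplied(POLICIES, NODES_FROM_API,
                                      NODES_SEEN_BY_AGENT).items():
        print(f"policy {name} not applied on: {', '.join(nodes)}")
```

With the constructed data the check reports `dmz-host-fw` as not applied on `worker-0`, while the control-plane policy is unaffected. For a node the check flags, the advisory's interim mitigation is to restart the agent on that node, for example `kubectl -n kube-system delete pod -l k8s-app=cilium --field-selector spec.nodeName=<node>` (assuming the default `k8s-app=cilium` pod label of the Cilium DaemonSet), and then repeat the check until the policy is confirmed to be in effect; upgrading to v1.14.14 or v1.15.8 is the actual fix.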
CVE | Product | Component | Affected |
---|---|---|---|
CVE-2024-42488 | KY3.4-5A | cilium | Unaffected |
CVE-2024-42488 | V6 | cilium | Unaffected |