摘要:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium's GatewayAPI controller, which could lead to Gateway resources being able to access secrets for longer than intended, or to Routes having the ability to forward traffic to backends in other namespaces for longer than intended. This issue has been patched in Cilium v1.15.8 and v1.16.1. As a workaround, any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any of these resources) will trigger a reconciliation of ReferenceGrants on an affected cluster.
安全等级: Low
公告ID: KylinSec-SA-2025-2435
发布日期: 2025年5月30日
关联CVE: CVE-2024-42486
Cilium是一款集网络、可观测性与安全功能于一体的解决方案,其数据平面基于eBPF技术。在1.15.x分支中1.15.8之前的版本以及1.16.x分支中1.16.1之前的版本中,Cilium的GatewayAPI控制器未能正确传播ReferenceGrant变更。这可能导致网关资源访问机密信息的时间超出预期,或路由将流量转发至其他命名空间后端的能力持续超出预期时长。该问题已通过Cilium v1.15.8和v1.16.1修复。作为临时缓解措施,对相关Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD进行任何修改(例如为这些资源添加标签),均会触发受影响集群上的ReferenceGrants协调机制。
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2024-42486 | KY3.4-5A | cilium | Unaffected |
| CVE-2024-42486 | V6 | cilium | Unaffected |
