fix(deps): update module github.com/cilium/cilium to v1.15.10 [security] (v1.1)

[cilium-renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/cilium/cilium	require	patch	v1.15.8 -> v1.15.10

---

Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present

BIT-cilium-2024-47825 / BIT-cilium-operator-2024-47825 / BIT-hubble-relay-2024-47825 / CVE-2024-47825 / GHSA-3wwx-63fv-pfq6

More information

Details

Impact

A policy rule denying a prefix that is broader than /32 may be ignored if there is

• A policy rule referencing a more narrow prefix (CIDRSet or toFQDN) and
• This narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all

Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.

As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: block-scary-range
spec:
  endpointSelector: {}
  egressDeny:
  - toCIDRSet:
    - cidr: 1.0.0.0/8

---

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: evade-deny
spec:
  endpointSelector: {}
  egress:
  - toCIDR:
    - 1.1.1.2/32
  - toEntities:
    - all

Patches

This issue affects:

• Cilium v1.14 between v1.14.0 and v1.14.15 inclusive
• Cilium v1.15 between v1.15.0 and v1.15.9 inclusive

This issue has been patched in:

• Cilium v1.14.16
• Cilium v1.15.10

Workarounds

Users with policies using enableDefaultDeny: false can work around this issue by removing this configuration option and explicitly defining any allow rules required.

No workaround is available to users with egress policies that explicitly specify toEntities: all.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​squeed, @​christarazi, and @​jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated with top priority.

Severity

• CVSS Score: 4.0 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References

• https://github.com/cilium/cilium/security/advisories/GHSA-3wwx-63fv-pfq6
• https://nvd.nist.gov/vuln/detail/CVE-2024-47825
• https://github.com/cilium/cilium/commit/02d28d9ac9afcaddd301fae6fb4d6cda8c2d0c45
• https://github.com/cilium/cilium/commit/9c01afb5646af3f0c696421a410dc66c513b6524
• https://github.com/cilium/cilium

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.15.10: 1.15.10

Compare Source

Summary of Changes

Minor Changes:

• bpf: do not invoke llc from Makefiles (Backport PR #​35168, Upstream PR #​29459, @​lmb)

Bugfixes:

• bugtool: fix cilium-health command (Backport PR #​35276, Upstream PR #​35068, @​ayuspin)
• Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR #​34917, Upstream PR #​34303, @​julianwiedmann)
• Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR #​35037, Upstream PR #​34789, @​tommyp1ckles)
• Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR #​35037, Upstream PR #​34783, @​dylandreimerink)
• Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR #​35276, Upstream PR #​35109, @​jrajahalme)
• Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR #​35276, Upstream PR #​35033, @​WeeNews)
• Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (Backport PR #​35276, Upstream PR #​34611, @​dboslee)
• Fixes startup fatal error when updating CiliumNode resource. (Backport PR #​34917, Upstream PR #​34862, @​harsimran-pabla)
• gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR #​35276, Upstream PR #​34808, @​cfsnyder)

CI Changes:

• .github/lint-build-commits: fix workflow for push events (Backport PR #​35276, Upstream PR #​35264, @​aanm)
• .github: create cache directories on cache miss (Backport PR #​35168, Upstream PR #​35088, @​aanm)
• .github: do not push floating tag from PRs (Backport PR #​35168, Upstream PR #​35227, @​aanm)
• .github: install golang action after checkout (Backport PR #​35168, Upstream PR #​34843, @​aanm)
• .github: re-enable configurations in e2e-upgrade (Backport PR #​35168, Upstream PR #​34800, @​aanm)
• .github: specify cache-dependency-path in lint-workflows (Backport PR #​35168, Upstream PR #​34845, @​aanm)
• [v1.15] ci: fix check generated documentation (#​35261, @​mhofstetter)
• ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #​34917, Upstream PR #​34820, @​aanm)
• ci: increase wait duration after upgrade/downgrade in E2E upgrade test (Backport PR #​35168, Upstream PR #​32528, @​mhofstetter)
• fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #​34917, Upstream PR #​34902, @​Artyop)
• servicemesh, ci: run internal to NodePort test (Backport PR #​35276, Upstream PR #​35177, @​marseel)

Misc Changes:

• .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #​35168, Upstream PR #​34847, @​aanm)
• .github: clean up disk for lint-build workflow (Backport PR #​35168, Upstream PR #​35141, @​aanm)
• .github: fix build image process to commit changes (Backport PR #​35276, Upstream PR #​35262, @​aanm)
• .github: fix lvh-kind warnings (Backport PR #​35168, Upstream PR #​34811, @​aanm)
• .github: fix runtime image digests (Backport PR #​35118, Upstream PR #​35107, @​aanm)
• [v1.15] helm: bump certgen to v0.1.15 (#​35034, @​kaworu)
• Change GH runners to GH's default (Backport PR #​35168, Upstream PR #​33451, @​aanm)
• chore(deps): update all github action dependencies (v1.15) (#​35027, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​35092, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​35251, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​35026, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.15) (#​35000, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.19 (v1.15) (#​35202, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/hubble to v1.16.2 (v1.15) (#​35241, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.15) (#​35091, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.8 (v1.15) (#​35203, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.15) (#​35083, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.15) (#​35138, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.15) (#​35219, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd (v1.15) (#​35284, @​cilium-renovate[bot])
• helm: set key usages for hubble certificates with cert-manager (Backport PR #​35037, Upstream PR #​34946, @​kaworu)
• images/builder: get rid of annoying git ownership warnings (Backport PR #​35276, Upstream PR #​31538, @​ti-mo)
• Improve speed on lint commits GH workflow (Backport PR #​35168, Upstream PR #​34848, @​aanm)
• Re-write GitHub cache usages across workflows (Backport PR #​35168, Upstream PR #​34866, @​aanm)
• Remove conformance-e2e tests (Backport PR #​35168, Upstream PR #​34742, @​aanm)

Other Changes:

• [v1.15] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (#​35152, @​tklauser)
• install: Update image digests for v1.15.9 (#​35051, @​cilium-release-bot[bot])
• policy: Fix breakages on v1.15 branch (#​35300, @​christarazi)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.10@​sha256:cd096a343861d48e2849b403f0c410bfbb36e64d042f0692b73b93c97d94d9bd

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.10@​sha256:0d8d5490fa6097d4e7539ffcec705dd25f3f992f29528d6ec999497a02cb1399

docker-plugin

quay.io/cilium/docker-plugin:v1.15.10@​sha256:2cb1f30f87c29d5f98b7a59f743c40a1474d2b1e615153a6799a92389d1aa074

hubble-relay

quay.io/cilium/hubble-relay:v1.15.10@​sha256:d4378eb133a6bdf39f50d874b59b72f95d0da2e78bd545b3c053f3c479f593b2

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.10@​sha256:c78ac42e043f9e77172250a1b6997bbcd8356bb8fe7a4784deaea049207ceb9f

operator-aws

quay.io/cilium/operator-aws:v1.15.10@​sha256:c1af1bae559cd0dd9a1867a4ede95f1fef07e3de173b2b82638ebd7d91256ea0

operator-azure

quay.io/cilium/operator-azure:v1.15.10@​sha256:6cd04b35320824a50b43aa5d7fbfa6d11826f6c5ec8e4853da04a28aa3531695

operator-generic

quay.io/cilium/operator-generic:v1.15.10@​sha256:2f49dca6f9692e317601ae8b5bad7d2dc50cedad38cc8d410db14c1fc57719e4

operator

quay.io/cilium/operator:v1.15.10@​sha256:d1c10ea451c3b3d6cd62984fa653974482ffe8e083497f4e4b011d8ab5dbe964

v1.15.9: 1.15.9

Compare Source

We are happy to release Cilium v1.15.9!

This release brings us upstream filter chains for L7 LB policy enforcement, BGP (and other!) bugfixes, CI changes and many many more!

Check out the summary below for details.

Summary of Changes

Minor Changes:

• cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR #​34457, Upstream PR #​32119, @​jrajahalme)
• docs: Update examples for CNP L7 Host (Backport PR #​34645, Upstream PR #​34578, @​sayboras)

Bugfixes:

• BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (#​34331, @​rastislavs)
• config: fix disabling config 'Debug' (Backport PR #​34470, Upstream PR #​34401, @​mhofstetter)
• daemon: Fix error logic flow for pod store being out of date (Backport PR #​34587, Upstream PR #​34389, @​christarazi)
• envoy: fix log level mapping when changing log level via API (Backport PR #​34456, Upstream PR #​34400, @​mhofstetter)
• Fix synchronization of CiliumEndpointSlices when running the Cilium Operator in identity-based slicing mode. (Backport PR #​34456, Upstream PR #​32239, @​thorn3r)
• Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR #​34830, Upstream PR #​34775, @​julianwiedmann)
• helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR #​34473, Upstream PR #​34448, @​mhofstetter)
• ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR #​34598, Upstream PR #​34474, @​sayboras)
• ipcache: Yet another refcounting fix with mix of APIs (Backport PR #​34933, Upstream PR #​34715, @​gandro)
• lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR #​34456, Upstream PR #​34236, @​mhofstetter)

CI Changes:

• .github: change nick-invision/retry -> nick-fields/retry. (#​34736, @​michi-covalent)
• bgpv1/test: fix route matching in PodIPPoolAdvert test (Backport PR #​34456, Upstream PR #​34270, @​rastislavs)
• ci: clean disk only on ubuntu-latest runners (Backport PR #​34830, Upstream PR #​34711, @​marseel)
• ci: Confromance E2E wait for images before matrix generation (Backport PR #​34830, Upstream PR #​34707, @​marseel)
• ci: don't run AKS tests on LTS versions (Backport PR #​34645, Upstream PR #​34640, @​marseel)
• ci: multi pool run tests concurrently (Backport PR #​34299, Upstream PR #​33945, @​viktor-kurchenko)
• ci: Wait for images before generating test matrix (Backport PR #​34830, Upstream PR #​34727, @​marseel)
• Fix: push PR changes when renovate build images under the workflow_call context (Backport PR #​34830, Upstream PR #​34650, @​Artyop)
• gha: Add disk cleanup step for build and test workflow (Backport PR #​34456, Upstream PR #​34339, @​sayboras)
• gha: Free up Github runner disk space (Backport PR #​34299, Upstream PR #​34247, @​sayboras)

Misc Changes:

• Add source IP visibility info to Ingress and Gateway API docs (Backport PR #​34299, Upstream PR #​34137, @​youngnick)
• Add source IP visibility info to Ingress and Gateway API docs (Backport PR #​34367, Upstream PR #​34137, @​youngnick)
• chore(deps): update all github action dependencies (v1.15) (#​34571, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​34750, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (patch) (#​34570, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​34696, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​34904, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.15) (#​34119, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.15) (#​34507, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.15) (#​34884, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/hubble to v1.16.1 (v1.15) (#​34851, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.19.4 (v1.15) (#​34761, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.15) (#​34900, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.7 (v1.15) (#​34733, @​cilium-renovate[bot])
• chore: Avoid docker warning due to casing (Backport PR #​34857, Upstream PR #​34125, @​sayboras)
• cilium-dbg: add Envoy admin commands (Backport PR #​34587, Upstream PR #​34398, @​mhofstetter)
• docs: Avoid using wildcard TLS certificate (Backport PR #​34830, Upstream PR #​34609, @​sayboras)
• docs: Improve Ingress documentation (Backport PR #​34367, Upstream PR #​33698, @​youngnick)
• Documentation: Update readthedocs configuration (Backport PR #​34299, Upstream PR #​34190, @​joestringer)
• endpoint: Do not pass a function to WithFields (Backport PR #​34456, Upstream PR #​34346, @​jrajahalme)
• fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #​34456, Upstream PR #​34372, @​Artyop)
• images: fix path script (Backport PR #​34767, Upstream PR #​34764, @​aanm)
• ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #​34587, Upstream PR #​34221, @​jschwinger233)
• pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR #​34587, Upstream PR #​33896, @​aanm)

Other Changes:

• [v1.15] CODEOWNERS: switch cilium/tophat to cilium/committers (#​34889, @​julianwiedmann)
• [v1.15] envoy: Bump envoy version from v1.29.7 to v1.29.9 (#​34965, @​sayboras)
• [v1.15] envoy: Switch to image with timestamp tag (#​34394, @​sayboras)
• envoy: Bump golang version (#​34327, @​sayboras)
• install: Update image digests for v1.15.8 (#​34376, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.9@​sha256:c2a4c57a6baf758e975fbefbf638476906d1bb0c970e9547d216d9ea7b6471e3

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.9@​sha256:ec82fb96dd0fbac4c6de333aaf8f7964a74c2194a3afdf765b3c260433a4aeed

docker-plugin

quay.io/cilium/docker-plugin:v1.15.9@​sha256:1a86463fd5b38b5930069045af141ee577ead4c26f8ba4d4a532d1aa3f38a709

hubble-relay

quay.io/cilium/hubble-relay:v1.15.9@​sha256:421afd9f4e46a7b9834f0542ceca6e8652ec0598982126dc2dd1dcf0dd690631

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.9@​sha256:9fe2c3c6d49d4f501067ec525a3d792da17d055ebcefa37f4fbb5698109d217b

operator-aws

quay.io/cilium/operator-aws:v1.15.9@​sha256:8c2b4a4d4d6ebf1c37a6ae72da2279286729a4982bf124d98f4bcc2db5eeb5e6

operator-azure

quay.io/cilium/operator-azure:v1.15.9@​sha256:9b02e12c56b08d50eb1540d6cbb1119eee639a9795c752c4904311d03889d7fe

operator-generic

quay.io/cilium/operator-generic:v1.15.9@​sha256:0ec30b4df0d097aedcbcb41748f10ce397f9656c128bea7e227b6bfd820f6d76

operator

quay.io/cilium/operator:v1.15.9@​sha256:9ed87c339762c5b5422bd284e9672f6fedcee2aba376a5aa1328223c39bd9914

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[kkourt]

Failure seems like a flake. Opened an issue: #3050