Vulnerability Details : CVE-2023-41332
Potential exploit
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with `policy.cilium.io/proxy-visibility` annotations (in Cilium >= v1.13) or `io.cilium.proxy-visibility` annotations (in Cilium <= v1.12) causes the Cilium agent to segfault on the node to which the workload is assigned. Existing traffic on the affected node will continue to flow, but the Cilium agent on the node will not able to process changes to workloads running on the node. This will also prevent workloads from being able to start on the affected node. The denial of service will be limited to the node on which the workload is scheduled, however an attacker may be able to schedule workloads on the node of their choosing, which could lead to targeted attacks. This issue has been resolved in Cilium versions 1.14.2, 1.13.7, and 1.12.14. Users unable to upgrade can avoid this denial of service attack by enabling the Layer 7 proxy.
Vulnerability category: Denial of service
Products affected by CVE-2023-41332
- cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*
- cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*
- cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-41332
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-41332
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.1
|
1.4
|
NIST | |
3.5
|
LOW | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.1
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2023-41332
-
The product does not handle or incorrectly handles an exceptional condition.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-41332
-
https://github.com/cilium/cilium/pull/27597
proxy: Ignore visibility annotation if proxy is disabled by sayboras · Pull Request #27597 · cilium/cilium · GitHubExploit;Issue Tracking;Patch
-
https://github.com/cilium/cilium/security/advisories/GHSA-24m5-r6hv-ccgp
DoS via Kubernetes annotations in specific Cilium configurations · Advisory · cilium/cilium · GitHubExploit;Mitigation;Patch;Third Party Advisory
Jump to