Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-4hc4-pgfx-3mrx #1642

Closed
GoVulnBot opened this issue Mar 17, 2023 · 0 comments
Assignees
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-4hc4-pgfx-3mrx, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/cilium/cilium 1.13.1 >= 1.13.0, < 1.13.1

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/cilium/cilium
    versions:
      - introduced: 1.13.0
        fixed: 1.13.1
    packages:
      - package: github.com/cilium/cilium
  - module: github.com/cilium/cilium
    versions:
      - introduced: 1.12.0
        fixed: 1.12.8
    packages:
      - package: github.com/cilium/cilium
  - module: github.com/cilium/cilium
    versions:
      - fixed: 1.11.15
    packages:
      - package: github.com/cilium/cilium
summary: cilium-agent container can access the host via `hostPath` mount
description: "### Impact\n\nAn attacker with access to a Cilium agent pod can write
    to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod.
    By replacing the CNI binary with their own malicious binary and waiting for the
    creation of a new pod on the node, the attacker can gain access to the underlying
    node. \n\n### Patches\n\nThe issue has been fixed and is available on versions
    >=1.11.15, >=1.12.8, >=1.13.1.\n\n### Workarounds\n\n[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
    should be used to deny users and service accounts `exec` access to Cilium agent
    pods.\n\nIn cases where a user requires `exec` access to Cilium agent pods, but
    should not have access to the underlying node, no workaround is possible.\n\n###
    References\n\n* [PR containing resolution](https://github.com/cilium/cilium/pull/24075)\n\n###
    Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent
    and Form3 to prepare these mitigations. Special thanks to Anastasios Koutlis,
    Daniel Teixeira, and Magdalena Oczadly for their cooperation. \n\n### For more
    information\n\nIf you have any questions or comments about this advisory, please
    reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nAs
    usual, if you think you found a related vulnerability, we strongly encourage you
    to report security vulnerabilities to our private security mailing list: security@cilium.io
    - first, before disclosing them in any public forums. This is a private mailing
    list where only members of the Cilium internal security team are subscribed to,
    and is treated as top priority. "
cves:
  - CVE-2023-27593
ghsas:
  - GHSA-4hc4-pgfx-3mrx
references:
  - advisory: https://github.com/cilium/cilium/security/advisories/GHSA-4hc4-pgfx-3mrx
  - fix: https://github.com/cilium/cilium/pull/24075
  - advisory: https://github.com/advisories/GHSA-4hc4-pgfx-3mrx

@jba jba self-assigned this Mar 21, 2023
@jba jba added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Mar 21, 2023
@jba jba closed this as completed Mar 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Development

No branches or pull requests

2 participants