CVE-2024-42488

low-risk

Published 2024-08-15

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. This issue has been patched in Cilium v1.14.14 and v1.15.8 As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.8/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Cilium

Affected Vendors

Cilium

References (3)

Patch https://github.com/cilium/cilium/commit/aa44dd148a9be95e07782e4f990e61678ef0abf8

Patch https://github.com/cilium/cilium/pull/33511

Patch https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal