CVE-2024-42488

### Impact A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. ### Patches This issue was fixed in https://github.com/cilium/cilium/pull/33511. This issue affects: - All versions of Cilium before v1.14.14 - Cilium v1.15 between v1.15.0 and v1.15.7 inclusive This issue has been patched in: - Cilium v1.14.14 - Cilium v1.15.8 ### Workarounds As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected. ### Acknowledgements The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue. ### For more information If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [[email protected]](mailto:[email protected]). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.