CVE-2024-47825

### Impact A policy rule denying a prefix that is broader than /32 may be ignored if there is - A policy rule referencing a more narrow prefix (`CIDRSet` or `toFQDN`) **and** - This narrower policy rule specifies either `enableDefaultDeny: false` or `- toEntities: all` Note that a rule specifying `toEntities: world` or `toEntities: 0.0.0.0/0` is insufficient, it must be to entity `all`. As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied: ``` apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy metadata: name: block-scary-range spec: endpointSelector: {} egressDeny: - toCIDRSet: - cidr: 1.0.0.0/8 --- apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: evade-deny spec: endpointSelector: {} egress: - toCIDR: - 1.1.1.2/32 - toEntities: - all ``` ### Patches This issue affects: - Cilium v1.14 between v1.14.0 and v1.14.15 inclusive - Cilium v1.15 between v1.15.0 and v1.15.9 inclusive This issue has been patched in: - Cilium v1.14.16 - Cilium v1.15.10 ### Workarounds Users with policies using `enableDefaultDeny: false` can work around this issue by removing this configuration option and explicitly defining any allow rules required. No workaround is available to users with egress policies that explicitly specify `toEntities: all`. ### Acknowledgements The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @squeed, @christarazi, and @jrajahalme for their work in triaging and resolving this issue. ### For more information If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack). If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [[email protected]](mailto:[email protected]). This is a private mailing list for the Cilium security team, and your report will be treated with top priority.