GHSA-q7w8-72mr-vpgw

GitHub Security Advisory

Policy bypass for Host Firewall policy due to race condition in Cilium agent

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact

A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.

### Patches

This issue was fixed in https://github.com/cilium/cilium/pull/33511.

This issue affects:

- All versions of Cilium before v1.14.14
- Cilium v1.15 between v1.15.0 and v1.15.7 inclusive

This issue has been patched in:

- Cilium v1.14.14
- Cilium v1.15.8

### Workarounds

As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.
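One way to check for the condition described under Impact before and after a restart, as an added example that is not part of the advisory or of Cilium's own code: compare the labels a policy's node selector relies on with the labels the agent reports for the host endpoint. The selector, node names and label values are constructed, and the agent labels are assumed to be supplied as Cilium's `source:key[=value]` strings.

```go
package main

import (
	"fmt"
	"sort"
)

// MissingOnAgent returns the selector labels that the Kubernetes Node object
// carries but the agent's host endpoint does not. A non-empty result means a
// policy selecting on those labels is not being applied to this node.
// agentLabels is assumed to be in Cilium's "source:key[=value]" string form.
func MissingOnAgent(selector, nodeLabels map[string]string, agentLabels []string) []string {
	seen := make(map[string]bool, len(agentLabels))
	for _, l := range agentLabels {
		seen[l] = true
	}
	var missing []string
	for k, want := range selector {
		if got, ok := nodeLabels[k]; !ok || got != want {
			return nil // node is not selected by the policy; nothing to enforce
		}
		lbl := k
		if want != "" { // labels with an empty value are rendered without "="
			lbl += "=" + want
		}
		if !seen["k8s:"+lbl] {
			missing = append(missing, lbl)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample: matchLabels of a hypothetical policy's node selector.
	selector := map[string]string{"node-role.example/edge": "true"}
	nodes := map[string]map[string]string{ // labels on the Kubernetes Node objects
		"node-a": {"node-role.example/edge": "true"},
		"node-b": {"node-role.example/edge": "true"},
	}
	agent := map[string][]string{ // labels each agent reports for its host endpoint
		"node-a": {"reserved:host", "k8s:node-role.example/edge=true"},
		"node-b": {"reserved:host"}, // label ignored by the agent
	}
	for _, n := range []string{"node-a", "node-b"} {
		fmt.Printf("%s: labels missing on agent: %v\n", n, MissingOnAgent(selector, nodes[n], agent[n]))
	}
}
```

A node that reports missing labels is a candidate for the agent restart described above; repeat the comparison after the restart.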

### Acknowledgements

The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [[email protected]](mailto:[email protected]). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Affected Packages

- Go github.com/cilium/cilium, affected versions: 0 (fixed in 1.14.14)
- Go github.com/cilium/cilium, affected versions: 1.15.0 (fixed in 1.15.8)

Key Information

- GHSA ID: GHSA-q7w8-72mr-vpgw
- Published: August 15, 2024 9:43 PM
- Last Modified: August 15, 2024 9:45 PM
- CVSS Score: 5.0/10
- Primary Ecosystem: Go
- Primary Package: github.com/cilium/cilium
- GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.