{ "schema_version": "1.4.0", "id": "GHSA-24qp-4xx8-3jvj", "modified": "2025-03-24T21:47:14Z", "published": "2025-03-24T19:05:04Z", "aliases": [ "CVE-2025-30162" ], "summary": "Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers", "details": "### Impact\n\nFor Cilium users who:\n- Use Gateway API for Ingress for some services **AND**\n- Use [LB-IPAM](https://docs.cilium.io/en/stable/network/lb-ipam/) or BGP for LB Service implementation **AND**\n- Use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces\n\nEgress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed.\n\nLoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue.\n\n### Patches\n\nThis issue was fixed by https://github.com/cilium/proxy/pull/1172.\n\nThis issue affects:\n\n- Cilium v1.15 between v1.15.0 and v1.15.14 inclusive\n- Cilium v1.16 between v1.16.0 and v1.16.7 inclusive\n- Cilium v1.17 between v1.17.0 and v1.17.1 inclusive\n\nThis issue is fixed in:\n\n- Cilium v1.15.15\n- Cilium v1.16.8\n- Cilium v1.17.2\n\n### Workarounds\n\nA Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade. An outline of such a policy is provided below:\n\n```\napiVersion: \"cilium.io/v2\"\nkind: CiliumClusterwideNetworkPolicy\nmetadata:\n name: \"workaround\"\nspec:\n endpointSelector:\n matchExpressions:\n - key: reserved:ingress\n operator: Exists\n ingress:\n - fromEntities:\n - world\n```\n\n- The policy opens up connectivity from all locations outside the cluster into the Cilium Ingress Gateway.\n- The policy establishes a default deny for all other traffic towards the Cilium Ingress Gateway, including all in-cluster sources.\n- It is possible to tailor the policy to more narrowly allow inbound traffic while creating a default deny posture for traffic between namespaces. Users should edit the policy to bring it in line with the security requirements particular to their environments.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of the Isovalent team to prepare these mitigations. Special thanks to @jrajahalme for the fix.\n\n### For more information\n\nIf you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/cilium/cilium" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.16.0" }, { "fixed": "1.16.8" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/cilium/cilium" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.17.0" }, { "fixed": "1.17.2" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/cilium/cilium" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.15.0" }, { "fixed": "1.15.15" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30162" }, { "type": "WEB", "url": "https://github.com/cilium/proxy/pull/1172" }, { "type": "WEB", "url": "https://docs.cilium.io/en/stable/network/lb-ipam" }, { "type": "PACKAGE", "url": "https://github.com/cilium/cilium" } ], "database_specific": { "cwe_ids": [ "CWE-863" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-03-24T19:05:04Z", "nvd_published_at": "2025-03-24T19:15:52Z" } }