{"id":"GHSA-q7w8-72mr-vpgw","summary":"Policy bypass for Host Firewall policy due to race condition in Cilium agent","details":"### Impact\n\nA race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.\n\n### Patches\n\nThis issue was fixed in https://github.com/cilium/cilium/pull/33511.\n\nThis issue affects:\n\n- All versions of Cilium before v1.14.14\n- Cilium v1.15 between v1.15.0 and v1.15.7 inclusive\n\nThis issue has been patched in:\n\n- Cilium v1.14.14\n- Cilium v1.15.8\n\n### Workarounds\n\nAs the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nIf you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.\n","aliases":["BIT-cilium-2024-42488","BIT-cilium-operator-2024-42488","BIT-hubble-relay-2024-42488","CVE-2024-42488","GO-2024-3072"],"modified":"2026-02-04T03:59:51.962698Z","published":"2024-08-15T21:43:38Z","related":["CGA-rf49-j95f-4423"],"database_specific":{"github_reviewed_at":"2024-08-15T21:43:38Z","nvd_published_at":"2024-08-15T21:15:17Z","cwe_ids":["CWE-362"],"github_reviewed":true,"severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42488"},{"type":"WEB","url":"https://github.com/cilium/cilium/pull/33511"},{"type":"WEB","url":"https://github.com/cilium/cilium/commit/7877db09b3f34d3081a1d66459b8fa6603dc3d30"},{"type":"WEB","url":"https://github.com/cilium/cilium/commit/aa44dd148a9be95e07782e4f990e61678ef0abf8"},{"type":"WEB","url":"https://github.com/cilium/cilium/commit/f81a1ee0cfdec928980db8640def984b2eeaa134"},{"type":"PACKAGE","url":"https://github.com/cilium/cilium"}],"affected":[{"package":{"name":"github.com/cilium/cilium","ecosystem":"Go","purl":"pkg:golang/github.com/cilium/cilium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.14.14"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-q7w8-72mr-vpgw/GHSA-q7w8-72mr-vpgw.json"}},{"package":{"name":"github.com/cilium/cilium","ecosystem":"Go","purl":"pkg:golang/github.com/cilium/cilium"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.15.0"},{"fixed":"1.15.8"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-q7w8-72mr-vpgw/GHSA-q7w8-72mr-vpgw.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}