CVE-2024-25630: Unencrypted ingress/health traffic when using Wireguard transparent encryption

February 20, 2024 (updated December 18, 2024)

For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, responses from pods to the Ingress and health endpoints are not encrypted. Traffic from the Ingress and health endpoints to pods is not affected by this issue. The health endpoint is only used for Cilium’s internal health checks.

References

docs.cilium.io/en/stable/security/network/encryption-wireguard/
github.com/advisories/GHSA-7496-fgv9-xw82
github.com/cilium/cilium
github.com/cilium/cilium/releases/tag/v1.14.7
github.com/cilium/cilium/security/advisories/GHSA-7496-fgv9-xw82
nvd.nist.gov/vuln/detail/CVE-2024-25630

Code Behaviors & Features

Detect and mitigate CVE-2024-25630 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →