hubble-ui-backend-fips
0.13.0-r3
6.1
CVSS V3
Unencrypted traffic between nodes when using WireGuard and L7 policies
In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:
This issue affects:
(routingMode=native):
(routingMode=tunnel):
encryption.wireguard.encapsulate is set to false (default).
This issue has been resolved in:
(routingMode=native):
(routingMode=tunnel):
encryption.wireguard.encapsulate must be set to true.
There is no workaround to this issue.
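A configuration check for the tunnel-mode condition in this advisory, added here as an example; it is not code from the advisory or from the Cilium project. It reads Helm values exported as JSON and cannot tell whether L7 policies are in use or whether the running version is a fixed one. Assumptions not stated on this page: the Helm keys encryption.enabled and encryption.type, and that an empty or missing routingMode means tunnel mode.

```python
import json

# Constructed sample, shaped like Helm values exported as JSON.
SAMPLE_VALUES = json.loads("""
{
  "routingMode": "tunnel",
  "encryption": {"enabled": true, "type": "wireguard",
                 "wireguard": {"encapsulate": false}}
}
""")


def assess(values):
    """Classify Helm values against the advisory's configuration conditions.

    Returns one of:
      "not-applicable"     WireGuard encryption is not enabled
      "needs-encapsulate"  tunnel mode without encryption.wireguard.encapsulate=true
      "version-only"       configuration is fine; exposure depends on the Cilium version
    """
    enc = values.get("encryption") or {}
    # Assumption: WireGuard is selected with encryption.enabled / encryption.type.
    if not (enc.get("enabled") is True and enc.get("type") == "wireguard"):
        return "not-applicable"
    # Assumption: an empty or missing routingMode means tunnel mode.
    mode = values.get("routingMode") or "tunnel"
    if mode == "native":
        return "version-only"
    # The advisory gives false as the default, so a missing key counts as false.
    encapsulate = (enc.get("wireguard") or {}).get("encapsulate", False)
    return "version-only" if encapsulate is True else "needs-encapsulate"


if __name__ == "__main__":
    print(assess(SAMPLE_VALUES))
```

A result of "version-only" means the settings match what the advisory requires, so the remaining question is whether the installed release is one of the fixed versions.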
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @brb, @giorio94, @gandro and @jschwinger233 for their work on triaging and remediating this issue.
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at security@cilium.io. This is a private mailing list to which only members of the Cilium internal security team are subscribed, and your report will be treated as top priority.