x/vulndb: potential Go vuln in github.com/cilium/cilium: GHSA-c66w-hq56-4q97

[GoVulnBot]

In GitHub Security Advisory GHSA-c66w-hq56-4q97, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/cilium/cilium	1.9.5	>= 1.9.0, <= 1.9.4

See doc/triage.md for instructions on how to triage this report.

package: github.com/cilium/cilium
additional_packages:
  - package: github.com/cilium/cilium
    versions:
      - introduced: TODO (earliest fixed "1.8.8", vuln range ">= 1.8.3, <= 1.8.7")
  - package: github.com/cilium/cilium
    versions:
      - introduced: TODO (earliest fixed "1.7.15", vuln range ">= 1.7.8, <= 1.7.14")
versions:
  - introduced: TODO (earliest fixed "1.9.5", vuln range ">= 1.9.0, <= 1.9.4")
description: "## Impact\n\nUnder certain conditions, ICMP Echo Request sent to a Cilium
    endpoint from an actor may bypass a network policy which _disallows_ access from
    the actor to the endpoint, but _allows_ from the endpoint to the actor. This does
    _NOT_ apply to UDP and TCP traffic.\n\nThe actor is either a pod or a cluster
    host or a remote host.\n\nThe following conditions must be met:\n1. Network policies
    have been created which:\n  a) do not allow access from the actor to the endpoint;\n
    \ b) allow access from the endpoint to the actor and does not specify neither
    protocol nor port. \n2. The endpoint has sent ICMP Echo Request to the actor with
    the ICMP identifier X.\n3. The actor sends ICMP Echo Request to the endpoint with
    the same ICMP identifier X.\n4. The request from the actor (3.) is sent before
    the Cilium's conntrack GC has removed the previously created conntrack entry (2.).\n\n##
    Detailed description\n\nSee https://github.com/cilium/cilium/commit/dfb008a9099c4da1e0fd964c899c43ee13280b0e
    (v1.9.x), https://github.com/cilium/cilium/commit/ff6ebae6efca1bd991302b464dea428512823e79
    (v1.8.x), https://github.com/cilium/cilium/commit/472bbeff75161979c317ab21d563f826291b5f37
    (v1.7.x).\n\n## Example\n\n```\n$ kubectl run server --image=quay.io/cilium/net-test:v1.0.0
    --restart=Never -- sleep 3600\n$ kubectl run client --image=quay.io/cilium/net-test:v1.0.0
    --restart=Never -- sleep 3600\n$ cat <<EOF | kubectl apply -f\napiVersion: networking.k8s.io/v1\nkind:
    NetworkPolicy\nmetadata:\n  name: server-netpol # allow client->server\nspec:\n
    \ podSelector:\n    matchLabels:\n      run: server\n  ingress:\n  - from:\n    -
    podSelector:\n        matchLabels:\n          run: client\n  policyTypes:\n  -
    Ingress\n---\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n
    \ name: client-netpol # deny any->client\nspec:\n  podSelector:\n    matchLabels:\n
    \     run: client\n  policyTypes:\n  - Ingress\nEOF\n\n$ kubectl exec -ti server
    -- xping -c1 -x666 $CLIENT_POD_IP\nPING 10.154.0.50 (10.154.0.50): 56 data bytes\n^C\n---
    10.154.0.50 ping statistics ---\n1 packets transmitted, 0 packets received, 100%
    packet loss   <--- \"client-netpol\" policy denied\ncommand terminated with exit
    code 1\n\n$ kubectl exec -ti client -- xping -c1 -x666 $SERVER_POD_IP\nPING 10.154.1.16
    (10.154.1.16): 56 data bytes\n64 bytes from 10.154.1.16: seq=0 ttl=60 time=0.822
    ms\n\n--- 10.154.1.16 ping statistics ---\n1 packets transmitted, 1 packets received,
    0% packet loss   <--- \"server-netpol\" policy allowed\nround-trip min/avg/max
    = 0.822/0.822/0.822 ms\n\n$ kubectl exec -ti server -- xping -c1 -x666 $CLIENT_POD_IP\nPING
    10.154.0.50 (10.154.0.50): 56 data bytes\n64 bytes from 10.154.0.50: seq=0 ttl=60
    time=0.527 ms\n\n--- 10.154.0.50 ping statistics ---\n1 packets transmitted, 1
    packets received, 0% packet loss   <--- \"client-netpol\" policy bypassed\nround-trip
    min/avg/max = 0.527/0.527/0.527 ms\n```\n\n## For more information\n\nIf you have
    any questions or comments about this advisory:\n\n- Open an issue in [Cilium Issues](https://github.com/cilium/cilium/issues)\n-
    Email us at security@cilium.io"
published: 2021-05-21T14:32:37Z
last_modified: 2021-05-21T14:32:37Z
ghsas:
  - GHSA-c66w-hq56-4q97

[neild]

Vulnerability in tool.

[gopherbot]

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607217 mentions this issue: data/reports: unexclude 20 reports (15)