Cilium
v1.17.14Networking & MessagingCilium v1.17.14 patches a security issue with Envoy's admin socket permissions and two L7 load balancer policy bypass bugs — upgrade if you use L7 LB or Envoy.
securityPatch the world-accessible Envoy admin socket immediately
The Envoy admin socket was being created with world-accessible permissions, meaning any process on the node could potentially interact with it. This is a local privilege escalation risk in multi-tenant or shared node environments. Upgrade to v1.17.14 now — there's no workaround short of restricting filesystem access externally. Check if your nodes have been running older versions and audit whether the socket was exploitable in your threat model.
securityL7 LB was allowing ingress policy bypass for local backends — fix before trusting policy enforcement
Ingress policies were not being enforced for local backends when L7 load balancing was active. If you rely on network policy to restrict east-west traffic through L7 LB, your policies may not have been effective. After upgrading, verify your ingress policies are behaving as expected, particularly for services with local endpoint backends.
enhancementBPF filesystem now included in bugtool — use it for faster incident diagnosis
The bugtool now captures 'find /sys/fs/bpf' output, which is often the first thing you need when diagnosing BPF map or program issues. No action required, but update your runbooks to note that bugtool output from v1.17.14+ will include this data by default, saving manual SSH steps during incidents.
Key changes (5)
- Envoy admin socket was created world-accessible (0777); now fixed to restrict permissions
- L7 LB on bridge devices now uses hairpin redirect correctly, fixing connectivity issues
- Ingress policies could be bypassed for local backends via L7 LB — patched
- Base images updated to v1.25.8, cilium-envoy updated to v1.35.9 with multiple patch builds
- BPF filesystem paths (/sys/fs/bpf) now included in bugtool output for easier debugging