7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29179

GHSA ID

GHSA-fmrf-gvjp-5j5g

EPSS Score

0.43947%

CWE

CWE-269

Published

5/24/2022

Updated

1/30/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29179

CVE-2022-29179: Improper Privilege Management in Cilium

Impact

If an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can leverage Cilium's Kubernetes service account to gain access to cluster privileges that are more permissive than what is minimally required to operate Cilium. In affected releases, this service account had access to modify and delete Pod and Node resources.

Patches

The problem has been fixed and is available on versions >=1.9.16, >=1.10.11, >=1.11.5

Workarounds

There are no workarounds available.

Acknowledgements

The Cilium community has worked together with members of Isovalent, Amazon and Palo Alto Networks to prepare these mitigations. Special thanks to Micah Hausler (AWS), Robert Clark (AWS), Yuval Avrahami (Palo Alto Networks), and Shaul Ben Hai (Palo Alto Networks) for their cooperation.

For more information

If you have any questions or comments about this advisory:

Email us at security@cilium.io

(GitHub Advisory)

7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29179

GHSA ID

GHSA-fmrf-gvjp-5j5g

EPSS Score

0.43947%

CWE

CWE-269

Published

5/24/2022

Updated

1/30/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cilium/cilium	go	>= 1.11.0, < 1.11.5	1.11.5
github.com/cilium/cilium	go	>= 1.10.0, < 1.10.11	1.10.11
github.com/cilium/cilium	go	< 1.9.16	1.9.16

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from excessive Kubernetes RBAC permissions in ClusterRole definitions, not from specific code functions. The patches show YAML manifest changes removing 'nodes' and 'pods' write permissions from Cilium's ClusterRoles. While the vulnerability could be exploited through Kubernetes API calls to modify Pod/Node resources, there are no Go source code changes in the provided patches that would indicate specific vulnerable functions in the Cilium codebase. The security fix was purely configuration-level (RBAC rules), not code logic changes. Runtime detection would focus on Kubernetes API audit logs rather than application-level function profiling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* *n *tt**k*r is **l* to p*r*orm * *ont*in*r *s**p* o* * *ont*in*r runnin* *s root on * *ost w**r* *ilium is inst*ll**, t** *tt**k*r **n l*v*r*** *ilium's Ku**rn*t*s s*rvi** ***ount to **in ****ss to *lust*r privil***s t**t *r* mor* p*rm

Reasoning

T** vuln*r**ility st*ms *rom *x**ssiv* Ku**rn*t*s R*** p*rmissions in *lust*rRol* ***initions, not *rom sp**i*i* *o** *un*tions. T** p*t***s s*ow Y*ML m*ni**st ***n**s r*movin* 'no**s' *n* 'po*s' writ* p*rmissions *rom *ilium's *lust*rRol*s. W*il* t*

7.6

Basic Information

Concerned about an active attack path?

CVE-2022-29179: Improper Privilege Management in Cilium

Impact

Patches

Workarounds

Acknowledgements

For more information

7.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI