In April 2023 a vulnerability tracked as CVE-2023-29002 was disclosed in Cilium, the widely adopted cloud native project that provides scalable networking, observability, and security for Kubernetes environments on top of eBPF.

This long read explains how the vulnerability works, who it affects, and how you can protect your cluster — using clear, actionable steps and code snippets.

What Is Cilium?

Cilium provides networking, security, and observability for Kubernetes by replacing traditional Linux iptables with eBPF (extended Berkeley Packet Filter). It’s valued for its speed and deep awareness of Kubernetes APIs.

The Core Problem

When Cilium runs in debug mode it logs detailed data for troubleshooting. With this bug, that output *includes the entire contents* of the Kubernetes Secrets Cilium keeps in the cilium-secrets namespace.

Why is this bad?
The cilium-secrets namespace holds the Secrets Cilium syncs for Ingress and GatewayAPI resources, including *TLS private keys*. Anyone who can read the debug logs can read those keys, and with them can decrypt or impersonate the services behind the affected Ingress or Gateway.

The leak is triggered when a new Ingress or GatewayAPI resource is created while debug mode is enabled, since that is when Cilium copies the referenced TLS Secret into cilium-secrets.

If access to troubleshooting logs is not tightly controlled, every reader of those logs effectively holds a copy of the keys.

A typical Cilium debug log entry, when this bug is triggered, might look something like this (wrapped here for readability; the real entry is a single line):

level=debug msg="Stored secret" secretName=example-tls secretNamespace=cilium-secrets data="{
  \"tls.crt\": \"MIIBIjANBgkqh...skipped...AQAB\",
  \"tls.key\": \"MIIEvAIBADANBgk...skipped...GCSqGSIb3DQEBAQUAA4IB...ENDKEY...\"
}"

*Notice:* *The entire TLS private key is inside tls.key in the log.*
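The following Go program is added here as an example and is not code from Cilium or from the advisory. It shows the detection side of the problem: it scans logrus-style agent log lines for a data= field on a secretNamespace=cilium-secrets entry, decodes the JSON object inside, reports which secret keys were exposed, and produces a redacted copy that is safe to keep or forward. The log lines are constructed to follow the illustrative entry above, one entry per line as real logrus output is; the field names and the "Stored secret" message are taken from that illustration, not from Cilium's source.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding records one log line that carries the contents of a synced secret.
type Finding struct {
	LineNo        int
	SecretName    string
	Namespace     string
	Keys          []string // keys of the leaked data map, sorted
	HasPrivateKey bool     // a key name that conventionally holds a private key
}

// logrus text output is space-separated key=value fields; values that need
// quoting are emitted with %q, so inner quotes appear as \".
var (
	dataField = regexp.MustCompile(`\bdata="((?:[^"\\]|\\.)*)"`)
	nameField = regexp.MustCompile(`\bsecretName=(\S+)`)
	nsField   = regexp.MustCompile(`\bsecretNamespace=(\S+)`)
)

// privateKeyNames are Secret data keys that hold private key material by
// convention (kubernetes.io/tls and kubernetes.io/ssh-auth Secret types).
var privateKeyNames = map[string]bool{"tls.key": true, "ssh-privatekey": true}

// firstGroup returns the first capture group of re in s, or "" if no match.
func firstGroup(re *regexp.Regexp, s string) string {
	if m := re.FindStringSubmatch(s); m != nil {
		return m[1]
	}
	return ""
}

// ScanLogs returns one Finding per line whose secretNamespace matches
// namespace and whose data= field decodes to a JSON object. Lines without a
// data= field (the patched behaviour) produce no finding.
func ScanLogs(text, namespace string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(text, "\n") {
		if firstGroup(nsField, line) != namespace {
			continue
		}
		raw := firstGroup(dataField, line)
		if raw == "" {
			continue
		}
		// Undo the %q escaping, then parse the JSON object inside.
		unquoted, err := strconv.Unquote(`"` + raw + `"`)
		if err != nil {
			continue
		}
		var data map[string]string
		if err := json.Unmarshal([]byte(unquoted), &data); err != nil {
			continue
		}
		f := Finding{LineNo: i + 1, SecretName: firstGroup(nameField, line), Namespace: namespace}
		for k := range data {
			f.Keys = append(f.Keys, k)
			if privateKeyNames[k] {
				f.HasPrivateKey = true
			}
		}
		sort.Strings(f.Keys)
		findings = append(findings, f)
	}
	return findings
}

// Redact replaces every data="..." value so a line can be retained or
// forwarded without the secret contents.
func Redact(text string) string {
	return dataField.ReplaceAllString(text, `data="[REDACTED]"`)
}

// sampleLogs is a constructed sample following the page's illustrative entry;
// the key material is dummy text, not a real certificate or key.
const sampleLogs = `level=info msg="Cilium 1.13.1" subsys=daemon
level=debug msg="Stored secret" secretName=example-tls secretNamespace=cilium-secrets data="{\"tls.crt\": \"MIIBIjANBgkqh...skipped...AQAB\", \"tls.key\": \"MIIEvAIBADANBgk...skipped...ENDKEY\"}"
level=debug msg="Stored secret" secretName=api-token secretNamespace=cilium-secrets data="{\"token\": \"c2VjcmV0\"}"
level=debug msg="Stored secret" secretName=example-tls secretNamespace=cilium-secrets
level=debug msg="Stored secret" secretName=other secretNamespace=default data="{\"tls.key\": \"x\"}"`

func main() {
	for _, f := range ScanLogs(sampleLogs, "cilium-secrets") {
		fmt.Printf("line %d: secret %s/%s leaks keys %v (private key: %v)\n",
			f.LineNo, f.Namespace, f.SecretName, f.Keys, f.HasPrivateKey)
	}
	fmt.Println(Redact(sampleLogs))
}
```

Run over exported agent logs, the scanner flags the second and third sample lines (the first has no secret fields, the fourth has no data= field, the fifth is in another namespace) and marks the example-tls entry as a private key exposure. Redact is the form to apply before logs leave the cluster; the original lines should still be deleted from the backend once the incident is understood.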

How Could an Attacker Exploit This?

- Step 1: The attacker gains read access to Cilium debug logs (through a log aggregation backend, file access on the node, or overly broad permissions on the pods/log subresource).

- Step 2: The attacker extracts the tls.key value from the logged data field of the secret entry and decodes it into the PEM private key.

- Step 3: The attacker uses the key to impersonate the service behind the Ingress or Gateway, or to decrypt captured traffic. Decrypting recorded traffic only works where the cipher suite lacks forward secrecy; with TLS 1.3 and ECDHE suites the practical threat is impersonation and active interception.

*Even if debug logs are “secured”, consider scenarios like temporary log streaming for customer support, developer troubleshooting, or misconfigured log volume mounts.*

The Fix

The fix shipped in Cilium 1.13.2; upgrade to that release or later. Only clusters running in debug mode with Ingress or GatewayAPI resources are exposed, but the upgrade is the only change that removes the secret contents from the log output. See the references at the end for the advisory and CVE record.

Can’t Upgrade Yet? Here’s What To Do

If your cluster upgrade is delayed:

- Disable debug mode immediately (the Helm value is debug.enabled); this is the workaround given in the advisory.

- Audit access to your logging backend: who can query the aggregated logs, and which retained entries already contain the secret fields.

- Review RBAC permissions for “get” on the “pods/log” subresource (note: “pods/log”, not “pods/logs”), both cluster-wide and in the namespace where the Cilium agent runs (kube-system by default).

- If debug mode was on while Ingress or GatewayAPI resources were created, treat the referenced TLS private keys as exposed and rotate them.
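As an added example (not Cilium code or anything from the advisory), the program below performs the RBAC review above: given ClusterRoles and ClusterRoleBindings, it lists every subject that can get pods/log cluster-wide. The matching follows the Kubernetes RBAC authorizer, where a subresource request is granted by "*", the exact "pods/log", or "*/log", and not by plain "pods" or by "pods/*". The objects are constructed inline in place of real kubectl get clusterroles,clusterrolebindings -o json output; the role and binding names are made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule holds the rbac.authorization.k8s.io/v1 fields that decide a
// "get pods/log" request. "*" is a wildcard, a subresource is written
// "<resource>/<subresource>", and the core API group is the empty string.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

type ClusterRole struct {
	Name  string
	Rules []PolicyRule
}

type ClusterRoleBinding struct {
	Name     string
	RoleRef  string   // ClusterRole name
	Subjects []string // "Kind:name", e.g. "Group:system:masters"
}

// matchAny reports whether list contains want or the "*" wildcard.
func matchAny(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// resourceMatches mirrors the API server's RBAC matching for subresources:
// "pods/log" is granted by "*", the exact "pods/log", or "*/log".
// Plain "pods" and "pods/*" do not grant it.
func resourceMatches(resources []string, resource, subresource string) bool {
	full := resource + "/" + subresource
	for _, r := range resources {
		if r == "*" || r == full {
			return true
		}
		if strings.HasPrefix(r, "*/") && strings.TrimPrefix(r, "*/") == subresource {
			return true
		}
	}
	return false
}

// RuleAllowsPodLogs reports whether one rule grants get on core-group pods/log.
func RuleAllowsPodLogs(r PolicyRule) bool {
	return matchAny(r.APIGroups, "") &&
		resourceMatches(r.Resources, "pods", "log") &&
		matchAny(r.Verbs, "get")
}

// WhoCanReadPodLogs lists subjects bound cluster-wide to a ClusterRole that
// grants get on pods/log, in binding order.
func WhoCanReadPodLogs(roles []ClusterRole, bindings []ClusterRoleBinding) []string {
	granting := map[string]bool{}
	for _, role := range roles {
		for _, rule := range role.Rules {
			if RuleAllowsPodLogs(rule) {
				granting[role.Name] = true
				break
			}
		}
	}
	var out []string
	for _, b := range bindings {
		if !granting[b.RoleRef] {
			continue
		}
		for _, s := range b.Subjects {
			out = append(out, fmt.Sprintf("%s via %s -> %s", s, b.Name, b.RoleRef))
		}
	}
	return out
}

// SampleRoles and SampleBindings are constructed objects standing in for
// `kubectl get clusterroles,clusterrolebindings -o json` output.
func SampleRoles() []ClusterRole {
	return []ClusterRole{
		{Name: "cluster-admin", Rules: []PolicyRule{{[]string{"*"}, []string{"*"}, []string{"*"}}}},
		{Name: "log-reader", Rules: []PolicyRule{{[]string{""}, []string{"pods/log"}, []string{"get"}}}},
		{Name: "pod-viewer", Rules: []PolicyRule{{[]string{""}, []string{"pods"}, []string{"get", "list"}}}},
		{Name: "all-logs", Rules: []PolicyRule{{[]string{"*"}, []string{"*/log"}, []string{"get"}}}},
	}
}

func SampleBindings() []ClusterRoleBinding {
	return []ClusterRoleBinding{
		{Name: "cluster-admin", RoleRef: "cluster-admin", Subjects: []string{"Group:system:masters"}},
		{Name: "fluent-bit", RoleRef: "log-reader", Subjects: []string{"ServiceAccount:logging:fluent-bit"}},
		{Name: "developers", RoleRef: "pod-viewer", Subjects: []string{"Group:developers"}},
		{Name: "support", RoleRef: "all-logs", Subjects: []string{"User:support@example.com"}},
	}
}

func main() {
	for _, s := range WhoCanReadPodLogs(SampleRoles(), SampleBindings()) {
		fmt.Println(s)
	}
}
```

On the sample data the developers group is correctly left out: "get pods" lets them see pod objects but not the log subresource. Namespaced Roles bound in the namespace where the Cilium agent runs (kube-system by default) grant the same access to those pods' logs, so run the same check over RoleBindings there as well.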

Conclusion

CVE-2023-29002 is a clear demonstration of how verbose logging can become a data breach vector — especially in security-focused, cloud-native software like Cilium. Make sure you’re running a patched release, avoid enabling debug logging in production, and treat access to log data as sensitive, just like your secrets.

References

- Official Advisory: github.com/cilium/cilium/security/advisories/GHSA-frxw-4fpq-mqp6
- CVE record: nvd.nist.gov/vuln/detail/CVE-2023-29002
- Cilium project: cilium.io


> Stay secure. Keep eBPF-powered networking locked down — and double-check what your logs really expose.

Timeline

Published on: 04/18/2023 22:15:00 UTC
Last modified on: 05/04/2023 13:01:00 UTC