Security Bulletins

Fixes available for vulnerability in VXLAN and IPIP overlay modes

Return to List

Description Severity Notes

Fixes available for vulnerability in VXLAN and IPIP overlay modes

Reference: TTA-2019-002
Date published: 2019-July-1



Clusters using VXLAN or IPIP overlays are vulnerable to malicious cluster users being able to potentially violate network policies or spoof their IP addresses. Upgrade to latest Calico or Tigera Secure releases to close this vulnerability.



Affects clusters that use VXLAN or IPIP overlays, including Calico, Tigera Secure, and Canal (Calico policy on Flannel). Clusters which use neither of these, or use Calico policy in conjunction with a cloud-provider CNI (e.g. aws-vpc-cni) are not affected.

Allows a malicious cluster user with permission to create pods to potentially bypass Egress policies assigned to their pod (workload endpoint), or potentially spoof IP addresses and make it look like sent packets are from some other pod (workload endpoint). This could potentially allow a malicious user to bypass Ingress policy and send unauthorized packets to other pods (workload endpoints) in the cluster.

Furthermore in IPIP mode, the vulnerability might allow an attacker to prevent other workloads in the cluster from communicating, or redirect traffic intended to other workloads to itself.

Affected Releases


  • 3.7.3 and older
  • 3.6.3 and older
  • 3.5.6 and older
  • 3.4.x
  • 3.3.x
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.x
  • 1.x

Calico for Windows

  • 3.7.0

Tigera Secure Enterprise Edition

  • 2.4.1 and older
  • 2.3.2 and older
  • 2.2.x
  • 2.1.x
  • 2.0.x
  • 1.x

Tigera Secure Cloud Edition: not affected

Indicators of Impact/Compromise

In VXLAN mode:
Conntrack entries or flow logs from a pod IP to a node IP on UDP port 4789.

In IPIP mode:
Contrack entries or flow logs from a pod IP to a node IP using protocol 4 (IPIP).

Workaround / Remediation

In order to exploit the vulnerability, a malicious pod must transmit packets to node IP addresses. You can prevent this by using an Egress policy. Do this if you cannot upgrade immediately to a fixed version.

If you are using VXLAN, deny egress to destination UDP port 4789.

If you are using IPIP, deny egress on protocol 4, which is IPIP encapsulation.

Note that if you apply an egress policy to pods, this sets the default action to deny, so be sure to whitelist any legitimate traffic from your applications. In Tigera Secure Enterprise Edition, you can use a high-order tier to deny problematic traffic without affecting the default action in lower-order tiers (e.g. the default tier).

Fixed Software


  • 3.8.0 (Available on July 2, 2019)
  • 3.7.4
  • 3.6.4
  • 3.5.7

Tigera Secure Enterprise Edition

  • 2.4.2
  • 2.3.3

Return to List