Security Bulletins

Calico Enterprise & Calico OS are vulnerable to pod route hijacking

Return to List
Description Severity Notes

Calico Enterprise & Calico OS are vulnerable to pod route hijacking

Reference: TTA-2022-001

Date published: 2022-June-1

Medium N/A



Customers running Calico Enterprise and Calico OS are vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker is able to set a floating IP annotation to a pod even if the feature is not enabled. This allows the attacker to intercept and reroute traffic to their compromised pod.

CVE-2022-28224 has been assigned to this vulnerability.




The validation on using floating IP can be bypassed by annotating the pod directly after pod creation. The routing will be reverted when the annotated pod is destroyed or the annotation is removed. This vulnerability requires the Kubernetes RBAC permission of [“patch”, “pods”] to annotate pods.


Affected Releases

  • Calico Enterprise v3.12 and below
  • Calico OS v3.22 and below


Indicators of Impact/Compromise

Review running pods and identify if floating IP annotations are present.


Workaround / Remediation

Review Kubernetes RBAC and review access to [“patch”, “pods”].


Fixed Software

  • Calico Enterprise
    • V3.13.0 and above
    • v3.12.1
    • v3.11.4
  • Calico OS
    • V3.22.2 and above
    • v3.21.5
    • v.3.20.5



We would like to acknowledge Aloys Augustin from Cisco for reporting this issue.

Return to List