3 critical vulnerabilities in Argo CD allow complete take over of your applications and servers

Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. It is required because Application definitions, configurations, and environments should be declarative and version controlled. Also it helps when Application deployment and lifecycle management should be automated, auditable, and easy to understand. This Argo Cd security team has published details of 4 vulnerabilities. Following are the details

1) Deserialization of Untrusted Data

CVE-ID: CVE-2022-28948

CVSSv3.1: 7.7 

The vulnerability allows a remote threat actor to perform a denial of service attack. The vulnerability exists due to insecure input validation when processing serialized data in the Unmarshal function. A threat actor could remotely  pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from the github website.

Vulnerable versions of Argo-CD

Argo CD: 2.2.0 – 2.2.11, 2.3.0 – 2.3.6, 2.4.0 – 2.4.7

2) Use-after-free

CVE-ID: CVE-2022-30065

CVSSv3.1: 7.7

The vulnerability allows a remote threat actor to take control of the vulnerable application.The vulnerability exists due to a use-after-free error when processing a crafted awk pattern in the copyvar function. A threat actor to execute arbitrary code remotely on the application server.

Mitigation

Install updates from the github website.

Vulnerable versions of Argo-CD

Argo CD: 2.2.0 – 2.2.11, 2.3.0 – 2.3.6, 2.4.0 – 2.4.7

3) Missing Encryption of Sensitive Data

CVE-ID: CVE-2022-2097

CVSSv3.1: 3.2 

The vulnerability allows a threat actor to steal confidential data remotely. The vulnerability exists due to an error in AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation. Under specific circumstances OpenSSL does not encrypt the entire message and can reveal sixteen bytes of data that was preexisting in the memory that wasn’t written.

Mitigation

Install updates from the github website.

Vulnerable  versions of Argo-CD

Argo CD: 2.2.0 – 2.2.11, 2.3.0 – 2.3.6, 2.4.0 – 2.4.7

4) Type Confusion

CVE-ID: CVE-2021-23820

CVSSv3.1: 8.5 

The vulnerability allows a threat actor to execute arbitrary code remotely on the argo-cd application server. The vulnerability exists due to a type confusion error. A threat actor can remotely pass specially crafted data to the application, trigger a type confusion error and execute arbitrary code on the application server.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from the github website.

Vulnerable versions of Argo-CD

Argo CD: 2.2.0 – 2.2.11