Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. It is required because Application definitions, configurations, and environments should be declarative and version controlled. Also it helps when Application deployment and lifecycle management should be automated, auditable, and easy to understand. This Argo Cd security team has published details of 4 vulnerabilities. Following are the details
1) Deserialization of Untrusted Data
CVE-ID: CVE-2022-28948
CVSSv3.1: 7.7
The vulnerability allows a remote threat actor to perform a denial of service attack. The vulnerability exists due to insecure input validation when processing serialized data in the Unmarshal function. A threat actor could remotely pass specially crafted data to the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from the github website.
Vulnerable versions of Argo-CD
Argo CD: 2.2.0 – 2.2.11, 2.3.0 – 2.3.6, 2.4.0 – 2.4.7
2) Use-after-free
CVE-ID: CVE-2022-30065
CVSSv3.1: 7.7
The vulnerability allows a remote threat actor to take control of the vulnerable application.The vulnerability exists due to a use-after-free error when processing a crafted awk pattern in the copyvar function. A threat actor to execute arbitrary code remotely on the application server.
Mitigation
Install updates from the github website.
Vulnerable versions of Argo-CD
Argo CD: 2.2.0 – 2.2.11, 2.3.0 – 2.3.6, 2.4.0 – 2.4.7
3) Missing Encryption of Sensitive Data
CVE-ID: CVE-2022-2097
CVSSv3.1: 3.2
The vulnerability allows a threat actor to steal confidential data remotely. The vulnerability exists due to an error in AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation. Under specific circumstances OpenSSL does not encrypt the entire message and can reveal sixteen bytes of data that was preexisting in the memory that wasn’t written.
Mitigation
Install updates from the github website.
Vulnerable versions of Argo-CD
Argo CD: 2.2.0 – 2.2.11, 2.3.0 – 2.3.6, 2.4.0 – 2.4.7
4) Type Confusion
CVE-ID: CVE-2021-23820
CVSSv3.1: 8.5
The vulnerability allows a threat actor to execute arbitrary code remotely on the argo-cd application server. The vulnerability exists due to a type confusion error. A threat actor can remotely pass specially crafted data to the application, trigger a type confusion error and execute arbitrary code on the application server.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Mitigation
Install updates from the github website.
Vulnerable versions of Argo-CD
Argo CD: 2.2.0 – 2.2.11
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.