This issue has been reported by the CVE assignee, and has been assigned the following CVE ID: CVE-2018-7511. Argo CD versions 2.4.5, 2.3.6, and 2.2.11 prior to 2.2.11 and 2.3.6 are vulnerable to a remote code execution bug. By sending specially crafted HTTP traffic to an Argo CD instance, a malicious actor could exploit a bug to execute arbitrary code on the host. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external HTTP load balancer (such as Akeneo), can mitigate the issue by setting the `lb.config.enabledDNS` field in the `argocd-cm` ConfigMap. This mitigation only changes the behaviour of the load balancer such that it does not return malicious traffic when it is configured to do so. It does not force load balancers to behave in any particular way, and they can still return malicious traffic when configured to do so.
Summary
Argo CD versions 2.4.5, 2.3.6, and 2.2.11 prior to 2.2.11 and 2.3.6 are vulnerable to a remote code execution bug which can be exploited by sending specially crafted HTTP traffic to an Argo CD instance. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11; however it is only available as part of the Argo installer package and not available as a separate download or via the normal Argo CLI deployment methods.
CVE-2018-7510
This issue has been reported to the CVE assignee, and has been assigned the following CVE ID: CVE-2018-7510. Argo CD versions 2.4.5, 2.3.6, and 2.2.11 prior to 2.2.11 and 2.3.6 are vulnerable to a remote code execution bug in the `argocd-cm` component of Argo CD that may lead to arbitrary code execution on the host running Argo CD if specially crafted HTTP traffic is sent to an Argo CD instance by an attacker who knows the hostname of that instance's load balancer (such as Akeneo). A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11 and there are no complete workarounds available for this issue, but a partial workaround is available for those using an external HTTP load balancer (such as Akeneo). Those who use an external HTTP load balancer (such as Akeneo) can mitigate this issue by setting the `lb.config.enabledDNS` field in the `argocd-cm` ConfigMap from `true` to `false`. This mitigation only changes the behaviour of the load balancer such that it does not return malicious traffic when it is configured to do so; however, it does not enforce load balancers to behave in any particular way or prevent them from returning malicious
Overview of the vulnerability
How to update to Argo CD version 2.4.5
Update Argo CD to 2.4.5 using the following steps:
1) Update `s3c` to version `2.4.5` in your configuration file (`/etc/argocd-cm/s3c.conf`).
2) Stop and start the Argo CD instance.
3) Update the `lb.config.enabledDNS` field in your ConfigMap with a non-malicious DNS server if you are using an external HTTP load balancer, such as Akeneo, to mitigate this vulnerability but also avoid other attack vectors.
Timeline
Published on: 07/12/2022 22:15:00 UTC
Last modified on: 07/20/2022 15:45:00 UTC