CVE-2023-40029: Argo CD Cluster Secrets Exposure Vulnerability and Patch

Argo CD is a popular open-source tool for declarative continuous deployment in Kubernetes environments. It helps DevOps teams automate application deployments by tracking changes in Git repositories and applying the desired state to the Kubernetes clusters. However, a recent vulnerability (CVE-2023-40029) has been discovered that could lead to exposure of sensitive information in Argo CD cluster secrets.

Vulnerability Details

The vulnerability lies in how cluster secrets are managed declaratively, whether through Argo CD itself or with kubectl apply: the full secret body gets stored in the kubectl.kubernetes.io/last-applied-configuration annotation. Pull request #7139 introduced a feature to manage cluster labels and annotations, and because clusters are stored as secrets, that feature exposes the kubectl.kubernetes.io/last-applied-configuration annotation, which contains the full secret body.

To view these cluster annotations via the Argo CD API, a user must hold the clusters, get RBAC permission. Cluster secrets often do not contain sensitive information; however, where bearer-token authentication is used, the contents can be highly sensitive and should not be exposed.

Affected Versions and Patch

Argo CD developers have been quick to address this vulnerability and have released patches for versions 2.8.3, 2.7.14, and 2.6.15. Users are strongly advised to upgrade their installations to these patched versions.

For those who cannot upgrade immediately, there is a workaround. Update or deploy cluster secrets using the server-side-apply flag: server-side apply does not rely on or write the kubectl.kubernetes.io/last-applied-configuration annotation. Note, however, that this workaround requires manually removing the annotation from existing secrets.

1. Using Helm:

helm repo update
helm upgrade argo-cd argo/argo-cd --version

2. Using kubectl:

kubectl apply -n-f https://raw.githubusercontent.com/argoproj/argo-cd//manifests/install.yaml

3. Manually remove the kubectl.kubernetes.io/last-applied-configuration annotation from existing secrets:
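The workaround leaves the operator to work out which existing cluster secrets still carry the annotation. The audit script below is an added example, not part of this advisory or of the Argo CD project. It takes the JSON that a kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=cluster -o json call would return (here a constructed sample built inline so it runs offline), flags cluster secrets whose last-applied annotation still embeds the cluster config, lists which credential fields (bearerToken, password, tlsClientConfig.keyData) that config carries, and prints the kubectl commands to strip the annotation and re-apply the manifest with server-side apply. The function and sample names are assumptions; kubectl annotate ... <key>- (trailing dash removes the annotation) and kubectl apply --server-side are real kubectl syntax, and the manifest path <name>.yaml is an assumed convention.

```python
"""Audit Argo CD cluster secrets for the CVE-2023-40029 exposure pattern.

Added example, not code from the advisory or the Argo CD project. Input is a
v1/SecretList as returned by
  kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=cluster -o json
The sample list at the bottom is constructed inline so the script runs offline.
"""
import base64
import json
from typing import List, Optional

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
SECRET_TYPE_LABEL = "argocd.argoproj.io/secret-type"


def _config_from_body(body: dict) -> Optional[dict]:
    """Parse the `config` field of an applied cluster-secret manifest.
    Client-side `kubectl apply` records the manifest as written, so the
    annotation may hold plaintext stringData or base64 data."""
    raw = body.get("stringData", {}).get("config")
    if raw is None:
        enc = body.get("data", {}).get("config")
        if enc is None:
            return None
        raw = base64.b64decode(enc).decode()
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def _credential_fields(config: dict) -> List[str]:
    """Names of the credential-bearing fields present in a cluster config."""
    found = [k for k in ("bearerToken", "password") if config.get(k)]
    if config.get("tlsClientConfig", {}).get("keyData"):
        found.append("tlsClientConfig.keyData")
    return found


def audit_cluster_secrets(secret_list: dict) -> List[dict]:
    """One finding per cluster secret whose last-applied annotation still
    embeds the cluster config. Such secrets need the manual annotation
    removal from the workaround: anyone with `clusters, get` RBAC in
    Argo CD can read that annotation through the API."""
    findings = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        if meta.get("labels", {}).get(SECRET_TYPE_LABEL) != "cluster":
            continue
        annotation = meta.get("annotations", {}).get(LAST_APPLIED)
        if not annotation:
            continue  # applied server-side, or already cleaned up
        try:
            body = json.loads(annotation)
        except json.JSONDecodeError:
            continue
        config = _config_from_body(body)
        if config is None:
            continue  # annotation present but carries no cluster config
        findings.append({"namespace": meta.get("namespace", "default"),
                         "name": meta["name"],
                         "credentials": _credential_fields(config)})
    return findings


def remediation_commands(finding: dict) -> List[str]:
    """kubectl commands to strip the annotation from the live secret and to
    re-apply its manifest (assumed to live at <name>.yaml) with server-side
    apply, which never writes last-applied-configuration."""
    ns, name = finding["namespace"], finding["name"]
    return [f"kubectl -n {ns} annotate secret {name} {LAST_APPLIED}-",
            f"kubectl -n {ns} apply --server-side -f {name}.yaml"]


def _sample_secret(name, config, client_side_apply=True,
                   manifest_uses_data=False, secret_type="cluster"):
    """Constructed sample secret in the shape the API server returns."""
    cfg = json.dumps(config)
    b64 = base64.b64encode(cfg.encode()).decode()
    manifest = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                "metadata": {"name": name, "namespace": "argocd",
                             "labels": {SECRET_TYPE_LABEL: secret_type}}}
    manifest["data" if manifest_uses_data else "stringData"] = {
        "config": b64 if manifest_uses_data else cfg}
    live = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": dict(manifest["metadata"]), "data": {"config": b64}}
    if client_side_apply:  # the whole manifest lands in the annotation
        live["metadata"]["annotations"] = {LAST_APPLIED: json.dumps(manifest)}
    return live


# Constructed sample: two leaking secrets, one applied server-side, one non-cluster.
SAMPLE_SECRET_LIST = {"apiVersion": "v1", "kind": "SecretList", "items": [
    _sample_secret("cluster-prod-bearer",
                   {"bearerToken": "CONSTRUCTED-TOKEN",
                    "tlsClientConfig": {"insecure": False}}),
    _sample_secret("cluster-dev-ca-only",
                   {"tlsClientConfig": {"caData": "Q09OU1RSVUNURUQ="}},
                   manifest_uses_data=True),
    _sample_secret("cluster-staging-ssa", {"bearerToken": "CONSTRUCTED-TOKEN-2"},
                   client_side_apply=False),
    _sample_secret("repo-creds", {"password": "CONSTRUCTED"},
                   secret_type="repository"),
]}

if __name__ == "__main__":
    for f in audit_cluster_secrets(SAMPLE_SECRET_LIST):
        print(f"{f['namespace']}/{f['name']}: annotation embeds cluster config,"
              f" credentials={f['credentials']}")
        for cmd in remediation_commands(f):
            print("  ", cmd)
```

Run it against real output by loading the kubectl JSON instead of SAMPLE_SECRET_LIST; a secret that shows up with an empty credentials list still leaks its config and still needs the annotation removed, it just exposes no token or key.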

For more information on this vulnerability, refer to the Argo CD GitHub Issue and the Argo CD Pull Request #7139.

Conclusion

Keeping your Argo CD installation up to date is crucial to ensure the security of your continuous deployment environment. Make sure to apply the patch for CVE-2023-40029 to protect your cluster secrets from unauthorized access. Stay vigilant and follow best practices for securing your Kubernetes infrastructure.

Timeline

Published on: 09/07/2023 23:15:00 UTC
Last modified on: 09/13/2023 14:49:00 UTC