Bug 2233203 (CVE-2023-40029)

Summary: CVE-2023-40029 ArgoCD: secrets can be leaked through kubectl.kubernetes.io/last-applied-configuration
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: aveerama, ellin, security-response-team, shbose, ubhargav
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ArgoCD 2.8.1, ArgoCD 2.7.12, ArgoCD 2.6.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ArgoCD package, used by Red Hat GitOps. Argo CD cluster secrets can be managed declaratively with `kubectl apply`, which stores the full secret body in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Since ArgoCD includes the ability to manage cluster labels and annotations via its API, an attacker can retrieve sensitive authentication information by leveraging this capability, imposing a high impact on data confidentiality and integrity for the targeted ArgoCD cluster. To perform a successful attack, the malicious actor must have `clusters, get` RBAC access granted to their user.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2233201

Description Marco Benatto 2023-08-21 17:09:18 UTC
Argo CD Cluster secrets might be managed declaratively using Argo CD/kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. https://github.com/argoproj/argo-cd/pull/7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets, it also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation, which includes the full secret body. In order to view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access.

*Note*: In many cases, cluster secrets do *not* contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive.
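
The exposure path described in this report, as an added example that is not part of the bug report or of the Argo CD project's code: a Python audit script that models what client-side `kubectl apply` does to a cluster Secret, checks whether the `kubectl.kubernetes.io/last-applied-configuration` annotation still carries the secret body (including a recoverable bearer token), and strips the annotation as a mitigation. The sample Secret, its bearer token and its server URL are constructed; the `argocd.argoproj.io/secret-type=cluster` label and the base64-encoded `config` field are the Argo CD conventions for declarative cluster secrets and are assumptions not taken from this page.

```python
import base64
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
# Assumption: Argo CD marks declarative cluster secrets with this label/value.
CLUSTER_SECRET_LABEL = "argocd.argoproj.io/secret-type"
SECRET_BODY_FIELDS = ("data", "stringData")


def constructed_cluster_secret():
    """Constructed sample: an Argo CD cluster Secret using bearer-token auth.
    The token and server are placeholders, not real credentials."""
    config = {
        "bearerToken": "CONSTRUCTED-TOKEN-not-a-real-credential",
        "tlsClientConfig": {"insecure": False},
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": "prod-cluster",
            "namespace": "argocd",
            "labels": {CLUSTER_SECRET_LABEL: "cluster"},
        },
        "type": "Opaque",
        "data": {
            "name": base64.b64encode(b"prod").decode(),
            "server": base64.b64encode(b"https://prod.example.invalid:6443").decode(),
            "config": base64.b64encode(json.dumps(config).encode()).decode(),
        },
    }


def simulate_kubectl_apply(manifest):
    """Model client-side `kubectl apply`: the stored object carries a serialized
    copy of the applied manifest, data included, in the last-applied annotation."""
    stored = copy.deepcopy(manifest)
    annotations = stored.setdefault("metadata", {}).setdefault("annotations", {})
    annotations[LAST_APPLIED] = json.dumps(manifest, separators=(",", ":"))
    return stored


def is_cluster_secret(secret):
    labels = secret.get("metadata", {}).get("labels") or {}
    return secret.get("kind") == "Secret" and labels.get(CLUSTER_SECRET_LABEL) == "cluster"


def leaked_fields(secret):
    """Names of secret-body fields that can be read back from the annotation."""
    annotations = secret.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(LAST_APPLIED)
    if not raw:
        return []
    try:
        last_applied = json.loads(raw)
    except json.JSONDecodeError:
        # Unparseable annotation text still exposes whatever it contains:
        # fall back to a conservative substring check.
        return [f for f in SECRET_BODY_FIELDS if f'"{f}"' in raw]
    return [f for f in SECRET_BODY_FIELDS if last_applied.get(f)]


def bearer_token_in_annotation(secret):
    """True if a bearer token is recoverable from the annotation alone."""
    raw = (secret.get("metadata", {}).get("annotations") or {}).get(LAST_APPLIED, "")
    if not raw:
        return False
    try:
        config_b64 = json.loads(raw).get("data", {}).get("config")
        config = json.loads(base64.b64decode(config_b64)) if config_b64 else {}
    except (ValueError, TypeError):
        return False
    return bool(config.get("bearerToken"))


def scrub_last_applied(secret):
    """Copy of the secret without the annotation; the same effect as
    `kubectl annotate secret <name> kubectl.kubernetes.io/last-applied-configuration-`."""
    cleaned = copy.deepcopy(secret)
    (cleaned.get("metadata", {}).get("annotations") or {}).pop(LAST_APPLIED, None)
    return cleaned


def audit_cluster_secrets(secret_list):
    """Walk a `kubectl get secrets -o json` style List and report cluster
    secrets whose annotation still carries a secret body: {name: [fields]}."""
    findings = {}
    for item in secret_list.get("items", []):
        if is_cluster_secret(item):
            fields = leaked_fields(item)
            if fields:
                findings[item["metadata"]["name"]] = fields
    return findings


if __name__ == "__main__":
    stored = simulate_kubectl_apply(constructed_cluster_secret())
    print("leaked fields:", leaked_fields(stored))
    print("bearer token recoverable:", bearer_token_in_annotation(stored))
    print("after scrub:", leaked_fields(scrub_last_applied(stored)))
```

To audit a live installation, feed `audit_cluster_secrets` the parsed output of `kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=cluster -o json`; any finding means the secret body is readable by anyone holding `clusters, get` on the Argo CD API of an unfixed version, and removing the annotation (or switching to server-side apply, which does not write it) closes that path independently of upgrading.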

Comment 2 errata-xmlrpc 2023-09-08 13:01:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.9

Via RHSA-2023:5029 https://access.redhat.com/errata/RHSA-2023:5029

Comment 3 errata-xmlrpc 2023-09-08 13:11:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.8

Via RHSA-2023:5030 https://access.redhat.com/errata/RHSA-2023:5030

Comment 4 Marco Benatto 2023-10-02 21:35:51 UTC
Although in most cases cluster secrets do not carry any sensitive information, in worst-case scenarios, when bearer-token authentication is used, the secret content may be very sensitive and grant the attacker privileged access to the ArgoCD cluster, resulting in high impact for the CIA triad.