Bug 2280218 (CVE-2024-31989)

Summary: CVE-2024-31989 argocd: Use of Risky or Missing Cryptographic Algorithms in Redis Cache
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anjoseph, jprabhak, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: argocd 2.8, argocd 2.9, argocd 2.10 Doc Type: ---
Doc Text:
A flaw was found in the ArgoCD Redis database server. This flaw allows an attacker with access to the Redis server to gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially leveraging ArgoCD's high privileges to take over the cluster.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2280222    

Description Avinash Hanwate 2024-05-13 11:47:49 UTC 
By default, the Redis database server is not password-protected. Consequently, an attacker with access to the Redis server can gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially leveraging ArgoCD's high privileges to take over the cluster. Updating the "cacheEntryHash" in the manifest JSON is necessary, but since it doesn't use a private key for signing its integrity, a simple script can generate a new FNV64a hash matching the new manifest values. The repo-server, unable to verify if its cache is compromised, will read the altered "mfst" key and initiate an update process for the injected deployment. 

It's also possible to edit the "app|resources-tree" key, causing the ArgoCD server to load any Kubernetes resource into the live manifest section of
the app preview. This could lead to an information leak. The fact that the cache in Redis is neither signed nor validated, combined with Redis's default lack of password protection, presents a significant security concern given ArgoCD's high-level permissions within the cluster. A security update should ensure all Redis database values are signed or encrypted.
Comment 2 subhro 2024-05-15 18:25:04 UTC 
Where is this coming from? There is no ASM or Service Now ticket attached to this flaw. Trying to find out if there is a time decided for the unembargo?
Comment 5 errata-xmlrpc 2024-05-28 08:21:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:3369 https://access.redhat.com/errata/RHSA-2024:3369
Comment 6 errata-xmlrpc 2024-05-28 08:22:46 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12

Via RHSA-2024:3368 https://access.redhat.com/errata/RHSA-2024:3368
Comment 7 errata-xmlrpc 2024-05-29 17:45:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.11

Via RHSA-2024:3475 https://access.redhat.com/errata/RHSA-2024:3475