Bug 2233203 (CVE-2023-40029) - CVE-2023-40029 ArgoCD: secrets can be leaked through kubectl.kubernetes.io/last-applied-configuration
Keywords:
Status: NEW
Alias: CVE-2023-40029
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2233201
 
Reported: 2023-08-21 17:09 UTC by Marco Benatto
Modified: 2023-10-02 21:37 UTC (History)

Fixed In Version: ArgoCD 2.8.1, ArgoCD 2.7.12, ArgoCD 2.6.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ArgoCD, used by Red Hat OpenShift GitOps. Argo CD cluster secrets can be managed declaratively with `kubectl apply`, which stores the full secret body in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Since Argo CD added the ability to manage cluster labels and annotations via its API, a user with `clusters, get` RBAC access can read that annotation and retrieve the authentication information it contains, such as a bearer token, imposing a high impact on data confidentiality and integrity for the targeted cluster.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5029 0 None None None 2023-09-08 13:01:09 UTC
Red Hat Product Errata RHSA-2023:5030 0 None None None 2023-09-08 13:11:33 UTC

Description Marco Benatto 2023-08-21 17:09:18 UTC
Argo CD Cluster secrets might be managed declaratively using Argo CD/kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. https://github.com/argoproj/argo-cd/pull/7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation which includes the full secret body. In order to view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access.

*Note*: In many cases, cluster secrets do *not* contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive.
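The mechanism in the description, as an added example (not Argo CD project code and not part of the original report): a client-side `kubectl apply` of an Argo CD cluster Secret copies the whole applied manifest, including the plaintext `stringData.config` with its bearer token, into the `kubectl.kubernetes.io/last-applied-configuration` annotation, and an API response that returns cluster annotations then hands that token to anyone with `clusters, get`. The `cluster_api_view` shape is an assumption made for illustration, the `simulate_kubectl_apply` function is an approximation of kubectl's client-side apply behaviour, and the manifest and token are constructed.

```python
"""Added example: show how client-side `kubectl apply` of an Argo CD cluster
Secret leaks credentials into the last-applied-configuration annotation, and
audit/scrub cluster secrets for that leak. All inputs are constructed."""
import base64
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
CLUSTER_TYPE_LABEL = "argocd.argoproj.io/secret-type"
# Keys of the Argo CD cluster `config` JSON that carry credentials.
SENSITIVE_CONFIG_KEYS = ("bearerToken", "password", "tlsClientConfig",
                         "execProviderConfig")


def simulate_kubectl_apply(manifest):
    """Approximation of what is stored after client-side `kubectl apply -f`:
    the object, plus the applied manifest (minus this annotation) serialized
    into the last-applied annotation. stringData is plaintext, so it lands
    in the annotation unencoded."""
    stored = copy.deepcopy(manifest)
    ann = stored.setdefault("metadata", {}).setdefault("annotations", {})
    ann.pop(LAST_APPLIED, None)
    snapshot = json.dumps(stored, separators=(",", ":"), sort_keys=True)
    ann[LAST_APPLIED] = snapshot
    return stored


def cluster_api_view(secret):
    """Assumed shape of what an affected Argo CD returns for `clusters, get`:
    metadata including labels and annotations, never the data fields."""
    meta = secret.get("metadata", {})
    return {
        "name": meta.get("name"),
        "labels": dict(meta.get("labels", {})),
        "annotations": dict(meta.get("annotations", {})),
    }


def leaked_credentials(view):
    """Parse the last-applied annotation of one cluster view and return the
    credential fields it exposes. An empty dict means nothing leaked."""
    raw = view.get("annotations", {}).get(LAST_APPLIED)
    if not raw:
        return {}
    try:
        applied = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    found = {}
    # Credentials normally sit in stringData.config (plaintext); a manifest
    # written with `data` carries the same JSON base64-encoded.
    for section in ("stringData", "data"):
        cfg = (applied.get(section) or {}).get("config")
        if not cfg:
            continue
        if section == "data":
            try:
                cfg = base64.b64decode(cfg).decode()
            except (ValueError, UnicodeDecodeError):
                continue
        try:
            cfg = json.loads(cfg)
        except json.JSONDecodeError:
            continue
        for key in SENSITIVE_CONFIG_KEYS:
            if key in cfg:
                found[key] = cfg[key]
    return found


def scrub_last_applied(secret):
    """Remediation equivalent to
    `kubectl annotate secret NAME kubectl.kubernetes.io/last-applied-configuration-`."""
    cleaned = copy.deepcopy(secret)
    cleaned.get("metadata", {}).get("annotations", {}).pop(LAST_APPLIED, None)
    return cleaned


def audit(secrets):
    """Return {secret name: sorted leaked keys} for every Argo CD cluster
    secret whose annotation exposes credentials."""
    report = {}
    for s in secrets:
        meta = s.get("metadata", {})
        if meta.get("labels", {}).get(CLUSTER_TYPE_LABEL) != "cluster":
            continue
        leaked = leaked_credentials(cluster_api_view(s))
        if leaked:
            report[meta["name"]] = sorted(leaked)
    return report


# Constructed sample in the documented Argo CD cluster-secret layout with a
# made-up bearer token (not a real credential).
CLUSTER_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "prod-cluster",
        "namespace": "argocd",
        "labels": {CLUSTER_TYPE_LABEL: "cluster"},
    },
    "type": "Opaque",
    "stringData": {
        "name": "prod.example.internal",
        "server": "https://prod.example.internal:6443",
        "config": json.dumps({
            "bearerToken": "constructed-token-AAAA1111",
            "tlsClientConfig": {"insecure": False, "caData": "Q09OU1RSVUNURUQ="},
        }),
    },
}

if __name__ == "__main__":
    applied = simulate_kubectl_apply(CLUSTER_MANIFEST)
    print("leak before scrub:", audit([applied]))
    print("leak after scrub: ", audit([scrub_last_applied(applied)]))
```

The audit only looks at what the cluster API view exposes, so it reports a leak even though the Secret's own `data` is never returned; that is the point of the bug. Scrubbing the annotation stops the exposure on already-applied secrets, but any secret created with client-side apply before the upgrade should also have its bearer token rotated, since the annotation was readable to every `clusters, get` principal in the meantime.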

Comment 2 errata-xmlrpc 2023-09-08 13:01:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.9

Via RHSA-2023:5029 https://access.redhat.com/errata/RHSA-2023:5029

Comment 3 errata-xmlrpc 2023-09-08 13:11:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.8

Via RHSA-2023:5030 https://access.redhat.com/errata/RHSA-2023:5030

Comment 4 Marco Benatto 2023-10-02 21:35:51 UTC
Although in most cases cluster secrets do not carry any sensitive information, in worst-case scenarios such as bearer-token authentication the secret content may be very sensitive and grant the attacker privileged access to the ArgoCD cluster, resulting in high impact for the CIA triad.

