Bug 2280218 (CVE-2024-31989) - CVE-2024-31989 argocd: Use of Risky or Missing Cryptographic Algorithms in Redis Cache
Keywords:
Status: NEW
Alias: CVE-2024-31989
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2280222
 
Reported: 2024-05-13 11:47 UTC by Avinash Hanwate
Modified: 2024-06-08 08:28 UTC

Fixed In Version: argocd 2.8, argocd 2.9, argocd 2.10
Doc Type: ---
Doc Text:
A flaw was found in the Redis cache used by ArgoCD. The Redis server is deployed without password protection by default, and the cached values are neither signed nor validated, so an attacker with network access to the Redis server gains read/write access to the data stored there. By modifying the "mfst" (manifest) key, the attacker can cause ArgoCD to deploy arbitrary resources, potentially leveraging ArgoCD's high privileges to take over the cluster.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:3368  0        None      None    None     2024-05-28 08:22:47 UTC
Red Hat Product Errata  RHSA-2024:3369  0        None      None    None     2024-05-28 08:21:49 UTC
Red Hat Product Errata  RHSA-2024:3475  0        None      None    None     2024-05-29 17:45:38 UTC

Description Avinash Hanwate 2024-05-13 11:47:49 UTC
By default, the Redis database server is not password-protected. Consequently, an attacker with access to the Redis server can gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially leveraging ArgoCD's high privileges to take over the cluster. Updating the "cacheEntryHash" in the manifest JSON is necessary, but since it doesn't use a private key for signing its integrity, a simple script can generate a new FNV64a hash matching the new manifest values. The repo-server, unable to verify if its cache is compromised, will read the altered "mfst" key and initiate an update process for the injected deployment. 

It's also possible to edit the "app|resources-tree" key, causing the ArgoCD server to load any Kubernetes resource into the live manifest section of the app preview. This could lead to an information leak. The fact that the cache in Redis is neither signed nor validated, combined with Redis's default lack of password protection, presents a significant security concern given ArgoCD's high-level permissions within the cluster. A security update should ensure all Redis database values are signed or encrypted.
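
The core of the report above is that the "cacheEntryHash" is an unkeyed FNV-64a digest, so anyone who can write to Redis can re-stamp a modified entry. The following is an added example, not ArgoCD's code: a deliberately simplified model of a cached manifest entry (the struct, its field names, the sample manifests and the key are all assumptions constructed for this example) that contrasts an unkeyed FNV-64a check with an HMAC-SHA256 tag under a key the cache reader holds. It shows that the unkeyed check accepts an attacker-rewritten entry while the keyed one rejects it; it illustrates the reporter's point and does not describe how the fixed versions listed on this page address the issue.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"hash/fnv"
)

// CachedManifests is a simplified stand-in for a cached manifest response.
// The type and field names are assumptions for this example, not ArgoCD's own.
type CachedManifests struct {
	Manifests      []string `json:"manifests"`
	CacheEntryHash string   `json:"cacheEntryHash"`
}

// serialize marshals the entry with the hash field blanked, so the digest
// covers every field except itself.
func serialize(c CachedManifests) []byte {
	c.CacheEntryHash = ""
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	return b
}

// UnkeyedHash is an FNV-64a digest over the entry. It detects accidental
// corruption only: anyone who can read the entry can recompute it.
func UnkeyedHash(c CachedManifests) string {
	h := fnv.New64a()
	h.Write(serialize(c))
	return hex.EncodeToString(h.Sum(nil))
}

// KeyedTag is HMAC-SHA256 under a key held by the component that writes and
// reads the cache. A writer without the key cannot forge a tag for a changed entry.
func KeyedTag(c CachedManifests, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(serialize(c))
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyUnkeyed mirrors a consumer that trusts any entry whose FNV-64a matches.
func VerifyUnkeyed(c CachedManifests) bool {
	return UnkeyedHash(c) == c.CacheEntryHash
}

// VerifyKeyed checks the HMAC tag in constant time.
func VerifyKeyed(c CachedManifests, key []byte) bool {
	return hmac.Equal([]byte(KeyedTag(c, key)), []byte(c.CacheEntryHash))
}

// Tamper models an attacker with Redis write access: swap the manifest for an
// injected one and re-stamp the entry with a freshly computed unkeyed hash,
// which is all the attacker can compute without the HMAC key.
func Tamper(c CachedManifests, injected string) CachedManifests {
	c.Manifests = []string{injected}
	c.CacheEntryHash = UnkeyedHash(c)
	return c
}

func main() {
	key := []byte("constructed-demo-key")                               // constructed for the example
	legit := `{"kind":"Deployment","metadata":{"name":"web"}}`          // constructed sample manifest
	evil := `{"kind":"ClusterRoleBinding","metadata":{"name":"pwn"}}`   // constructed injected manifest

	unkeyed := CachedManifests{Manifests: []string{legit}}
	unkeyed.CacheEntryHash = UnkeyedHash(unkeyed)
	fmt.Println("unkeyed check accepts tampered entry:", VerifyUnkeyed(Tamper(unkeyed, evil)))

	keyed := CachedManifests{Manifests: []string{legit}}
	keyed.CacheEntryHash = KeyedTag(keyed, key)
	fmt.Println("keyed check accepts tampered entry:  ", VerifyKeyed(Tamper(keyed, evil), key))
}
```

Signing alone only helps if the key is not itself readable from Redis by the attacker; it has to live with the repo-server (for example in a Kubernetes Secret it mounts), and Redis authentication remains the first control to enable regardless.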

Comment 2 subhro 2024-05-15 18:25:04 UTC
Where is this coming from? There is no ASM or Service Now ticket attached to this flaw. Trying to find out if there is a time decided for the unembargo?

Comment 5 errata-xmlrpc 2024-05-28 08:21:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:3369 https://access.redhat.com/errata/RHSA-2024:3369

Comment 6 errata-xmlrpc 2024-05-28 08:22:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.12

Via RHSA-2024:3368 https://access.redhat.com/errata/RHSA-2024:3368

Comment 7 errata-xmlrpc 2024-05-29 17:45:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.11

Via RHSA-2024:3475 https://access.redhat.com/errata/RHSA-2024:3475

