In September 2023, security researchers from KTrust reported three issues through the official Argo CD security disclosure channels in accordance with Argo CD security policy. In coordination with other Argo maintainers, we have issued security updates for both Argo CD and Codefresh GitOps (enterprise Argo). Below you can read more about these CVEs, their impact, and mitigation.
- Moderate: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024- 21662)
- Moderate: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)
- High: Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multithreaded Environment (CVE-2024-21661)
Impact
This set of CVEs revolves around making repeated attempts to log in to user accounts and triggering crashes to reset the attempt counter that normally prevents brute-force attacks. These CVEs impact unprotected Argo CD endpoints in all unpatched versions. A successful brute-force would result in unauthorized access to Argo CD user accounts and whatever permissions are available to those accounts. For Codefresh GitOps users, this would not include any access to the control plane or additional user data. Addtionally, Codefresh’s unique architecture would make attempts to execute these CVEs much more difficult for attackers.
Response and Mitigations
In coordination with Argo maintainers, Codefresh, RedHat, Intuit, and Akuity have worked together to resolve these CVEs and issue security updates. Argo CD supports security patches for the three most recent releases and updates are being made available to Argo CD 2.10, 2.9, and 2.8.
Codefresh GitOps users have already been notified of an available security update and can use Codefresh’s built-in tools to update all their instances.
Because of Codefresh’s unique architecture, most users do not have their Argo APIs publicly accessible or access the API via a proxy that provides an additional level of security and protection. However, Codefresh customers should update their instances as soon as possible.
Updating to the latest version will resolve these three CVEs. If you are unable to update to the latest version or are looking for further protection, we recommend removing the default admin user, closing public API access, or adding an ingress proxy that can provide additional brute force protections like those available already in the Codefresh control plane.
Acknowledgments and Call for Continued Contributions
We would like to thank KTrust for reporting these issues and working with Argo maintainers. As many already know, the Argo Project partners with HackerOne and the CNCF to offer bug bounties and cash payouts for vulnerability reports and work with maintainers to resolve them. This not only provides funds to security researchers, but HackerOne also sends a cut to open source projects to help fund their efforts. You can learn more about the bug bounty here.
Thank you again to our fellow Argo maintainers for working together to coordinate this release.
