Argo CD - v2.4.13

Security

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.13/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.13/manifests/ha/install.yaml

Security fixes

CVE-2022-39222 is a backchannel attack against the Dex OIDC provider. If your Argo CD instance is impacted, an attacker could use the process described in the vulnerability description to steal an Argo CD token from some Argo CD user. The attacker could then impersonate the targeted user and act with the victim's privileges.

Am I impacted?

This Dex vulnerability impacts Argo CD users who either 1) use the bundled Dex instance for OIDC or 2) use an external Dex instance running Dex <= 2.34.x.

If you do not use Dex, then you are not impacted.

Bundled Dex

To determine if you use the bundled Dex instance, run this command, replacing argocd with the namespace where your Argo CD instance is installed:

kubectl get cm -n argocd argocd-cm -ojson | jq '.data["dex.config"] != null'

If that command prints true, then you use the bundled Dex instance, and you should upgrade.

External Dex

To determine if you use an external Dex instance, run this command:

kubectl get cm -n argocd argocd-cm -ojson | jq '.data["oidc.config"]'

That will print your Argo CD instance's OIDC config. It might be obvious whether the OIDC provider is Dex (for example, the word dex might be in the URL). Or you might have to contact whoever manages the configured OIDC provider to ask.

You will also have to check with whoever manages the Dex instance to determine if it is still running a vulnerable version (<= 2.34.x).

How can I resolve the vulnerability as a user of the bundled Dex instance?

Upgrading Dex is the only way to resolve the vulnerability.

If you're using the manifests from the argo-cd repository to install Argo CD, the easiest way to resolve the vulnerability is to use the latest release's manifests, which point to the Dex 2.35.0 image. If you do not want to upgrade the full manifest, then you can manually change the Dex image tags in your deployed manifests to use a >= 2.35.0 tag.

If you're using the argo-helm argo-cd chart, you can either wait for a new chart release which points to the new Dex version, or you can set the dex.image.tag parameter to a >= 2.35.0 tag.

To confirm that you are using a patched version of Dex, use this command (replacing argocd with the namespace where your Argo CD instance is deployed):

kubectl get deployment -n argocd argocd-dex-server -ojson | jq '.spec.template.spec.containers[0].image'

The image tag should point to a Dex version >= 2.35.0.
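The two checks above (is the bundled Dex configured, and does argocd-dex-server run a patched image) are easy to get wrong by eye when tags look like v2.32.1-distroless or are digest-pinned. The script below is an added example, not part of the Argo CD release notes or the project's tooling: it parses a Dex image reference into MAJOR.MINOR.PATCH and reports whether it meets the >= 2.35.0 requirement, treating anything it cannot parse (latest, a digest with no tag) as not verified. The function names, the --cluster wrapper and the constructed sample tags are this example's own; the live path assumes kubectl is on PATH and that the namespace argument matches your install.

```shell
#!/bin/sh
# Added example: verify the Dex image deployed with Argo CD is >= 2.35.0 (the fix for
# CVE-2022-39222). Pure POSIX sh so the parsing can be checked on constructed tags.

# Print the MAJOR.MINOR.PATCH part of an image reference, or "unknown" when the
# reference has no tag (e.g. digest-pinned) and the version cannot be read from it.
dex_version_from_image() {
    img=${1%%@*}            # drop any "@sha256:..." digest
    tag=${img##*:}          # text after the last ':' is the tag
    if [ "$tag" = "$img" ]; then
        printf 'unknown\n'  # no ':' at all, so no tag to inspect
        return 1
    fi
    tag=${tag#v}            # "v2.35.0-distroless" -> "2.35.0-distroless"
    tag=${tag%%-*}          # "2.35.0-distroless"  -> "2.35.0"
    printf '%s\n' "$tag"
}

# Return 0 when the image version is >= 2.35.0, 1 otherwise. Non-numeric or
# unparsable versions are deliberately reported as NOT patched.
dex_image_is_patched() {
    ver=$(dex_version_from_image "$1")
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    patch=${patch:-0}
    case "${major:-x}.${minor:-x}.$patch" in
        *[!0-9.]*) return 1 ;;   # "latest", "unknown", "5000/dex", ...
    esac
    if [ "$major" -gt 2 ]; then
        return 0
    fi
    [ "$major" -eq 2 ] && [ "$minor" -ge 35 ]
}

# Live check against a cluster (needs kubectl; not used by the constructed samples).
# Mirrors the release notes: bundled Dex is in use when argocd-cm has dex.config.
check_cluster_dex() {
    ns=${1:-argocd}
    dexcfg=$(kubectl get cm -n "$ns" argocd-cm -o jsonpath='{.data.dex\.config}')
    if [ -z "$dexcfg" ]; then
        echo "no dex.config in $ns/argocd-cm: bundled Dex not in use; check any external Dex separately"
        return 0
    fi
    img=$(kubectl get deployment -n "$ns" argocd-dex-server \
        -o jsonpath='{.spec.template.spec.containers[0].image}')
    if dex_image_is_patched "$img"; then
        echo "OK: $img is Dex >= 2.35.0"
    else
        echo "NOT VERIFIED: $img (expected a Dex tag >= 2.35.0)"
        return 1
    fi
}

if [ "${1:-}" = "--cluster" ]; then
    check_cluster_dex "${2:-argocd}"
else
    # Constructed sample references (not taken from any real cluster).
    for sample in \
        'ghcr.io/dexidp/dex:v2.35.0-distroless' \
        'ghcr.io/dexidp/dex:v2.32.1-distroless' \
        'ghcr.io/dexidp/dex:v2.34.9' \
        'quay.io/dexidp/dex@sha256:0123abcd' \
        'ghcr.io/dexidp/dex:latest'; do
        if dex_image_is_patched "$sample"; then
            echo "patched     $sample"
        else
            echo "not patched $sample"
        fi
    done
fi
```

Run it with no arguments to see the decision on the constructed tags, or with `--cluster argocd` to read the ConfigMap and Deployment from a live namespace. The comparison is intentionally conservative: a digest-pinned or `latest` image is reported as not verified rather than guessed, because the whole point of the check is to be certain the 2.35.0 fix is actually running.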

Bug fixes

  • fix: fix subscription health check (#10450)
  • fix: Fix a nil pointer crash for repo server (#10696)

Other changes

  • docs: add note about multiple sync options on annotation (#10739)
  • docs: fix broken links in faq.md (#10744)
  • chore: upgrade Dex to 2.35.0 (#10775)
  • docs: syncWindows in project.yaml (#10591)
  • docs: Update Generators-Pull-Request.md (#10643) (#10642)
  • docs: fix typo in GitHub section (#10723)
  • chore: upgrade dex to v2.32.1-distroless (#10746)

Details

date
Oct. 3, 2022, 9:38 p.m.
name
v2.4.13
type
Patch