github.com/argoproj/argo-cd@v1.8.7/docs/security_considerations.md

# Security Considerations

!!! warning "Deprecation notice"
    This page is now deprecated and serves as an archive only. For up-to-date
    information, please have a look at our
    [security policy](https://github.com/argoproj/argo-cd/security/policy) and
    [published security advisories](https://github.com/argoproj/argo-cd/security/advisories).

As a deployment tool, Argo CD needs to have production access, which makes security a very important topic.
The Argoproj team takes security very seriously and is continuously working on improving it. Learn more about
security-related features in the [Security](./operator-manual/security.md) section.

## Overview of past and current issues

The following table gives a general overview of past and present issues known
to the ArgoCD project. See the [Known Issues](#known-issues-and-workarounds)
section for available workarounds if you cannot update, or if there is
no fix yet.

|Date|CVE|Title|Risk|Affected version(s)|Fix version|
|----|---|-----|----|-------------------|-----------|
|2020-06-16|[CVE-2020-1747](https://nvd.nist.gov/vuln/detail/CVE-2020-1747)|PyYAML library susceptible to arbitrary code execution|High|all|v1.5.8|
|2020-04-14|[CVE-2020-5260](https://nvd.nist.gov/vuln/detail/CVE-2020-5260)|Possible Git credential leak|High|all|v1.4.3,v1.5.2|
|2020-04-08|[CVE-2020-11576](https://nvd.nist.gov/vuln/detail/CVE-2020-11576)|User Enumeration|Medium|v1.5.0|v1.5.1|
|2020-04-08|[CVE-2020-8826](https://nvd.nist.gov/vuln/detail/CVE-2020-8826)|Session-fixation|High|all|n/a|
|2020-04-08|[CVE-2020-8827](https://nvd.nist.gov/vuln/detail/CVE-2020-8827)|Insufficient anti-automation/anti-brute force|High|all <= 1.5.3|v1.5.3|
|2020-04-08|[CVE-2020-8828](https://nvd.nist.gov/vuln/detail/CVE-2020-8828)|Insecure default administrative password|High|all|n/a|
|2020-04-08|[CVE-2018-21034](https://nvd.nist.gov/vuln/detail/CVE-2018-21034)|Sensitive Information Disclosure|Medium|all <= v1.5.0|v1.5.0|

## Known Issues And Workarounds

A recent security audit (thanks a lot to [Matt Hamilton](https://github.com/Eriner) of [https://soluble.ai](https://soluble.ai))
has revealed several limitations in Argo CD which could compromise security.
Most of the issues are related to the built-in user management implementation.

### CVE-2020-1747 - PyYAML library susceptible to arbitrary code execution

**Summary:**

|Risk|Reported by|Fix version|Workaround|
|----|-----------|-----------|----------|
|High|[infa-kparida](https://github.com/infa-kparida)|v1.5.8|No|

**Details:**

The PyYAML library is susceptible to arbitrary code execution when it processes untrusted YAML files.
We do not believe ArgoCD is affected by this vulnerability, because the impact of CVE-2020-1747 is limited to the usage of `awscli`.
The `awscli` is only used for AWS IAM authentication, and its endpoint is the AWS API.

### CVE-2020-5260 - Possible Git credential leak

**Summary:**

|Risk|Reported by|Fix version|Workaround|
|----|-----------|-----------|----------|
|Critical|Felix Wilhelm of Google Project Zero|v1.4.3,v1.5.2|Yes|

**Details:**

ArgoCD relies on Git for many of its operations. The Git project released a
[security advisory](https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q)
on 2020-04-14, describing a serious vulnerability in Git which can lead to credential
leakage through credential helpers by feeding malicious URLs to the `git clone`
operation.

We do not believe ArgoCD is affected by this vulnerability, because ArgoCD neither
makes use of Git credential helpers nor uses `git clone` for repository operations.
However, we do not know whether our users might have configured Git credential helpers on
their own, so we chose to release new images which contain the bug fix for Git.

**Mitigation and/or workaround:**

We strongly recommend upgrading your ArgoCD installation to either `v1.4.3` (if on the v1.4
branch) or `v1.5.2` (if on the v1.5 branch).

When you are running `v1.4.x`, you can upgrade to `v1.4.3` by simply changing the image
tags for `argocd-server`, `argocd-repo-server` and `argocd-controller` to `v1.4.3`.
The `v1.4.3` release does not contain additional functional bug fixes.

Likewise, when you are running `v1.5.x`, you can upgrade to `v1.5.2` by simply changing
the image tags for `argocd-server`, `argocd-repo-server` and `argocd-controller` to `v1.5.2`.
The `v1.5.2` release does not contain additional functional bug fixes.
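Independently of the Git fix, a service that accepts repository URLs from its users can refuse the class of input the advisory is about before the URL ever reaches a git subprocess. The following Python pre-flight check is an added illustration of that (it is neither Argo CD's code nor the Git patch): it rejects URLs carrying control or non-ASCII characters, raw or percent-encoded, and restricts the scheme to a small allow-list. The function names and the allowed-scheme set are assumptions made for this example.

```python
"""Pre-flight validation of user-supplied git repository URLs.

Added example, not Argo CD code. The policy (allowed schemes, scp-like form
accepted, control characters rejected in raw and decoded form) is an assumption
chosen for the illustration.
"""
import string
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"https", "ssh", "git"}
# Printable ASCII without the line/format control characters.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def validate_repo_url(url: str) -> str:
    """Return the URL unchanged if it passes every check, else raise ValueError."""
    # 1. Control characters, whether literal or hidden behind %XX encoding, are
    #    what confuses line-oriented helper protocols; check both spellings.
    #    (Internationalised host names must arrive already punycode-encoded.)
    for candidate in (url, unquote(url)):
        bad = [c for c in candidate if c not in PRINTABLE]
        if bad:
            raise ValueError(f"control or non-ASCII character in URL: {bad[0]!r}")

    # 2. Accept git's scp-like location form, user@host:path, which has no scheme.
    if "://" not in url:
        user_host, sep, path = url.partition(":")
        if sep and "@" in user_host and path and "/" not in user_host:
            return url
        raise ValueError("neither a URL nor an scp-like git location")

    # 3. Otherwise require an allow-listed scheme and a non-empty host
    #    (this also rules out file:// and empty-host URLs).
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def is_safe_repo_url(url: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_repo_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two well-formed locations and two that carry a
    # newline (one raw, one percent-encoded).
    for sample in ("https://github.com/argoproj/argo-cd.git",
                   "git@github.com:argoproj/argo-cd.git",
                   "https://example.com/re\npo.git",
                   "https://example.com/%0arepo.git"):
        print(repr(sample), "->", "accept" if is_safe_repo_url(sample) else "reject")
```

The check is deliberately strict rather than clever: anything that is not plain printable ASCII in both its raw and decoded form is refused outright, so the validator does not need to know which helper protocol a downstream git configuration happens to use.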

### CVE-2020-11576 - User Enumeration

**Summary:**

|Risk|Reported by|Fix version|Workaround|
|----|-----------|-----------|----------|
|Medium|[Matt Hamilton](https://github.com/Eriner) of [https://soluble.ai](https://soluble.ai)|v1.5.1|Yes|

**Details:**

Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts within Argo.

**Mitigation and/or workaround:**

Upgrade to ArgoCD v1.5.1 or higher. As a workaround, disable local users and use only SSO authentication.

### CVE-2020-8828 - Insecure default administrative password

**Summary:**

|Risk|Reported by|Fix version|Workaround|
|----|-----------|-----------|----------|
|High|[Matt Hamilton](https://github.com/Eriner) of [https://soluble.ai](https://soluble.ai)|n/a|Yes|

**Details:**

Argo CD uses the `argocd-server` pod name (e.g. `argocd-server-55594fbdb9-ptsf5`) as the default admin password.

Kubernetes users able to list pods in the argo namespace are able to retrieve the default password.

Additionally, in most installations, [the Pod name contains a random "trail" of characters](https://github.com/kubernetes/kubernetes/blob/dda530cfb74b157f1d17b97818aa128a9db8e711/staging/src/k8s.io/apiserver/pkg/storage/names/generate.go#L37).
These characters are generated using [a time-seeded PRNG](https://github.com/kubernetes/apimachinery/blob/master/pkg/util/rand/rand.go#L26) and not a CSPRNG.
An attacker could use this information in an attempt to deduce the state of the internal PRNG, aiding brute-force attacks.

**Mitigation and/or workaround:**

The recommended mitigation, as described in the user documentation, is to use SSO integration.
The default admin password
should only be used for initial configuration and then [disabled](https://argoproj.github.io/argo-cd/operator-manual/user-management/#disable-admin-user)
or at least changed to a more secure password.

### CVE-2020-8827 - Insufficient anti-automation/anti-brute force

**Summary:**

|Risk|Reported by|Fix version|Workaround|
|----|-----------|-----------|----------|
|High|[Matt Hamilton](https://github.com/Eriner) of [https://soluble.ai](https://soluble.ai)|n/a|Yes|

**Details:**

ArgoCD before v1.5.3 does not enforce rate-limiting or other anti-automation mechanisms which would mitigate admin password brute force.

**Mitigation and/or workaround:**

Rate-limiting and anti-automation mechanisms for local user accounts have been introduced with ArgoCD v1.5.3.

If you cannot upgrade ArgoCD to v1.5.3 yet, we recommend disabling local users and using SSO instead as a workaround.

### CVE-2020-8826 - Session-fixation

**Summary:**

|Risk|Reported by|Fix version|Workaround|
|----|-----------|-----------|----------|
|High|[Matt Hamilton](https://github.com/Eriner) of [https://soluble.ai](https://soluble.ai)|n/a|Yes|

**Details:**

The authentication tokens generated for built-in users have no expiry.

These issues might be acceptable in a controlled, isolated environment, but they are not acceptable if the Argo CD user interface is
exposed to the Internet.

**Mitigation and/or workaround:**

The recommended mitigation is to change the password periodically to invalidate the authentication tokens.
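The three local-user findings above (CVE-2020-11576 user enumeration, CVE-2020-8827 missing brute-force protection, and CVE-2020-8826 non-expiring tokens) are all properties of one login path, so one example can show the controls that address them together. The following stdlib-only Python local user store is an added example and not Argo CD's code: it returns a single failure message and performs identical hashing work whether or not the account exists, locks an account after repeated failures, and issues signed tokens that carry an expiry and are rejected once they predate the account's last password change, which is the mechanism that makes "change the password to invalidate tokens" effective. The class and method names, the limits, and the token layout are assumptions for this example; the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Local-user login hardened against enumeration, brute force and
non-expiring sessions.

Added example, not Argo CD code. Class names, the attempt limit, the lockout
window, the token TTL and the token format are assumptions for the example.
"""
import base64
import hashlib
import hmac
import json
import os
import time

PBKDF2_ITERS = 100_000      # work factor for password hashing
MAX_FAILURES = 5            # failures before an account is locked
LOCKOUT_SECONDS = 300       # how long the lock lasts
TOKEN_TTL_SECONDS = 3600    # every token expires; none live forever

FAILURE_MESSAGE = "invalid username or password"   # the only login error text


class AuthError(Exception):
    """Generic failure; callers never learn which check failed."""


class LocalUserStore:
    def __init__(self, signing_key: bytes, now=time.time):
        self._key = signing_key
        self._now = now          # injectable clock, so tests can advance time
        self._users = {}         # name -> {"salt", "hash", "password_mtime"}
        self._failures = {}      # name -> (count, time of last failure)
        # Dummy credentials so an unknown name costs exactly one KDF run too.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._derive("dummy-password", self._dummy_salt)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

    def set_password(self, name: str, password: str) -> None:
        """Create or rotate a password; records the change time in whole seconds."""
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": self._derive(password, salt),
                             "password_mtime": int(self._now())}

    def _locked(self, name: str) -> bool:
        # Keyed by the submitted name even for unknown accounts, so the lockout
        # itself does not reveal which names exist.
        count, last = self._failures.get(name, (0, 0.0))
        return count >= MAX_FAILURES and self._now() - last < LOCKOUT_SECONDS

    def login(self, name: str, password: str) -> str:
        """Return a signed token, or raise AuthError with the one fixed message."""
        if self._locked(name):
            raise AuthError(FAILURE_MESSAGE)
        user = self._users.get(name)
        # Always run the KDF and always compare in constant time, so neither
        # timing nor the error text says whether `name` is a real account.
        salt = user["salt"] if user else self._dummy_salt
        expected = user["hash"] if user else self._dummy_hash
        ok = hmac.compare_digest(self._derive(password, salt), expected) and user is not None
        if not ok:
            count, _ = self._failures.get(name, (0, 0.0))
            self._failures[name] = (count + 1, self._now())
            raise AuthError(FAILURE_MESSAGE)
        self._failures.pop(name, None)
        return self._issue_token(name)

    def _issue_token(self, name: str) -> str:
        now = int(self._now())
        claims = {"sub": name, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return f"{body}.{sig}"

    def verify_token(self, token: str) -> str:
        """Return the subject if the token is authentic, unexpired and newer than
        the account's last password change; raise AuthError otherwise."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            raise AuthError("invalid token") from None
        expected_sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected_sig, sig):
            raise AuthError("invalid token")
        claims = json.loads(base64.urlsafe_b64decode(body))
        user = self._users.get(claims["sub"])
        if user is None or self._now() >= claims["exp"]:
            raise AuthError("invalid token")
        # A password change invalidates every token issued before it.
        if claims["iat"] < user["password_mtime"]:
            raise AuthError("invalid token")
        return claims["sub"]
```

Two design points worth noting: the dummy KDF run for unknown names is what keeps the response time flat, since a cheap early return on "no such user" is itself an enumeration signal; and in a deployment with several replicas the failure counter would have to live in shared storage, otherwise each replica grants its own allowance of attempts.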

### CVE-2018-21034 - Sensitive Information Disclosure

**Summary:**

|Risk|Reported by|Fix version|Workaround|
|----|-----------|-----------|----------|
|Medium|[Matt Hamilton](https://github.com/Eriner) of [https://soluble.ai](https://soluble.ai)|v1.5.0|No|

**Details:**

In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.

**Mitigation and/or workaround:**

Upgrade to ArgoCD v1.5.0 or higher. No workaround is available.

## Reporting Vulnerabilities

Please have a look at our
[security policy](https://github.com/argoproj/argo-cd/security/policy)
for more details on how to report security vulnerabilities for Argo CD.