Argo CD is a popular open-source continuous delivery (CD) platform that is used by thousands of organizations globally. Recently, a serious vulnerability was uncovered by Apiiro which enables attackers to access sensitive information, such as secrets, passwords, and API keys.
Important note: Rafay’s integrated GitOps service is not based on ArgoCD and is therefore not vulnerable to this issue. In addition, our security team at Rafay has already tested and assessed that Rafay’s integrated GitOps Service is not affected by this malicious Helm chart method.
When malicious actors load specifically configured Kubernetes Helm Charts, they could gain access to sensitive information through ArgoCD. The team behind ArgoCD quickly provided a patch, which we strongly recommend applying as soon as possible because the vulnerability affects all versions of the tool. The patch is available via ArgoCD’s GitHub repository.
We urge everyone to apply this patch to their ArgoCD deployments right away.
In terms of the impact of this vulnerability, Apiiro has determined the following (so far). Note that the following information was from Apiiro’s site at the time of the announcement (and may be subject to change). Please refer to Apiiro’s website for the latest information:
- There are direct implications from the contents read from other files present on the reposerver, which can contain sensitive information. This by itself can impact an organization.
- Because application files usually contain an assortment of transitive values of secrets, tokens, and environment-sensitive settings, this can effectively be used by the attacker to further expand their campaign by moving laterally through different services and escalating their privileges to gain more ground on the system and the target organization’s resources.
The risk was given a severity rating of high given that the malicious Helm chart can potentially expose sensitive information stored in a git repository and also “roam” through applications, allowing attackers to read secrets, tokens, and sensitive data that reside within the applications.
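The post does not spell out how a malicious chart reaches other files on the reposerver. The added example below is not Rafay’s or Argo CD’s code; it assumes the widely reported shape of the issue, namely Helm value-file entries in an Application’s spec.source.helm.valueFiles that resolve outside the repository checkout, and audits a (constructed) Application manifest so a defender can review existing Applications for such entries while rolling out the patch.

```python
"""Audit Argo CD Application specs for Helm value-file paths that escape the
repository checkout on the repo-server. Assumption: the weakness is a
path-traversal in spec.source.helm.valueFiles (not stated on the page)."""
import posixpath
from typing import Dict, List, Tuple


def classify_value_file(chart_root: str, value_file: str) -> str:
    """Classify one valueFiles entry relative to the repo root ('.')."""
    if "://" in value_file:
        return "remote"            # fetched over the network, review separately
    if posixpath.isabs(value_file):
        return "outside-repo"      # absolute paths point at the repo-server FS
    resolved = posixpath.normpath(posixpath.join(chart_root, value_file))
    if resolved == ".." or resolved.startswith("../"):
        return "outside-repo"      # traversal above the repository checkout
    if chart_root == "." or resolved.startswith(chart_root + "/"):
        return "ok"
    return "outside-chart"         # inside the repo but outside spec.source.path


def audit_application(app: Dict) -> List[Tuple[str, str]]:
    """Return (valueFile, finding) pairs for an Application manifest dict."""
    source = app.get("spec", {}).get("source", {})
    chart_root = posixpath.normpath(source.get("path") or ".")
    value_files = source.get("helm", {}).get("valueFiles", [])
    return [(vf, classify_value_file(chart_root, vf)) for vf in value_files]


# Constructed sample manifest (not a real Application) with one benign,
# one cross-directory and one traversal entry.
SAMPLE_APP = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Application",
    "metadata": {"name": "demo"},
    "spec": {"source": {
        "repoURL": "https://example.invalid/repo.git",
        "path": "charts/demo",
        "helm": {"valueFiles": [
            "values.yaml",
            "../shared/values-prod.yaml",
            "../../../../etc/passwd",
        ]},
    }},
}

if __name__ == "__main__":
    for value_file, finding in audit_application(SAMPLE_APP):
        print(f"{finding:14s} {value_file}")
```

Run it against Application objects exported from your cluster (for example the YAML from `kubectl get applications -A -o yaml`, converted to dicts) and treat any `outside-repo` finding as a priority review item.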
Again, Rafay urges everyone to apply this patch for their ArgoCD deployments right away.