Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, its possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCDs helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.
The product does not properly control the allocation and maintenance of a limited resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Argo_cd | Argoproj | 2.4.0 (including) | 2.8.14 (excluding) |
| Argo_cd | Argoproj | 2.9.0 (including) | 2.9.10 (excluding) |
| Argo_cd | Argoproj | 2.10.0 (including) | 2.10.5 (excluding) |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/argocd-rhel8:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/argo-rollouts-rhel8:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/console-plugin-rhel8:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/dex-rhel8:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/gitops-operator-bundle:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/gitops-rhel8:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/gitops-rhel8-operator:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/kam-delivery-rhel8:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.10 | RedHat | openshift-gitops-1/must-gather-rhel8:v1.10.4-1 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/argocd-rhel8:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/argo-rollouts-rhel8:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/console-plugin-rhel8:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/dex-rhel8:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/gitops-operator-bundle:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/gitops-rhel8:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/gitops-rhel8-operator:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/kam-delivery-rhel8:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.11 | RedHat | openshift-gitops-1/must-gather-rhel8:v1.11.3-2 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-argocd-cli-0:1.12.1-5.el8 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/argocd-rhel8:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/argo-rollouts-rhel8:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/console-plugin-rhel8:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/dex-rhel8:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/gitops-operator-bundle:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/gitops-rhel8:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/gitops-rhel8-operator:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/kam-delivery-rhel8:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/must-gather-rhel8:v1.12.1-1 | * |
| Red Hat OpenShift GitOps 1.12 - RHEL 9 | RedHat | microshift-gitops-0:1.12.1-4.el9 | * |
| Red Hat OpenShift GitOps 1.12 - RHEL 9 | RedHat | openshift-gitops-argocd-cli-0:1.12.1-4.el9 | * |
| Red Hat OpenShift GitOps 1.12 - RHEL 9 | RedHat | openshift-gitops-argocd-rhel9-container-v1.12.1-2 | * |
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.