| id: GO-TEST-ID |
| modules: |
| - module: github.com/argoproj/argo-cd |
| versions: |
| - introduced: 0.4.0 |
| fixed: 2.2.11 |
| - module: github.com/argoproj/argo-cd |
| versions: |
| - introduced: 2.3.0 |
| fixed: 2.3.6 |
| - module: github.com/argoproj/argo-cd |
| versions: |
| - introduced: 2.4.0 |
| fixed: 2.4.5 |
| summary: Argo CD certificate verification is skipped for connections to OIDC providers |
| description: |- |
| ### Impact |
| |
| All versions of Argo CD starting with v0.4.0 are vulnerable to an improper |
| certificate validation bug which could cause Argo CD to trust a malicious (or |
| otherwise untrustworthy) OIDC provider. |
| |
| (Note: external OIDC provider support was added in v0.11.0. Before that version, |
| the notes below apply only to the bundled Dex instance.) |
| |
| You are impacted if 1) have SSO enabled and 2) insecure mode is _not_ enabled on |
| the API server. In this case, certificate verification is skipped when |
| connecting to your OIDC provider for the following tasks: verifying auth tokens |
| on API requests and handling SSO login flows. If you are using the bundled Dex |
| instance but have _not_ set the `--dex-server` flag on the API server to an |
| HTTPS address, then certificate verification is not being skipped (because [TLS |
| is not enabled by default for the bundled Dex |
| instance](https://github.com/argoproj/argo-cd/issues/9424)). |
| |
| Argo CD sends requests to the configured OIDC provider (either the bundled Dex |
| instance or an external provider) to 1) retrieve the [OpenID |
| configuration](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), |
| 2) to retrieve the OIDC provider's key set (at the location determined by the |
| [OIDC provider's configured |
| `jwks_uri`](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)), |
| and 3) (during an SSO login) to exchange an authorization code for a token. |
| |
| (Note: Starting with v2.3.0, certificate verification is _not_ skipped when |
| handling an SSO login flow if 1) you are not using the bundled Dex OIDC provider |
| and 2) you have set `oidc.config.rootCA` in the `argocd-cm` ConfigMap. |
| Certificate verification is still skipped when verifying tokens on API calls.) |
| |
| Skipping certificate verification when communicating with the OIDC provider |
| opens Argo CD to a variety of risks. For example, if an attacker can |
| successfully intercept, decrypt, and respond to requests bound for the |
| configured OIDC provider (a machine-in-the-middle attack), they could |
| theoretically issue a "valid" admin token. Verifying the OIDC provider's |
| certificate provides an extra layer of protection against such an attack. |
| |
| ### Patches |
| |
| A patch for this vulnerability has been released in the following Argo CD |
| versions: |
| |
| * v2.4.5 |
| * v2.3.6 |
| * v2.2.11 |
| |
| **Note:** |
| |
| To preserve backwards compatibility, this patch adds a |
| `oidc.tls.insecure.skip.verify` option to the `argocd-cm` ConfigMap. The default |
| is `"false"`. Before resorting to setting this, you should try to get |
| certificate verification to work. If you are using the bundled Dex instance, |
| user your Argo CD API server's [TLS |
| configuration](https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/) |
| since the API server acts as a reverse proxy to Dex. If you are using an |
| external OIDC provider, [set the `rootCA` |
| config](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider). |
| |
| If these fail, be sure you are aware of the risks before setting |
| `oidc.tls.insecure.skip.verify: "true"`. |
| |
| ### Workarounds |
| |
| There is no complete workaround besides upgrading. |
| |
| #### Partial mitigation when using an external OIDC provider |
| |
| If you are using an external OIDC provider (not the bundled Dex instance), then |
| you can mitigate the issue by setting the `oidc.config.rootCA` field in the |
| `argocd-cm` ConfigMap. If your OIDC provider's certificate is self-signed or |
| otherwise invalid, you must set the rootCA to a certificate that enables |
| verification. If the OIDC provider's certificate passes _without_ an additional |
| root CA, then you can set `oidc.config.rootCA` to a bogus non-empty string such |
| as `"force cert verification"`. The API server will log a warning, but otherwise |
| things should work fine. |
| |
| Example: |
| |
| ```yaml metadata: name: argocd-cm data: oidc.config: | ... rootCA: | force cert |
| verification ``` |
| |
| This mitigation _only_ forces certificate validation when the API server handles |
| login flows. It does not force certificate verification when verifying tokens on |
| API calls. To fully resolve the vulnerability, you must upgrade. |
| |
| ### References |
| |
| * [Argo CD SSO configuration |
| documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sso) |
| |
| ### Credits |
| |
| @jannfis and @crenshaw-dev discovered the vulnerability when reviewing notes |
| from ADA Logics' security audit of the Argo project sponsored by CNCF and |
| facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their |
| work on the audit. |
| |
| ### For more information |
| |
| * Open an issue in [the Argo CD issue |
| tracker](https://github.com/argoproj/argo-cd/issues) or |
| [discussions](https://github.com/argoproj/argo-cd/discussions) |
| * Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel |
| #argo-cd |
| cves: |
| - CVE-2022-31105 |
| ghsas: |
| - GHSA-7943-82jg-wmw5 |
| references: |
| - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5 |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-31105 |
| - package: https://github.com/argoproj/argo-cd |
| - web: https://github.com/argoproj/argo-cd/releases/tag/v2.3.6 |
| - web: https://github.com/argoproj/argo-cd/releases/tag/v2.4.5 |
| notes: |
| - 'lint: github.com/argoproj/argo-cd: bad version "2.2.11": github.com/argoproj/argo-cd@v2.2.11: invalid version: should be v0 or v1, not v2' |
| - 'lint: github.com/argoproj/argo-cd: bad version "2.3.0": github.com/argoproj/argo-cd@v2.3.0: invalid version: should be v0 or v1, not v2' |
| - 'lint: github.com/argoproj/argo-cd: bad version "2.4.0": github.com/argoproj/argo-cd@v2.4.0: invalid version: should be v0 or v1, not v2' |
| - 'lint: redundant non-advisory reference to GHSA-7943-82jg-wmw5' |