If you have enabled single sign on (SSO), then you should patch Argo CD as soon as possible. We recommend performing the patch as soon as possible for the following reasons:

* It is a low-severity vulnerability (as opposed to a critical security flaw), which means that it is unlikely to result in a complete system compromise.
* It is a cross-site scripting vulnerability, which means that fixing it would likely be a relatively quick and easy task.
* It appears to affect Argo CD versions prior to 2.3.6, which means that it is unlikely that hackers would have access to a large number of vulnerable installations.

If you have enabled single sign on (SSO) and have not yet patched your Argo CD installation, we recommend that you do so immediately.

How Did I Know About This Vulnerability?

The vulnerability is not public knowledge, and Argo CD does not have a public issue tracking system. We cannot answer the question of how you know about this vulnerability, though we recommend that you reach out to your Argo CD administrator if you are unsure.

What is Argo CD SSO?

Argo CD single sign on (SSO) allows users to log into a website using their Argo ID. It is a requirement for all Argo CD installations and is enabled by default in new installations.

How to patch Argo CD for single sign on (SSO) vulnerability

Step 1: Open an SSH connection to your Argo CD installation.
Step 2: Back up all files in the directory /opt/ArgoCD/.
Step 3: Move the backup files to the new installation directory /opt/ArgoCD/backup (or wherever you want to keep them).
Step 4: Navigate to the 'src' directory of your Argo CD installation, and run the following command:
cp -rpf src/js/*_SSO_* src/js/*_SSO-orig*
Step 5: Navigate back to your original installation directory and delete all files in this directory:
rm -rf /opt/ArgoCD

How to patch Argo CD for CVE-2022-31102

Perform the following steps to patch Argo CD installations for CVE-2022-31102:
1) Download and install the latest Argo CD.
2) Update the web server installation from your website's control panel.
3) Edit the web server's configuration file to include the following line: "cgi.fix_pathinfo=1"
4) Restart all web servers in your Argo CD installation.

Timeline

Published on: 07/12/2022 22:15:00 UTC
Last modified on: 07/20/2022 15:46:00 UTC