Loading...

XML

Word

Printable

Type: Vulnerability
Resolution: Done
Priority: Critical
Fix Version/s: 1.15.2
Affects Version/s: 1.15.0
Component/s: Operator
Labels:

Story Points:
3
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Release Note Text:

Hide
With this change, user will need to enable user-workload in OpenShift monitoring[1] to enable argo-cd monitoring capability on a non OpenShift namespace.

1. https://docs.redhat.com/en/documentation/openshift_container_platform/4.8/html/monitoring/enabling-monitoring-for-user-defined-projects#enabling-monitoring-for-user-defined-projects_enabling-monitoring-for-user-defined-projects

Show
With this change, user will need to enable user-workload in OpenShift monitoring[1] to enable argo-cd monitoring capability on a non OpenShift namespace. 1. https://docs.redhat.com/en/documentation/openshift_container_platform/4.8/html/monitoring/enabling-monitoring-for-user-defined-projects#enabling-monitoring-for-user-defined-projects_enabling-monitoring-for-user-defined-projects
Git Pull Request:
https://github.com/redhat-developer/gitops-operator/pull/869, https://github.com/redhat-developer/gitops-operator/pull/853
Intelligence Requested:
Market:
Source:
Red Hat
CVE ID:
CVE-2024-13484
CVSS Score:
8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE ID:
CWE-668
Downstream Component Name:
openshift-gitops-operator-container
Upstream Affected Component:
openshift-gitops-operator-container
Embargo Status:
False

Sprint:
GitOps Crimson Sprint 3270, GitOps Crimson Sprint 3271, GitOps Crimson Sprint 13
Severity:
Moderate

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Security Tracking Issue

Do not make this issue public.

Flaw:

Namespace Isolation Break
https://bugzilla.redhat.com/show_bug.cgi?id=2269376

Currently argocd applies the label openshift.io/cluster-monitoring to all namespaces that deploy a ArgoCD CR instance. This then allows the namespace
to create a rogue PrometheusRule that can then have adverse effects on the platform monitoring stack. As the label is applied the rule is rolled out
cluster wide.

This gives anyone who has argocd instances deployed a way to escalate out of their namespace isolation and affect the entire cluster.

~~~

links to

openshift/openshift-docs#92626: RHDEVDOCS-6444: Content creation for GitOps 1.15.2

RHSA-2025:146544 Errata Advisory for Red Hat OpenShift GitOps v1.15.2 security update

Assignee:: Anand Singh

Reporter:: Guilherme Suckevicz

Contributors:: Anand Francis Joseph, Jayachandra Prabhakar, William Tam

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Due:: 2025/05/05

Created:: 2025/02/12 2:41 PM

Updated:: 2025/05/19 12:07 PM

Resolved:: 2025/04/03 12:41 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates