Loading...

XML

Word

Printable

Type: Vulnerability
Resolution: Done
Priority: Major
Fix Version/s: 1.16.2
Affects Version/s: 1.16.0
Component/s: Operator
Labels:

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Release Note Text:

Hide
Before this update, user-workload monitoring support for workloads did not require any configuration by default. Argo CD monitoring worked automatically when deployed in any namespace. With this update, monitoring support for Argo CD deployed in non-{OCP} namespaces requires user-workload monitoring to be enabled in {OCP}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/monitoring/configuring-user-workload-monitoring#configurable-monitoring-components_preparing-to-configure-the-monitoring-stack-uwm[Enabling monitoring for user-defined projects]. link:https://issues.redhat.com/browse/GITOPS-7037[~~GITOPS-7037~~]

Show
Before this update, user-workload monitoring support for workloads did not require any configuration by default. Argo CD monitoring worked automatically when deployed in any namespace. With this update, monitoring support for Argo CD deployed in non-{OCP} namespaces requires user-workload monitoring to be enabled in {OCP}. For more information, see link: https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/monitoring/configuring-user-workload-monitoring#configurable-monitoring-components_preparing-to-configure-the-monitoring-stack-uwm [Enabling monitoring for user-defined projects]. link: https://issues.redhat.com/browse/GITOPS-7037 [ GITOPS-7037 ]
Git Pull Request:
https://github.com/redhat-developer/gitops-operator/pull/897
Intelligence Requested:
Market:
Source:
Red Hat
CVE ID:
CVE-2024-13484
CVSS Score:
8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE ID:
CWE-668
Downstream Component Name:
openshift-gitops-operator-container
Upstream Affected Component:
openshift-gitops-operator-container
Embargo Status:
False

Sprint:
GitOps Crimson Sprint 16
Severity:
Moderate

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Security Tracking Issue

Do not make this issue public.

Flaw:

Namespace Isolation Break
https://bugzilla.redhat.com/show_bug.cgi?id=2269376

Currently argocd applies the label openshift.io/cluster-monitoring to all namespaces that deploy a ArgoCD CR instance. This then allows the namespace
to create a rogue PrometheusRule that can then have adverse effects on the platform monitoring stack. As the label is applied the rule is rolled out
cluster wide.

This gives anyone who has argocd instances deployed a way to escalate out of their namespace isolation and affect the entire cluster.

~~~

Tracker accuracy feedback form: https://docs.google.com/forms/d/e/1FAIpQLSfa6zTaEGohRdiIqGVAvWTSAL0kpO_DkkEICuIHzQHFwmKswg/viewform

links to

https://github.com/redhat-developer/gitops-operator/pull/853

https://github.com/redhat-developer/gitops-operator/pull/867

https://github.com/redhat-developer/gitops-operator/pull/868

https://github.com/redhat-developer/gitops-operator/pull/869

openshift/openshift-docs#94812: RHDEVDOCS-6474: Content creation for GitOps 1.16.2 RN