Quick Start
Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.3.8/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.3.8/manifests/ha/install.yaml
Security fixes
CVE-2022-39222 is a backchannel attack against the Dex OIDC provider. If your Argo CD instance is impacted, an attacker could use the process described in the vulnerability description to steal an Argo CD token from some Argo CD user. The attacker could then impersonate the targeted user and act with the victim's privileges.
Am I impacted?
This Dex vulnerability impacts Argo CD users who either 1) use the bundled Dex instance for OIDC or 2) use an external Dex instance running Dex <= 2.34.x.
If you do not use Dex, then you are not impacted.
Bundled Dex
To determine if you use the bundled Dex instance, run this command, replacing argocd with the namespace where your Argo CD instance is installed:
kubectl get cm -n argocd argocd-cm -ojson | jq '.data["dex.config"] != null'
If that command prints true, then you use the bundled Dex instance, and you should upgrade.
External Dex
To determine if you use an external Dex instance, run this command:
kubectl get cm -n argocd argocd-cm -ojson | jq '.data["oidc.config"]'
That will print your Argo CD instance's OIDC config. It might be obvious whether the OIDC provider is Dex (for example, the word dex might be in the URL). Or you might have to contact whoever manages the configured OIDC provider to ask.
You will also have to check with whoever manages the Dex instance to determine if it is still running a vulnerable version (<= 2.34.x).
How can I resolve the vulnerability as a user of the bundled Dex instance?
Upgrading Dex is the only way to resolve the vulnerability.
If you're using the manifests from the argo-cd repository to install Argo CD, the easiest way to resolve the vulnerability is to use the latest release's manifests, which point to the Dex 2.35.0 image. If you do not want to upgrade the full manifest, then you can manually change the Dex image tags in your deployed manifests to use a >= 2.35.0 tag.
If you're using the argo-helm argo-cd chart, you can either upgrade to 5.5.8, which points to the new Dex version, or you can set the dex.image.tag parameter to a >= 2.35.0 tag.
To confirm that you are using a patched version of Dex, use this command (replacing argocd with the namespace where your Argo CD instance is deployed):
kubectl get deployment -n argocd argocd-dex-server -ojson | jq '.spec.template.spec.containers[0].image'
The image tag should point to a Dex version >= 2.35.0.
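The kubectl/jq command above prints an image reference, and the reader still has to judge the tag by eye. The following POSIX shell script is an added example, not part of the Argo CD release notes or the project's code: it extracts the tag from an image reference (handling a registry port, a missing tag, and a trailing digest) and decides whether it is a release at or above the patched 2.35.0. The same version check applies to the tag reported by whoever manages an external Dex instance. It assumes Dex follows the vMAJOR.MINOR.PATCH tag scheme, that suffixed tags such as v2.35.0-alpine carry the same release, and that a tag it cannot parse (for example latest) should be treated as unverified rather than safe. The sample image references at the bottom are constructed.

```shell
#!/bin/sh
# Added example: judge a Dex image tag against the patched release 2.35.0.
# Not from the Argo CD release notes; assumes dexidp/dex-style tags (vX.Y.Z[-variant]).

# dex_image_tag IMAGE -> prints the tag of an image reference, "latest" if absent.
dex_image_tag() {
    image=$1
    # Drop a trailing digest (image@sha256:...) so its colon is not mistaken for a tag.
    image=${image%%@*}
    # Only a colon in the last path component is a tag separator; a colon before
    # the last slash belongs to a registry port (localhost:5000/...).
    path_part=${image##*/}
    case $path_part in
        *:*) printf '%s\n' "${path_part##*:}" ;;
        *)   printf 'latest\n' ;;
    esac
}

# dex_tag_is_patched TAG -> returns 0 if TAG is a release >= 2.35.0, 1 otherwise.
dex_tag_is_patched() {
    tag=${1#v}          # tolerate a leading "v"
    tag=${tag%%-*}      # assumption: v2.35.0-alpine is the same release as v2.35.0
    # Anything that is not plain MAJOR.MINOR.PATCH (e.g. "latest", a branch name)
    # cannot be verified and is reported as unpatched.
    case $tag in
        *[!0-9.]*|"") return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $tag
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 2 ]; then
        return 0
    elif [ "$major" -lt 2 ]; then
        return 1
    elif [ "$minor" -ge 35 ]; then
        return 0
    fi
    return 1
}

# check_dex_image IMAGE -> prints a verdict and returns 0 only when patched.
check_dex_image() {
    img_tag=$(dex_image_tag "$1")
    if dex_tag_is_patched "$img_tag"; then
        printf 'OK: %s (tag %s) is >= 2.35.0\n' "$1" "$img_tag"
        return 0
    fi
    printf 'ACTION NEEDED: %s (tag %s) is not a verified patched release\n' "$1" "$img_tag"
    return 1
}

# Constructed sample values standing in for the output of the kubectl/jq command.
for img in 'ghcr.io/dexidp/dex:v2.34.0' \
           'ghcr.io/dexidp/dex:v2.35.0-alpine' \
           'localhost:5000/dexidp/dex' \
           'ghcr.io/dexidp/dex:v2.35.0@sha256:0000000000000000000000000000000000000000000000000000000000000000'; do
    check_dex_image "$img" || :
done
```

To use it against a live cluster, pipe the output of the kubectl/jq command above through `tr -d '"'` and pass the result to check_dex_image; a non-zero exit status means the image still needs to be changed.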