¡¾Îó²îͨ¸æ¡¿Argo CD¾Ü¾øÐ§ÀÍÎó²î£¨CVE-2024-40634£©
Ðû²¼Ê±¼ä 2024-07-23Ò»¡¢Îó²î¸ÅÊö
Îó²îÃû³Æ | Argo CD¾Ü¾øÐ§ÀÍÎó²î | ||
CVE ID | CVE-2024-40634 | ||
Îó²îÀàÐÍ | Dos | ·¢Ã÷ʱ¼ä | 2024-07-04 |
Îó²îÆÀ·Ö | 7.5 | Îó²îÆ·¼¶ | ¸ßΣ |
¹¥»÷ÏòÁ¿ | ÍøÂç | ËùÐèȨÏÞ | ÎÞ |
ʹÓÃÄÑ¶È | µÍ | Óû§½»»¥ | ÎÞ |
PoC/EXP | ÒѹûÕæ | ÔÚҰʹÓà | δ·¢Ã÷ |
Argo CDÊÇÓÃÓÚKubernetesµÄÉùÃ÷ʽGitOpsÒ»Á¬½»¸¶¹¤¾ß¡£¡£¡£¡£¡£¡£
2024Äê7ÔÂ23ÈÕ£¬£¬£¬£¬£¬¼øºÚµ£±£Íø¼¯ÍÅVSRC¼à²âµ½Argo CDÖÐÐÞ¸´ÁËÒ»¸ö¾Ü¾øÐ§ÀÍÎó²î£¨CVE-2024-40634£©£¬£¬£¬£¬£¬ÆäCVSSÆÀ·ÖΪ7.5£¬£¬£¬£¬£¬ÏÖÔÚ¸ÃÎó²îµÄϸ½Ú¼°PoCÒѹûÕæ¡£¡£¡£¡£¡£¡£
Argo CD¶à¸öÊÜÓ°Ïì°æ±¾Öб£´æ¾Ü¾øÐ§ÀÍÎó²î£¬£¬£¬£¬£¬Î´¾Éí·ÝÑéÖ¤µÄÔ¶³ÌÍþвÕß¿ÉÒÔÏò /api/webhook¶Ëµã£¨Ä¬ÈÏÇéÐÎϲ»ÐèÒªÉí·ÝÑéÖ¤£©·¢ËÍÌØÖÆ¶ñÒâÇëÇ󣬣¬£¬£¬£¬´Ó¶øµ¼ÖÂÄÚ´æ·ÖÅɹý¶à£¬£¬£¬£¬£¬½ø¶ø´¥·¢ÄÚ´æÈ±·¦ (OOM) ÖÕÖ¹£¬£¬£¬£¬£¬Ôì³É¾Ü¾øÐ§ÀÍ¡£¡£¡£¡£¡£¡£
¶þ¡¢Ó°Ïì¹æÄ£
1.0.0 <= Argo CD <= 1.8.7
Argo CD < 2.9.20
2.10.0 <= Argo CD < 2.10.15
2.11.0 <= Argo CD < 2.11.6
Èý¡¢Çå¾²²½·¥
3.1 Éý¼¶°æ±¾
ÏÖÔÚ¸ÃÎó²îÒѾÐÞ¸´£¬£¬£¬£¬£¬ÊÜÓ°ÏìÓû§¿ÉÉý¼¶µ½Argo CD v2.11.6¡¢v2.10.15¡¢v2.9.20»ò¸ü¸ß°æ±¾¡£¡£¡£¡£¡£¡£
ÏÂÔØÁ´½Ó£º
https://github.com/argoproj/argo-cd/releases
3.2 ÔÝʱ²½·¥
ʵÑéÉí·ÝÑéÖ¤¡£¡£¡£¡£¡£¡£È·±£/api/webhook ¶ËµãÒªÇóÉí·ÝÑéÖ¤£¬£¬£¬£¬£¬ÑéÖ¤ËùÓлá¼ûwebhook ¶ËµãµÄÇëÇóÊÇ·ñÀ´×Ô¿ÉÐŵÄÔ´£¬£¬£¬£¬£¬²¢ÇÒ¾ßÓÐÊʵ±µÄȨÏÞ¡£¡£¡£¡£¡£¡£
ÏÞÖÆÇëÇó¾Þϸ¡£¡£¡£¡£¡£¡£ÔÚЧÀÍÆ÷»òÓ¦ÓòãÃæÊµÑéÇëÇóÌå¾ÞϸÏÞÖÆ£¬£¬£¬£¬£¬¿É±ÜÃâЧÀÍÆ÷ʵÑéÆÊÎö¹ý´óµÄÇëÇ󣬣¬£¬£¬£¬´Ó¶ø×èÖ¹ÄÚ´æºÄ¾¡¡£¡£¡£¡£¡£¡£
¼à¿ØºÍÈÕÖ¾¼Í¼¡£¡£¡£¡£¡£¡£¶Ô/api/webhook ¶Ëµã¾ÙÐÐ¼à¿Ø£¬£¬£¬£¬£¬ÒÔ¼ì²âÒì³£ÐÐΪ£¨Èç´ó×ÚÀ´×ÔͳһԴµÄÇëÇ󣩣¬£¬£¬£¬£¬¼Í¼ËùÓлá¼ûwebhook ¶ËµãµÄÇëÇóµÄÏêϸÐÅÏ¢£¬£¬£¬£¬£¬ÒÔ±ãÔÚ±¬·¢Çå¾²ÊÂÎñʱ¾ÙÐÐʺóÆÊÎö¡£¡£¡£¡£¡£¡£
3.3 ͨÓý¨Òé
l °´ÆÚ¸üÐÂϵͳ²¹¶¡£¬£¬£¬£¬£¬ïÔÌϵͳÎó²î£¬£¬£¬£¬£¬ÌáÉýЧÀÍÆ÷µÄÇå¾²ÐÔ¡£¡£¡£¡£¡£¡£
l ÔöǿϵͳºÍÍøÂçµÄ»á¼û¿ØÖÆ£¬£¬£¬£¬£¬Ð޸ķÀ»ðǽսÂÔ£¬£¬£¬£¬£¬¹Ø±Õ·ÇÐëÒªµÄÓ¦Óö˿ڻòЧÀÍ£¬£¬£¬£¬£¬ïÔ̽«Î£ÏÕЧÀÍ£¨ÈçSSH¡¢RDPµÈ£©Ì»Â¶µ½¹«Íø£¬£¬£¬£¬£¬ïÔ̹¥»÷Ãæ¡£¡£¡£¡£¡£¡£
l ʹÓÃÆóÒµ¼¶Çå¾²²úÆ·£¬£¬£¬£¬£¬ÌáÉýÆóÒµµÄÍøÂçÇå¾²ÐÔÄÜ¡£¡£¡£¡£¡£¡£
l ÔöǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬£¬£¬£¬£¬ÆôÓöàÒòËØÈÏÖ¤»úÖÆºÍ×îСȨÏÞÔÔò£¬£¬£¬£¬£¬Óû§ºÍÈí¼þȨÏÞÓ¦¼á³ÖÔÚ×îµÍÏÞ¶È¡£¡£¡£¡£¡£¡£
l ÆôÓÃÇ¿ÃÜÂëÕ½ÂÔ²¢ÉèÖÃΪ°´ÆÚÐ޸ġ£¡£¡£¡£¡£¡£
3.4 ²Î¿¼Á´½Ó
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
https://nvd.nist.gov/vuln/detail/CVE-2024-40634
ËÄ¡¢°æ±¾ÐÅÏ¢
°æ±¾ | ÈÕÆÚ | ±¸×¢ |
V1.0 | 2024-07-23 | Ê×´ÎÐû²¼ |
Îå¡¢¸½Â¼
5.1 ¼øºÚµ£±£Íø¼ò½é
¼øºÚµ£±£Íø½¨ÉèÓÚ1996Ä꣬£¬£¬£¬£¬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ½¨ÉèµÄ¡¢ÓµÓÐÍêÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢Çå¾²¸ß¿Æ¼¼ÆóÒµ¡£¡£¡£¡£¡£¡£ÊǺ£ÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢Çå¾²²úÆ·¡¢Ç徲ЧÀͽâ¾ö¼Æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£¡£¡£¡£¡£¡£
¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°¼øºÚµ£±£Íø´óÏ㬣¬£¬£¬£¬¹«Ë¾Ô±¹¤6000ÓàÈË£¬£¬£¬£¬£¬Ñз¢ÍŶÓ1200ÓàÈË, ÊÖÒÕЧÀÍÍŶÓ1300ÓàÈË¡£¡£¡£¡£¡£¡£ÔÚÌìϸ÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬£¬£¬£¬£¬ÓµÓÐÁýÕÖÌìϵÄÏúÊÛϵͳ¡¢ÇþµÀϵͳºÍÊÖÒÕÖ§³Öϵͳ¡£¡£¡£¡£¡£¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉîÛÚÖÐС°å¹ÒÅÆÉÏÊС£¡£¡£¡£¡£¡££¨¹ÉƱ´úÂ룺002439£©
¶àÄêÀ´£¬£¬£¬£¬£¬¼øºÚµ£±£ÍøÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷Á¢ÒìµÄÇå¾²²úÆ·ºÍ×î¼Ñʵ¼ùЧÀÍ£¬£¬£¬£¬£¬×ÊÖú¿Í»§ÖÜÈ«ÌáÉýÆäIT»ù´¡ÉèÊ©µÄÇå¾²ÐÔºÍÉú²úЧÄÜ£¬£¬£¬£¬£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Çå¾²¹¤ÒµÁì¾üÆ·ÅÆ¶ø²»Ð¸Æð¾¢¡£¡£¡£¡£¡£¡£
5.2 ¹ØÓÚ¼øºÚµ£±£Íø
¼øºÚµ£±£ÍøÇå¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÒÑÐû²¼1000¶à¸öÎó²îͨ¸æºÍΣº¦Ô¤¾¯£¬£¬£¬£¬£¬ÎÒÃǽ«Ò»Á¬¸ú×ÙÈ«Çò×îеÄÍøÂçÇå¾²ÊÂÎñºÍÎó²î£¬£¬£¬£¬£¬ÎªÆóÒµµÄÐÅÏ¢Çå¾²±£¼Ý»¤º½¡£¡£¡£¡£¡£¡£
¹Ø×¢ÎÒÃÇ£º