Open Source Technology Improvement Fund is happy to report the results of yet another security audit, this time of the Argo project. The Argo project is a collection of tools for getting work done with Kubernetes. The main components of Argo audited are: 

  1. Argo Workflows – Container-native Workflow Engine
  2. Argo CD – Declarative GitOps Continuous Delivery
  3. Argo Events – Event-based Dependency Manager

The audit found 26 security issues, including 1 critical and 4 high-severity bugs, which have been fixed. The most significant finding is a cross-site scripting (XSS) vulnerability in Argo CD (https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj) that allows an attacker to execute JavaScript in the Argo CD UI in the browser session of a logged-in user. Because Argo CD deploys and manages resources in the clusters it controls, such code execution could be leveraged to take admin control of the Kubernetes cluster.

Additionally, the Ada Logics team built 7 new fuzzers, focused on security-relevant functions, for integration into Argo’s OSS-Fuzz test suite. The Argo team and community demonstrated a strong commitment to improving the project’s security posture. See the full report and the Argo team’s synopsis, linked below, for detailed information.

Thank you to Cloud Native Computing Foundation (CNCF) for funding this audit and entrusting Open Source Technology Improvement Fund to facilitate it. 

Special thanks to David Korczynski and Adam Korczynski of Ada Logics for auditing the software, and to the Argo team (Alex Collins, Derek Wang, Hari Rongali, Henrik Blixt, Jann Fischer, Michael Crenshaw and Jesse Suen) for their committed support. Strong collaboration between the review team and the project maintainers, together with help from the community, makes the audit process far more impactful.

Everyone around the world depends on OSS. We’d love to do more security audits to proactively find and fix vulnerabilities! If you’re interested in financially supporting this work, contact [email protected].

References: 

Argo Full Audit Report: https://ostif.org/wp-content/uploads/2022/07/ostif_argo_security_audit_2022.pdf

Ada Logics Blog: https://adalogics.com/blog/argo-security-audit

Argo Blog:

Cloud Native Computing Foundation Announcement: