CVE-2021-43832 - FavExploit: Spinnaker RCE Vulnerability in Gate


Issue

Armory has since published updates to the code for OSS and Armory Enterprise.

The Spinnaker Security SIG received a report of a previously undisclosed RCE attack vector that bypasses authentication in Spinnaker.

This exploit allows an actor to make any resourced API call through Gate without authentication. The documented exploit affects any Spinnaker version within the last four years, but was only discovered on Dec 14th, 2021

Armory has created a placeholder CVE that has not been made public yet.  We ask that customers upgrade to a version with the fix as soon as possible.

Update Jan 3, 2022: The following CVE was published and made available today to the general public https://cve.report/CVE-2021-43832

Update Oct 28, 2022: Added CVE# to title for formatting purposes.  

Cause

RCE attack vector discovered 

CVE-2021-43832 will be tracking this issue.  This article will be updated with a link to the CVE once it has been made public

Solution

Armory has made updates to both OSS Spinnaker and Armory Enterprise to address the issue. 

Customers who are running any version of Spinnaker need to upgrade to a supported version with the fix. 

Due to the immediate and critical nature of this vulnerability, please note that the updates do not include the extra preventative measures Armory has roadmapped for the log4j CVE. These additional preventative measures will be applied in an upcoming update. For more information on Armory’s assessment of log4j please see the following article: https://support.armory.io/support?id=kb_article_view&sysparm_article=KB0010516

Armory Enterprise

2.24.x-2.27.x

Customers should follow upgrade steps outlined below

For Halyard: https://docs.armory.io/armory-enterprise/installation/guide/upgrade-spinnaker/

For Operator: https://docs.armory.io/armory-enterprise/installation/armory-operator/op-manage-spinnaker/#upgrade-armory-enterprise

Please note that there are some additional fixes and changes for the Armory releases, and customers can review the list of changes in the release notes https://docs.armory.io/armory-enterprise/release-notes/rn-armory-spinnaker/

Customers should look to upgrade to the following versions or newer:

2.24.x -> 2.24.3

2.25.x -> 2.25.1

2.26.x -> 2.26.4

2.27.x -> 2.27.2

 

OSS

Customers should follow the upgrade steps outlined below

For Halyard: https://spinnaker.io/docs/setup/install/upgrades/

For Operator, please refer to the Armory Documentation: https://docs.armory.io/armory-enterprise/installation/armory-operator/op-manage-spinnaker/#upgrade-armory-enterprise

Please note that all OSS version changes only include the resolution for this issue

1.25.x-1.26.x

1.25.x -> 1.25.8

1.26.x -> 1.26.7

 

Once the CVE is publicly available, this KB article will be published publicly.

As Tested On Version

Affects all, resolutions for specific versions 2.24.x, 2.25.x, 2.26.x, 2.27.x, 1.25.x, 1.26.x, 1.27.x