Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: secure redis authentication [CVE-2024-31989] (#1364) #1371

Merged
merged 1 commit into from
May 22, 2024

Conversation

iam-veeramalla
Copy link
Collaborator

What type of PR is this?

/kind bug

What does this PR do / why we need it:
Fix CVE-2024-31989

It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.

Have you updated the necessary documentation?
NA

Which issue(s) this PR fixes:

Fixes CVE-2024-31989

How to test changes / Special notes to the reviewer:

@iam-veeramalla iam-veeramalla merged commit 2143144 into argoproj-labs:release-0.8 May 22, 2024
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant