CVE-2021-43832
📋 TL;DR
CVE-2021-43832 is a critical authentication bypass vulnerability in Spinnaker, an open-source continuous delivery platform. It allows any user with access to the gate endpoint to create and execute pipelines without authentication, potentially leading to unauthorized deployment of resources across cloud accounts. This affects all Spinnaker users who have not configured Role-Based Access Control (RBAC).
💻 Affected Systems
- Spinnaker
📦 What is this software?
Spinnaker by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
An attacker could remotely execute arbitrary pipelines to deploy malicious resources, compromise cloud infrastructure, and cause widespread data breaches or service disruption across all connected accounts.
Likely Case
Unauthorized users could create and run pipelines to deploy unintended applications or configurations, leading to operational issues, data exposure, or resource misuse in cloud environments.
If Mitigated
With RBAC properly enabled and application access restricted, the impact is limited to authorized users only, preventing unauthorized pipeline creation and execution.
🎯 Exploit Status
Exploitation is straightforward as it involves sending unauthenticated requests to the gate endpoint; no advanced skills required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest releases of supported branches (e.g., 1.27.4, 1.26.6, 1.25.10); refer to vendor advisory for exact versions.
Vendor Advisory: https://github.com/spinnaker/spinnaker/security/advisories/GHSA-9h7c-rfrp-gvgp
Restart Required: Yes
Instructions:
1. Identify your Spinnaker version.
2. Upgrade to the latest patched version for your branch.
3. Restart Spinnaker services to apply the patch.
4. Verify RBAC is enabled post-upgrade.
🔧 Temporary Workarounds
Enable RBAC on All Accounts and Applications
Configure Role-Based Access Control so that only authorized users can create and execute pipelines. Via Halyard (after an authorization role provider has been configured):
hal config security authz enable   # enable authorization (Fiat)
hal deploy apply                   # roll the change out to the running services
Restrict Application Access with Wildcards
Block application creation and access unless explicit permissions have been granted, using wildcard patterns in the permission configuration.
# In the Spinnaker configuration files (e.g., settings-local.yml), set permissions that restrict application access to explicitly authorized roles.
🧯 If You Can't Patch
- Immediately enable RBAC on ALL accounts and applications to mitigate unauthorized pipeline execution.
- Block network access to the gate endpoint for untrusted users and restrict application creation via appropriate wildcards.
🔍 How to Verify
Check if Vulnerable:
Check if RBAC is disabled and if unauthenticated requests to the gate endpoint (e.g., /pipelines) succeed; review Spinnaker configuration files for auth settings.
Check Version:
Run hal version list, or check the Spinnaker service logs for version information.
Verify Fix Applied:
After patching, confirm RBAC is enabled and test that unauthenticated requests to create or execute pipelines are denied; verify version is updated.
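The "Verify Fix Applied" step above can be scripted. The following is an added example, not code from the advisory or the Spinnaker project: it sends unauthenticated, read-only GET requests to gate and reports whether each is denied (401/403), redirected to a login page, or answered with data. It assumes gate is reachable at the URL given on the command line (default http://localhost:8084, gate's usual port) and that the probed paths exist as read-only gate endpoints; nothing is created or executed.

```python
# Added example (not from the advisory or the Spinnaker project): confirm that
# gate rejects unauthenticated requests after patching or after enabling RBAC.
# Assumptions: GATE_URL points at your gate service and the paths below are
# read-only gate endpoints.  The fetcher is injectable so the logic is testable.
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict

# Read-only paths to probe (assumed gate endpoints); nothing is mutated.
PROBE_PATHS = ("/applications", "/auth/user")

Fetcher = Callable[[str], int]


def fetch_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status of an unauthenticated GET, without following redirects."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # stop here so a redirect to the login page stays visible

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 and unfollowed 3xx responses land here


def classify(status: int) -> str:
    """Map an HTTP status to a verdict for an unauthenticated request."""
    if status in (401, 403):
        return "denied"
    if status in (301, 302, 303, 307, 308):
        return "redirected"  # normally to the login page; treat as denied
    if 200 <= status < 300:
        return "ALLOWED"  # data served without credentials: auth is not enforced
    return f"other({status})"


def audit_gate(base_url: str, paths=PROBE_PATHS, fetch: Fetcher = fetch_status) -> Dict[str, str]:
    """Probe each path unauthenticated and return path -> verdict."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in paths}


def is_exposed(results: Dict[str, str]) -> bool:
    """True if any probe was answered with data instead of being rejected."""
    return any(verdict == "ALLOWED" for verdict in results.values())


if __name__ == "__main__":
    gate = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8084"
    report = audit_gate(gate)
    for path, verdict in report.items():
        print(f"{path}: {verdict}")
    sys.exit(1 if is_exposed(report) else 0)
```

A non-zero exit means at least one probe returned data without credentials, which is the condition the fix and the RBAC workaround are meant to remove; a redirect is counted as denied because gate sends browsers to the login flow rather than answering 401 for some paths.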
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to pipeline creation endpoints in gate logs
- Unexpected pipeline executions or deployments from unknown users
Network Indicators:
- Unusual HTTP POST requests to /pipelines or similar gate endpoints from unauthorized IPs
SIEM Query:
Example: 'source="spinnaker-gate" AND (url_path="/pipelines" OR action="createPipeline") AND user="anonymous"'
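The log indicators and SIEM query above can be turned into a small detection that runs over gate access logs. The following is an added example, not code from the advisory or the Spinnaker project; the JSON-per-line log format and the sample lines are constructed for the example (real gate logs differ, so parse_line() must be adapted to your deployment). It flags mutating requests to pipeline endpoints from an anonymous or missing user, rates those that succeeded (2xx) as high severity, and summarizes hits by source address.

```python
# Added example (not from the advisory): apply the "Log Indicators" above to
# gate access-log lines.  The log format here is constructed for the example;
# adapt parse_line() to the fields your gate deployment actually emits.
import json
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines (not real gate output), one JSON object per line.
SAMPLE_LOG = """
{"ts":"2021-12-20T10:00:01Z","src":"10.0.0.5","user":"alice","method":"GET","path":"/applications","status":200}
{"ts":"2021-12-20T10:00:07Z","src":"203.0.113.9","user":"anonymous","method":"POST","path":"/pipelines","status":200}
{"ts":"2021-12-20T10:00:09Z","src":"203.0.113.9","user":"anonymous","method":"POST","path":"/pipelines/start","status":200}
{"ts":"2021-12-20T10:00:12Z","src":"203.0.113.9","user":"anonymous","method":"POST","path":"/pipelines","status":401}
{"ts":"2021-12-20T10:01:00Z","src":"10.0.0.7","user":"bob","method":"POST","path":"/pipelines","status":200}
not json at all
""".strip()

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
PIPELINE_PATH_PREFIX = "/pipelines"  # the endpoint family named in the indicators


def parse_line(line: str) -> Optional[Dict]:
    """Parse one JSON log line; return None for malformed or incomplete records."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not {"method", "path", "status"} <= rec.keys():
        return None
    return rec


def is_anonymous(rec: Dict) -> bool:
    """Unauthenticated requests show up with no user, an empty user, or 'anonymous'."""
    return rec.get("user") in (None, "", "anonymous")


def flag_events(log_text: str) -> List[Dict]:
    """Return pipeline-creation/execution requests made without an authenticated user."""
    hits: List[Dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"].upper() not in MUTATING_METHODS:
            continue
        if not rec["path"].startswith(PIPELINE_PATH_PREFIX):
            continue
        if not is_anonymous(rec):
            continue
        # A 2xx means the unauthenticated request was honored: the bypass worked.
        severity = "high" if 200 <= int(rec["status"]) < 300 else "attempt"
        hits.append({**rec, "severity": severity})
    return hits


def summarize_by_source(hits: List[Dict]) -> Dict[str, int]:
    """Count flagged requests per source address for triage."""
    return dict(Counter(hit.get("src", "unknown") for hit in hits))


if __name__ == "__main__":
    found = flag_events(SAMPLE_LOG)
    for hit in found:
        print(f"[{hit['severity']}] {hit['ts']} {hit['src']} {hit['method']} {hit['path']} -> {hit['status']}")
    print("by source:", summarize_by_source(found))
```

Rejected attempts (non-2xx) are kept as lower-severity hits because a burst of them from one source is still worth a look, while any 2xx from an anonymous user on a pipeline endpoint indicates that authentication was not enforced at the time of the request.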