CVE-2022-39395: Reference

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Go. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) leaves the existing risk exposure in place. Some workarounds are available. Vela administrators can adjust the worker’s VELA_RUNTIME_PRIVILEGED_IMAGES setting to be explicitly empty, leverage the VELA_REPO_ALLOWLIST setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.
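The workarounds above can be checked mechanically against a deployment's environment. The following Go program is an added example, not part of the advisory and not Vela's own code: it takes a map of environment variables (a constructed stand-in for the worker's and server's environment) and reports the settings that leave the advisory's defaults in place. The variable names are the ones used in the advisory and in the reference below; the boolean spellings accepted by isTrue, and the decision to flag VELA_ENABLE_SECURE_COOKIE only when it is explicitly false (its default is not stated on this page), are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one weakened or default setting detected in a Vela deployment's
// environment.
type Finding struct {
	Variable string
	Problem  string
}

// isTrue interprets the boolean spellings a Vela variable may take (assumed
// set for this example).
func isTrue(v string) bool {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "1", "t", "true", "y", "yes":
		return true
	}
	return false
}

// auditVelaEnv checks the server and worker variables named in the advisory
// and the reference. env maps variable name to value; a name missing from the
// map is unset. The distinction between unset and set-to-empty is the whole
// point for VELA_RUNTIME_PRIVILEGED_IMAGES: the advisory's workaround is to set
// it to an explicitly empty value, because the unset default carries a
// built-in privileged image list.
func auditVelaEnv(env map[string]string) []Finding {
	var findings []Finding
	add := func(name, problem string) {
		findings = append(findings, Finding{Variable: name, Problem: problem})
	}

	if v, set := env["VELA_RUNTIME_PRIVILEGED_IMAGES"]; !set {
		add("VELA_RUNTIME_PRIVILEGED_IMAGES",
			"unset, so the worker's default privileged image list applies; set it to an explicitly empty value")
	} else if strings.TrimSpace(v) != "" {
		add("VELA_RUNTIME_PRIVILEGED_IMAGES",
			"lists "+v+", which will run as privileged containers; confirm every entry is intended")
	}

	if strings.TrimSpace(env["VELA_REPO_ALLOWLIST"]) == "" {
		add("VELA_REPO_ALLOWLIST",
			"empty, so any repository on the SCM can be enabled; restrict it to known org/repo entries")
	}

	if isTrue(env["VELA_DISABLE_WEBHOOK_VALIDATION"]) {
		add("VELA_DISABLE_WEBHOOK_VALIDATION",
			"true, so webhooks from the SCM are not validated before they trigger builds")
	}

	if v, set := env["VELA_ENABLE_SECURE_COOKIE"]; set && !isTrue(v) {
		add("VELA_ENABLE_SECURE_COOKIE",
			"explicitly false, so cookies are issued without the Secure flag")
	}

	return findings
}

// sampleInsecureEnv is a constructed environment resembling a fresh install:
// nothing security-relevant is set, so the advisory's defaults apply.
func sampleInsecureEnv() map[string]string {
	return map[string]string{
		"VELA_ADDR":         "https://vela.example.test", // constructed value
		"VELA_QUEUE_DRIVER": "redis",
	}
}

// sampleHardenedEnv applies the advisory's workarounds (constructed values).
func sampleHardenedEnv() map[string]string {
	return map[string]string{
		"VELA_ADDR":                      "https://vela.example.test",
		"VELA_QUEUE_DRIVER":              "redis",
		"VELA_RUNTIME_PRIVILEGED_IMAGES": "", // explicitly empty, as the advisory recommends
		"VELA_REPO_ALLOWLIST":            "myOrg1/myRepo1,myOrg1/myRepo2,myOrg2/*",
		"VELA_ENABLE_SECURE_COOKIE":      "true",
	}
}

func main() {
	for name, env := range map[string]map[string]string{
		"fresh install": sampleInsecureEnv(),
		"hardened":      sampleHardenedEnv(),
	} {
		findings := auditVelaEnv(env)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s: %s\n", f.Variable, f.Problem)
		}
	}
}
```

Run against the fresh-install sample, the audit reports the two defaults the advisory calls out (privileged images and the open repository list); against the hardened sample it reports nothing. Feeding it the real process environment is a matter of building the map from os.Environ().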


This section contains a reference of configuration options for the Vela server service.

Components

The server is made up of several components, each responsible for a specific task necessary for the service to operate:

Name       Description
compiler   transforms a pipeline into an executable workload for the worker
database   integrates with a database provider for storing application data at rest
queue      integrates with a queue provider for pushing workloads that will be run by a worker
secret     integrates with a secret provider for storing sensitive application data at rest
source     integrates with a source control management (SCM) provider for authentication and authorization

Required

This section contains a list of all variables that must be provided to the server.

VELA_ADDR

This variable sets a fully qualified URL to the Vela server address.

The variable should be provided as a string.

VELA_DATABASE_ENCRYPTION_KEY

This configuration variable is used by the database component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets the AES key for encrypting/decrypting values for data stored in the database.

The variable should be provided as a string.
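The following Go code is an added illustration, not Vela's own database code, of how a key supplied through VELA_DATABASE_ENCRYPTION_KEY is used: the key length is validated against what AES accepts before the server starts writing, and each value is sealed with AES-GCM under a fresh nonce so that a wrong key or a tampered row fails authentication instead of decrypting to garbage. The key lengths Vela itself accepts and its on-disk format are not stated on this page; the 16/24/32-byte rule and the base64(nonce || ciphertext) layout are assumptions of the example, and the keys in main are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// newDatabaseAEAD turns a key string, such as the value of
// VELA_DATABASE_ENCRYPTION_KEY, into an AES-GCM cipher. AES accepts only
// 16, 24 or 32 byte keys (AES-128/192/256), so any other length is rejected
// at startup rather than on the first write.
func newDatabaseAEAD(key string) (cipher.AEAD, error) {
	switch len(key) {
	case 16, 24, 32:
	default:
		return nil, fmt.Errorf("encryption key must be 16, 24 or 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptValue seals plaintext under a fresh random nonce and returns
// base64(nonce || ciphertext || tag), a form that fits a text column.
func encryptValue(aead cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), nil) // nonce is prepended to the output
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptValue reverses encryptValue. GCM authenticates the ciphertext, so a
// wrong key or a modified row yields an error, never silently wrong data.
func decryptValue(aead cipher.AEAD, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("stored value shorter than a nonce")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// roundTrip encrypts plaintext under encKey and decrypts it under decKey,
// returning the recovered text or the error a key mismatch produces.
func roundTrip(encKey, decKey, plaintext string) (string, error) {
	enc, err := newDatabaseAEAD(encKey)
	if err != nil {
		return "", err
	}
	dec, err := newDatabaseAEAD(decKey)
	if err != nil {
		return "", err
	}
	stored, err := encryptValue(enc, plaintext)
	if err != nil {
		return "", err
	}
	return decryptValue(dec, stored)
}

func main() {
	// Constructed 32-byte keys; a real deployment loads the key from
	// VELA_DATABASE_ENCRYPTION_KEY, never from source.
	const keyA = "0123456789abcdef0123456789abcdef"
	const keyB = "fedcba9876543210fedcba9876543210"
	out, err := roundTrip(keyA, keyA, "hook-secret-value")
	fmt.Println("same key:", out, err)
	_, err = roundTrip(keyA, keyB, "hook-secret-value")
	fmt.Println("different key:", err)
	_, err = newDatabaseAEAD("too-short")
	fmt.Println("bad length:", err)
}
```

Because the nonce is random per value, encrypting the same plaintext twice produces different stored strings; that is expected and is why the nonce travels with the ciphertext.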

VELA_QUEUE_ADDR

This configuration variable is used by the queue component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets a fully qualified URL to the queue instance for pushing workloads that will be run by a worker.

The variable should be provided as a string.

VELA_QUEUE_DRIVER

This configuration variable is used by the queue component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets the driver to use for the queue functionality for the server.

The variable should be provided as a string.

VELA_SCM_CLIENT

This configuration variable is used by the SCM component for the server.

This variable sets the client ID from the OAuth application created on the SCM system.

The variable should be provided as a string.

VELA_SCM_SECRET

This configuration variable is used by the SCM component for the server.

This variable sets the client secret from the OAuth application created on the SCM system.

The variable should be provided as a string.

VELA_SECRET

This variable sets a shared secret with the Vela worker for authenticating communication between workers and the server.

The variable should be provided as a string.

Optional

This section contains a list of all variables that can be provided to the server.

VELA_ACCESS_TOKEN_DURATION

This variable sets the maximum duration of time a Vela access token for a user is valid on the server.

The access token is used for authenticating a user’s requests to the server.

The variable can be provided as a duration (e.g. 5s, 10m).

VELA_COMPILER_GITHUB

This configuration variable is used by the compiler component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable enables using GitHub or GitHub Enterprise Server as a registry from which pipeline templates are fetched.

By default, Vela will use GitHub as a registry for fetching templates.

However, to fetch templates from a private organization or repository on GitHub, you need to provide this configuration.

The variable can be provided as a boolean.

VELA_COMPILER_GITHUB_TOKEN

This configuration variable is used by the compiler component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets a Personal Access Token (PAT) for fetching pipeline templates from GitHub or GitHub Enterprise Server.

By default, Vela will use GitHub as a registry for fetching templates.

However, to fetch templates from a private organization or repository on GitHub, you need to provide this configuration.

The variable can be provided as a string.

VELA_COMPILER_GITHUB_URL

This configuration variable is used by the compiler component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets a fully qualified URL to the GitHub or GitHub Enterprise Server instance from which pipeline templates are fetched.

By default, Vela will use GitHub as a registry for fetching templates.

However, to fetch templates from a private organization or repository on GitHub, you need to provide this configuration.

The variable can be provided as a string.

VELA_DATABASE_ADDR

This configuration variable is used by the database component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets a fully qualified URL to the database instance for storing data at rest.

The variable can be provided as a string.

VELA_DATABASE_COMPRESSION_LEVEL

This configuration variable is used by the database component for the server.

This variable sets the level of compression for workload logs, uploaded by the Vela worker, which are stored in the database.

The variable can be provided as an integer.

VELA_DATABASE_CONNECTION_IDLE

This configuration variable is used by the database component for the server.

This variable sets the maximum number of idle connections allowed for the database client.

The variable can be provided as an integer.

VELA_DATABASE_CONNECTION_LIFE

This configuration variable is used by the database component for the server.

This variable sets the maximum duration of time a connection is reusable for the database client.

The variable can be provided as a duration (e.g. 5s, 10m).

VELA_DATABASE_CONNECTION_OPEN

This configuration variable is used by the database component for the server.

This variable sets the maximum number of open connections allowed for the database client.

The variable can be provided as an integer.

VELA_DATABASE_DRIVER

This configuration variable is used by the database component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets the driver to use for the database functionality for the server.

The variable can be provided as a string.

VELA_DATABASE_SKIP_CREATION

This configuration variable is used by the database component for the server.

This variable enables skipping the creation of tables and indexes in the database system.

The variable can be provided as a boolean.

VELA_DEFAULT_BUILD_LIMIT

This variable sets the default amount of concurrent builds a repo is allowed to run.

In this context, concurrent builds refers to any pending or running builds for that repo.

If the amount of concurrent builds for a repo matches the limit, then any new builds will be blocked from being created.

The variable can be provided as an integer.

VELA_DEFAULT_BUILD_TIMEOUT

This variable sets the default duration of time a build is allowed to run on a worker.

The variable can be provided as an integer.

VELA_DISABLE_WEBHOOK_VALIDATION

This variable disables validation of webhooks sent by the SCM to the server.

The variable can be provided as a boolean.

VELA_ENABLE_SECURE_COOKIE

This variable enables using cookies with the secure flag set by the server.

The variable can be provided as a boolean.

VELA_MAX_BUILD_LIMIT

This variable sets the maximum amount of concurrent builds a repo is allowed to run.

In this context, concurrent builds refers to any pending or running builds for that repo.

If the amount of concurrent builds for a repo matches the limit, then any new builds will be blocked from being created.

The variable can be provided as an integer.

VELA_MODIFICATION_ADDR

This configuration variable is used by the compiler component for the server.

This variable sets a fully qualified URL to the modification endpoint used for the compiler.

The variable can be provided as a string.

VELA_MODIFICATION_RETRIES

This configuration variable is used by the compiler component for the server.

This variable sets the maximum number of times to resend failed requests to the modification endpoint for the compiler.

The variable can be provided as an integer.

VELA_MODIFICATION_SECRET

This configuration variable is used by the compiler component for the server.

This variable sets a shared secret for authenticating communication between the compiler and the modification endpoint.

The variable can be provided as a string.

VELA_MODIFICATION_TIMEOUT

This configuration variable is used by the compiler component for the server.

This variable sets the maximum duration of time the compiler will wait before timing out requests sent to the modification endpoint.

The variable can be provided as a duration (e.g. 5s, 10m).

VELA_PORT

This variable sets the port the server API responds on for HTTP requests.

The variable can be provided as a string.

VELA_QUEUE_CLUSTER

This configuration variable is used by the queue component for the server.

This variable enables the server to connect to a queue cluster rather than a standalone instance.

The variable can be provided as a boolean.

VELA_QUEUE_POP_TIMEOUT

This configuration variable is unused by the queue component for the server.

This variable sets the maximum duration of time the worker will wait before timing out requests sent for pushing workloads.

The variable can be provided as a duration (e.g. 5s, 10m).

VELA_QUEUE_ROUTES

This configuration variable is used by the queue component for the server.

This variable sets the unique channels or topics to push workloads to.

The variable can be provided as a comma-separated list (e.g. myRoute1,myRoute2).

VELA_REFRESH_TOKEN_DURATION

This variable sets the maximum duration of time a Vela refresh token for a user is valid on the server.

The refresh token is used for refreshing a user’s access token on the server.

The variable can be provided as a duration (e.g. 5s, 10m).

VELA_REPO_ALLOWLIST

This variable sets a group of repositories, from the SCM, that can be enabled on the server.

The variable can be provided as a comma-separated list (e.g. myOrg1/myRepo1,myOrg1/myRepo2,myOrg2/*).
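As an added example, not Vela's own implementation, the following Go code parses a VELA_REPO_ALLOWLIST value in the format shown and decides whether a given org/repo may be enabled. The matching semantics are assumptions made for the example, since the page does not state how the server evaluates the list: an org/* entry matches every repository in that org, names compare case-insensitively, a malformed entry is ignored rather than treated as a wildcard, a bare * org is not honoured, and an empty list permits nothing (the opposite of the open default the advisory describes, and the deny-by-default behaviour an operator wants).

```go
package main

import (
	"fmt"
	"strings"
)

// parseAllowlist splits a VELA_REPO_ALLOWLIST value into trimmed, non-empty
// entries in the org/repo form the reference shows.
func parseAllowlist(raw string) []string {
	var entries []string
	for _, e := range strings.Split(raw, ",") {
		if e = strings.TrimSpace(e); e != "" {
			entries = append(entries, e)
		}
	}
	return entries
}

// allowlistPermits reports whether org/repo may be enabled under entries.
// Assumed semantics: "org/repo" matches one repository, "org/*" matches every
// repository in the org, comparisons are case-insensitive, malformed entries
// and a bare "*" org are skipped, and an empty list permits nothing.
func allowlistPermits(entries []string, org, repo string) bool {
	org = strings.ToLower(strings.TrimSpace(org))
	repo = strings.ToLower(strings.TrimSpace(repo))
	if org == "" || repo == "" {
		return false
	}
	for _, e := range entries {
		parts := strings.SplitN(strings.ToLower(e), "/", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			continue // malformed entry: ignore, never widen
		}
		if parts[0] == "*" {
			continue // a wildcard org would re-open the server; not honoured here
		}
		if parts[0] == org && (parts[1] == "*" || parts[1] == repo) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed allowlist using the reference's own example value, with
	// some stray whitespace to show the trimming.
	entries := parseAllowlist("myOrg1/myRepo1, myOrg1/myRepo2,myOrg2/*")
	for _, c := range []struct{ org, repo string }{
		{"myOrg1", "myRepo1"}, {"myOrg1", "myRepo3"}, {"myOrg2", "anything"}, {"otherOrg", "myRepo1"},
	} {
		fmt.Printf("%s/%s -> %v\n", c.org, c.repo, allowlistPermits(entries, c.org, c.repo))
	}
}
```

The deny-on-malformed-entry choice is deliberate: a typo in the allowlist should shrink what can be enabled, not grow it.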

VELA_SCM_ADDR

This configuration variable is used by the SCM component for the server.

This variable sets a fully qualified URL to the source control management (SCM) system.

The variable can be provided as a string.

VELA_SCM_CONTEXT

This configuration variable is used by the SCM component for the server.

This variable sets the message to set in the commit status on the SCM system.

The variable can be provided as a string.

VELA_SCM_DRIVER

This configuration variable is used by the SCM component for the server.

This variable sets the driver to use for the SCM functionality for the server.

The variable can be provided as a string.

VELA_SCM_SCOPES

This configuration variable is used by the SCM component for the server.

This variable sets the permission scopes to apply for OAuth credentials captured from the SCM system.

The variable can be provided as a comma-separated list (e.g. myScope1,myScope2).

VELA_SCM_WEBHOOK_ADDR

This configuration variable is used by the SCM component for the server.

This variable sets a fully qualified URL on the SCM system to send webhooks to the server.

The variable can be provided as a string.

VELA_SECRET_VAULT

This configuration variable is used by the secret component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable enables using HashiCorp Vault as a secret engine.

The variable can be provided as a boolean.

VELA_SECRET_VAULT_ADDR

This configuration variable is used by the secret component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets a fully qualified URL to the HashiCorp Vault instance.

The variable can be provided as a string.

VELA_SECRET_VAULT_AUTH_METHOD

This configuration variable is used by the secret component for the server.

This variable sets the authentication method to obtain a token from the HashiCorp Vault instance.

The variable can be provided as a string.

VELA_SECRET_VAULT_AWS_ROLE

This configuration variable is used by the secret component for the server.

This variable sets the HashiCorp Vault role to connect to the auth/aws/login endpoint.

The variable can be provided as a string.

VELA_SECRET_VAULT_PREFIX

This configuration variable is used by the secret component for the server.

This variable sets the prefix for k/v secrets in the HashiCorp Vault instance.

The variable can be provided as a string.

VELA_SECRET_VAULT_RENEWAL

This configuration variable is used by the secret component for the server.

This variable sets the frequency to renew the token for the HashiCorp Vault instance.

The variable can be provided as a duration (e.g. 5s, 10m).

VELA_SECRET_VAULT_TOKEN

This configuration variable is used by the secret component for the server.

Examples using this configuration variable are provided in the above reference documentation.

This variable sets the token for accessing the HashiCorp Vault instance.

The variable can be provided as a string.

VELA_SECRET_VAULT_VERSION

This configuration variable is used by the secret component for the server.

This variable sets the version for the k/v backend for the HashiCorp Vault instance.

The variable can be provided as a string.

VELA_WEBUI_ADDR

This variable sets a fully qualified URL to the Vela UI address.

The variable can be provided as a string.

VELA_WEBUI_OAUTH_CALLBACK_PATH

This variable sets the endpoint to use for the OAuth callback path for the Vela UI.

The variable can be provided as a string.

VELA_WORKER_ACTIVE_INTERVAL

This variable sets the interval of time during which a worker is considered active. A worker is considered active if it has registered with the server within the given duration.

The variable can be provided as a duration (e.g. 5s, 10m).

Related news

GHSA-5m7g-pj8w-7593: Vela Insecure Defaults

### Impact

Some current default configurations for Vela allow exploitation and container breakouts.

#### Default Privileged Images

Running Vela plugins as privileged Docker containers allows a malicious user to easily break out of the container and gain access to the worker host operating system. On a fresh install of Vela without any additional configuration, the `target/vela-docker` plugin will run as a privileged container, even if the Vela administrators did not intend to allow for any privileged plugins, and even if the `vela.yml` configuration file does not use the `privileged = True` flag. Privileged containers permit trivial breakouts, which can pose significant risk to the environment in which Vela is running.

#### Default Allowed Repositories

On a fresh install of Vela, anyone with a GitHub account (or other enabled source control management solution) is allowed to enable a repository within Vela and run builds. This means that, if a Vela instance is accessible to the pu...
