So many security bugs are, when you get right down to it, embarrassingly bad. One of the newest is Helm’s CVE-2021-32690. Helm, as all Kubernetes users know, is Kubernetes’ package manager. While working on the Helm source, a Helm core maintainer discovered — whoops! — that you could all too easily set up a situation where the username and password credentials associated with one Helm repository could be passed on to another domain. Ow.
As a refresher, you can think of Helm as just Kubernetes’ take on Linux’s yum or apt programs. True, Helm’s charts, somewhat like Linux’s RPM and DEB packages, collect all your versioned, pre-configured program resources into a deployable YAML package. And, like those Linux packages, you need to be careful what you place in them lest things go badly wrong.
So it was when a Helm core maintainer found while working on the Helm source, that there are situations where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. Say it with me, “Whoops!”
Specifically, a Helm chart repository includes an index.yaml that can contain a reference where to get the chart archive for each version of a chart. The reference can be relative to the index.yaml file or a URL to location. The URL can point to any domain and this is a feature leveraged by Helm users. If I’ve seen this technique used once, I’ve seen it used a hundred times.
So, for example, your index.yaml file can be hosted on GitHub pages while the chart archives are hosted as GitHub releases. These are on different domain names and the index.yaml file points to the other domain. So far, so normal.
But, and it’s a big but, when a username and password were associated with a Helm repository the username and password are also passed on to other domains referenced in the index.yaml file. This occurs when Helm went to retrieve a specific chart archive on the other domain.
Adding insult and injury, your username and password were passed to the URL location of the Helm repository by default. The username and password are scoped to the scheme, host, and port of the Helm repository. In short, your information gets around.
This bug is in all versions of Helm from day one until Helm 3.6. It’s been fixed now in Helm 3.61. Binaries are available for macOS, Linux, and Windows platforms.
Of course, you may need to have your username and password to access a Helm chart. You can still pass the username and password to other domains by using the new –pass-credentials flag. This flag restores the old behavior for a single repository as an opt-in behavior.
As a workaround, if you have used a username and password for a Helm repository you can audit the Helm repository to check to see if another domain could have received the credentials. To do this look in the repository’s index.yaml file for other domains in the URLs list. If there is another domain found and that chart version was pulled or installed, congratulations, the owner of that domain could have accessed your credentials. Let’s hope they didn’t and upgrade as soon as possible to Helm 3.61 to make sure you never have to worry about this again.