Important: Red Hat OpenShift Pipelines Operator security update

Topic

An update is now available for OpenShift-Pipelines-1.11-RHEL-8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Pipelines is a cloud-native continuous integration and delivery (CI/CD) solution for building pipelines using Tekton. Tekton is a flexible, Kubernetes-native, open-source CI/CD framework which enables automating deployments across multiple platforms such as Kubernetes, Serverless, and VMs by abstracting away the underlying details.

Red Hat OpenShift Pipelines consists of:

Tekton Pipelines 0.47.x
Tekton Triggers 0.24.x
ClusterTasks based on Tekton Catalog
Tekton tkn CLI 0.31.x
Tekton Operator 0.67.x
Tekton Chains 0.16.x (GA)
Tekton Hub 1.13.x (TP)
Tekton Result 0.6.0 (TP)
Pipelines-as-Code 0.19.x (GA)

## Features

Standard CI/CD pipelines definition

Build images with Kubernetes tools such as S2I, Buildah, Buildpacks, Kaniko, etc.

Deploy applications to multiple platforms such as Kubernetes, Serverless, and VMs

Easy to extend and integrate with existing tools

Scale pipelines on-demand

Portable across any Kubernetes platform

Designed for microservices and decentralized teams

Integrated with OpenShift Developer Console

Enhance supply chain security with Tekton Chains (Technology Preview)

Install and deploy Tekton Hub (Technology Preview) with custom catalog on enterprise cluster

Maintain pipelines definition as part of application repository with Pipelines-as-Code (PAC) (General Availability)

For more information, see the Release Notes on any one of the following platforms:

Customer Portal: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/cicd/pipelines#op-release-notes-1-11_op-release-notes

OpenShift documentation: https://docs.openshift.com/container-platform/4.13/cicd/pipelines/op-release-notes.html#op-release-notes-1-11_op-release-notes

Security Fix(es):

• golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
• HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Pipelines 1.11 x86_64
• Red Hat OpenShift Pipelines for IBM Power, little endian 1.11 ppc64le
• Red Hat OpenShift Pipelines for IBM Z and LinuxONE 1.11 s390x
• Red Hat OpenShift Pipelines for ARM 1.11 aarch64

Fixes

• BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
• BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
• SRVKP-3402 - Release OpenShift Pipelines Operator for 1.11.2

CVEs

• CVE-2023-2602
• CVE-2023-2603
• CVE-2023-3341
• CVE-2023-3899
• CVE-2023-4527
• CVE-2023-4806
• CVE-2023-4813
• CVE-2023-4911
• CVE-2023-27536
• CVE-2023-28321
• CVE-2023-28484
• CVE-2023-29469
• CVE-2023-29491
• CVE-2023-30630
• CVE-2023-32681
• CVE-2023-34969
• CVE-2023-39325
• CVE-2023-40217
• CVE-2023-44487

References

• https://access.redhat.com/security/updates/classification/#important
• https://docs.openshift.com/container-platform/4.13/cicd/pipelines/understanding-openshift-pipelines.html
• https://access.redhat.com/security/vulnerabilities/RHSB-2023-003