Issued:
2023-11-08
Updated:
2023-11-08

RHSA-2023:6779 - Important: Red Hat OpenShift Pipelines Operator security update

Synopsis

Important: Red Hat OpenShift Pipelines Operator security update

Type/Severity

Security Advisory Important

Topic

An update is now available for OpenShift-Pipelines-1.11-RHEL-8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Pipelines is a cloud-native continuous integration and delivery (CI/CD) solution for building pipelines using Tekton. Tekton is a flexible, Kubernetes-native, open-source CI/CD framework which enables automating deployments across multiple platforms such as Kubernetes, Serverless, and VMs by abstracting away the underlying details.

Red Hat OpenShift Pipelines consists of:

Tekton Pipelines 0.47.x Tekton Triggers 0.24.x ClusterTasks based on Tekton Catalog Tekton tkn CLI 0.31.x Tekton Operator 0.67.x Tekton Chains 0.16.x (GA) Tekton Hub 1.13.x (TP) Tekton Result 0.6.0 (TP) Pipelines-as-Code 0.19.x (GA)

Features

Standard CI/CD pipelines definition

Build images with Kubernetes tools such as S2I, Buildah, Buildpacks, Kaniko, etc.

Deploy applications to multiple platforms such as Kubernetes, Serverless, and VMs

Easy to extend and integrate with existing tools

Scale pipelines on-demand

Portable across any Kubernetes platform

Designed for microservices and decentralized teams

Integrated with OpenShift Developer Console

Enhance supply chain security with Tekton Chains (Technology Preview)

Install and deploy Tekton Hub (Technology Preview) with custom catalog on enterprise cluster

Maintain pipelines definition as part of application repository with Pipelines-as-Code (PAC) (General Availability)

For more information, see the Release Notes on any one of the following platforms:

Customer Portal: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/cicd/pipelines#op-release-notes-1-11_op-release-notes

OpenShift documentation: https://docs.openshift.com/container-platform/4.13/cicd/pipelines/op-release-notes.html#op-release-notes-1-11_op-release-notes

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

ProductVersionArch
Red Hat OpenShift Pipelines1.11x86_64
Red Hat OpenShift Pipelines for IBM Z and LinuxONE1.11s390x
Red Hat OpenShift Pipelines for IBM Power, little endian1.11ppc64le
Red Hat OpenShift Pipelines for ARM1.11aarch64

Fixes

CVEs

References

Additional information