- Issued: 2023-12-07
- Updated: 2023-12-07
RHSA-2023:7703 - Security Advisory
Synopsis
Important: Red Hat OpenShift Pipelines 1.10.6 release and security update
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift Pipelines 1.10.6 has been released.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Pipelines is a cloud-native continuous integration and delivery (CI/CD) solution for building pipelines using Tekton. Tekton is a flexible, Kubernetes-native, open-source CI/CD framework which enables automating deployments across multiple platforms such as Kubernetes, Serverless, and VMs by abstracting away the underlying details.
Security Fix(es):
- golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
- HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat OpenShift Pipelines consists of:
- Tekton Pipelines 0.44.x
- Tekton Triggers 0.23.x
- ClusterTasks based on Tekton Catalog
- Tekton tkn CLI 0.30.x
- Tekton Operator 0.65.x
- Tekton Chains 0.15.x (GA)
- Tekton Hub 1.12.x (TP)
- Pipelines-as-Code 0.17.x (GA)
For more information, see the Release Notes on any one of the following platforms:
- Customer Portal: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/cicd/pipelines#op-release-notes-1-12_op-release-notes
- OpenShift documentation: https://docs.openshift.com/container-platform/4.13/cicd/pipelines/op-release-notes.html#op-release-notes-1-12_op-release-notes
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat OpenShift Pipelines 1.10 x86_64
- Red Hat OpenShift Pipelines for IBM Power, little endian 1.10 ppc64le
- Red Hat OpenShift Pipelines for IBM Z and LinuxONE 1.10 s390x
- Red Hat OpenShift Pipelines for ARM 1.10 aarch64
Fixes
- BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
- BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
- SRVKP-3609 - Release OpenShift Pipelines Operator for Pipelines 1.10.6
CVEs
- CVE-2007-4559
- CVE-2022-3094
- CVE-2022-48337
- CVE-2022-48339
- CVE-2022-48468
- CVE-2023-2602
- CVE-2023-2603
- CVE-2023-3341
- CVE-2023-3899
- CVE-2023-4016
- CVE-2023-4527
- CVE-2023-4641
- CVE-2023-4806
- CVE-2023-4813
- CVE-2023-4911
- CVE-2023-22745
- CVE-2023-27536
- CVE-2023-28321
- CVE-2023-28484
- CVE-2023-29469
- CVE-2023-29491
- CVE-2023-30630
- CVE-2023-31486
- CVE-2023-32681
- CVE-2023-33460
- CVE-2023-34969
- CVE-2023-38408
- CVE-2023-39325
- CVE-2023-40217
- CVE-2023-44487
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.