Disable HTTP/2 for webhook #7235
Assignees
Labels
kind/security
Categorizes issue or PR as related to a security issue
priority/critical-urgent
Highest priority. Must be actively worked on as someone's top priority right now.
Comments
tekton-robot
added
the
kind/security
vdemeester
added
the
priority/critical-urgent
|
@tektoncd/core-maintainers what do we do around GHSA-qppj-fm5r-hxr3 ? As linked by @khrm in kubernetes/kubernetes#121197 most project seems to disable |
|
Disabling HTTP2 sounds fine though do we know to what extent do we think our webhooks are impacted? Our webhooks are internal only right i.e. its the API server that is sending requests vs an untrusted user. So, ensuring the API server has mitigated this attack is critical |
|
@khrm @vdemeester is this still a critical/urgent? |
|
From @khrm - this fix comes from knative, we should update our dependency when it is fixed |
7 tasks
|
/assign @khrm |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We need to disable HTTP/2 for webhooks.
"
The go runtime does have a fix to mitigate the CVE-2023-44487 to a degree, but as kubernetes/kubernetes#121197 shows, a single connection attempting to perform a denial-of-service attack against a go-based HTTP/2 server resulted in the server process quickly consuming 5 GB of memory. Additional connections would likely result in an OOM situation very quickly.
"
Please check this: kubernetes/kubernetes#121197
/kind security
The text was updated successfully, but these errors were encountered: