RHSA-2021:3361-01: Moderate: Migration Toolkit for Containers (MTC) 1.5.1 security and bug fix update
=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.5.1 security and bug fix update
Advisory ID: RHSA-2021:3361-01
Product: Red Hat Migration Toolkit
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:3361
Issue date: 2021-08-31
CVE Names: CVE-2021-3114 CVE-2021-3121 CVE-2021-3516
CVE-2021-3517 CVE-2021-3518 CVE-2021-3520
CVE-2021-3537 CVE-2021-3541 CVE-2021-3609
CVE-2021-3636 CVE-2021-20271 CVE-2021-21419
CVE-2021-21623 CVE-2021-21639 CVE-2021-21640
CVE-2021-21648 CVE-2021-22543 CVE-2021-22555
CVE-2021-22918 CVE-2021-25735 CVE-2021-25737
CVE-2021-27218 CVE-2021-33195 CVE-2021-33196
CVE-2021-33197 CVE-2021-33198 CVE-2021-34558
=====================================================================

1. Summary:

An update is now available for the Migration Toolkit for Containers (MTC)
1.5.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security fixes:

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: archive/zip: malformed archive may cause panic or memory
exhaustion (CVE-2021-33196)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
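The CVE-2021-33197 entry above names the flaw only by its symptom. The Go program below, added here as an illustration and not part of the advisory or of the upstream Go source, reconstructs that behaviour from the description: one routine that consults only the first Connection header value (so an empty first value leaves later hop-by-hop names untouched) beside one that walks every Connection value, both run over a constructed inbound header set. The function names, the sample header values and the X-Internal-Token header are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

// removeConnectionHeadersWeak models the behaviour described for
// CVE-2021-33197: only the FIRST Connection header value is consulted.
// When a request carries an empty first value, the hop-by-hop header
// names listed in later Connection values are never removed, so those
// headers would be forwarded to the backend.
// (Illustrative reconstruction, not the upstream Go source.)
func removeConnectionHeadersWeak(h http.Header) {
	if c := h.Get("Connection"); c != "" {
		for _, f := range strings.Split(c, ",") {
			if f = strings.TrimSpace(f); f != "" {
				h.Del(f)
			}
		}
	}
}

// removeConnectionHeadersFixed walks every Connection header value, so an
// empty first value no longer short-circuits the removal of hop-by-hop
// headers named in later values.
func removeConnectionHeadersFixed(h http.Header) {
	for _, f := range h["Connection"] {
		for _, sf := range strings.Split(f, ",") {
			if sf = textproto.TrimString(sf); sf != "" {
				h.Del(sf)
			}
		}
	}
}

// sampleHeaders builds a constructed inbound header set: an empty first
// Connection value, a second Connection value naming X-Internal-Token as
// hop-by-hop, and the X-Internal-Token header itself.
func sampleHeaders() http.Header {
	h := http.Header{}
	h.Add("Connection", "")
	h.Add("Connection", "X-Internal-Token")
	h.Set("X-Internal-Token", "should-not-reach-backend")
	h.Set("Host", "app.example.internal")
	return h
}

// forwardsToken reports whether the given stripping routine leaves the
// hop-by-hop X-Internal-Token header in place, i.e. would forward it.
func forwardsToken(strip func(http.Header)) bool {
	h := sampleHeaders()
	strip(h)
	return h.Get("X-Internal-Token") != ""
}

func main() {
	fmt.Println("weak variant forwards token: ", forwardsToken(removeConnectionHeadersWeak))  // true
	fmt.Println("fixed variant forwards token:", forwardsToken(removeConnectionHeadersFixed)) // false
}
```

The practical check for a deployment is simpler than the code: a proxy built with a Go version below the one carrying the fix, or a build vendoring an older net/http/httputil, should be rebuilt on a fixed toolchain rather than patched around in application code.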

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

  https://docs.openshift.com/container-platform/4.8/migration-toolkit-for-containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1996125 - When "None" is selected as the target storage class in the web console, the setting is ignored and the default storage class is used

5. References:

  https://access.redhat.com/security/cve/CVE-2021-3114
  https://access.redhat.com/security/cve/CVE-2021-3121
  https://access.redhat.com/security/cve/CVE-2021-3516
  https://access.redhat.com/security/cve/CVE-2021-3517
  https://access.redhat.com/security/cve/CVE-2021-3518
  https://access.redhat.com/security/cve/CVE-2021-3520
  https://access.redhat.com/security/cve/CVE-2021-3537
  https://access.redhat.com/security/cve/CVE-2021-3541
  https://access.redhat.com/security/cve/CVE-2021-3609
  https://access.redhat.com/security/cve/CVE-2021-3636
  https://access.redhat.com/security/cve/CVE-2021-20271
  https://access.redhat.com/security/cve/CVE-2021-21419
  https://access.redhat.com/security/cve/CVE-2021-21623
  https://access.redhat.com/security/cve/CVE-2021-21639
  https://access.redhat.com/security/cve/CVE-2021-21640
  https://access.redhat.com/security/cve/CVE-2021-21648
  https://access.redhat.com/security/cve/CVE-2021-22543
  https://access.redhat.com/security/cve/CVE-2021-22555
  https://access.redhat.com/security/cve/CVE-2021-22918
  https://access.redhat.com/security/cve/CVE-2021-25735
  https://access.redhat.com/security/cve/CVE-2021-25737
  https://access.redhat.com/security/cve/CVE-2021-27218
  https://access.redhat.com/security/cve/CVE-2021-33195
  https://access.redhat.com/security/cve/CVE-2021-33196
  https://access.redhat.com/security/cve/CVE-2021-33197
  https://access.redhat.com/security/cve/CVE-2021-33198
  https://access.redhat.com/security/cve/CVE-2021-34558
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.