Red Hat 9062 Published by

A migration toolkit for containers (MTC) 1.7.2 security and bug fix update has been released.



RHSA-2022:5483-01: Moderate: Migration Toolkit for Containers (MTC) 1.7.2 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.7.2 security and bug fix update
Advisory ID: RHSA-2022:5483-01
Product: Red Hat Migration Toolkit
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:5483
Issue date: 2022-07-01
CVE Names: CVE-2018-25032 CVE-2020-0404 CVE-2020-4788
CVE-2020-13974 CVE-2020-19131 CVE-2020-27820
CVE-2020-35492 CVE-2021-0941 CVE-2021-3612
CVE-2021-3634 CVE-2021-3669 CVE-2021-3737
CVE-2021-3743 CVE-2021-3744 CVE-2021-3752
CVE-2021-3759 CVE-2021-3764 CVE-2021-3772
CVE-2021-3773 CVE-2021-3807 CVE-2021-4002
CVE-2021-4037 CVE-2021-4083 CVE-2021-4157
CVE-2021-4189 CVE-2021-4197 CVE-2021-4203
CVE-2021-20322 CVE-2021-21781 CVE-2021-26401
CVE-2021-29154 CVE-2021-37159 CVE-2021-41617
CVE-2021-41864 CVE-2021-42739 CVE-2021-43056
CVE-2021-43389 CVE-2021-43976 CVE-2021-44733
CVE-2021-45485 CVE-2021-45486 CVE-2022-0001
CVE-2022-0002 CVE-2022-0235 CVE-2022-0286
CVE-2022-0322 CVE-2022-0536 CVE-2022-1011
CVE-2022-1154 CVE-2022-1271 CVE-2022-23852
CVE-2022-26691
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.2 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

For details on how to install and use MTC, refer to:

  https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (  https://bugzilla.redhat.com/):

2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2038898 - [UI] ?Update Repository? option not getting disabled after adding the Replication Repository details to the MTC web console
2040693 - ?Replication repository? wizard has no validation for name length
2040695 - [MTC UI] ?Add Cluster? wizard stucks when the cluster name length is more than 63 characters
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2048537 - Exposed route host to image registry? connecting successfully to invalid registry ?xyz.com?
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2055658 - [MTC UI] Cancel button on ?Migrations? page does not disappear when migration gets Failed/Succeeded with warnings
2056962 - [MTC UI] UI shows the wrong migration type info after changing the target namespace
2058172 - [MTC UI] Successful Rollback is not showing the green success icon in the ?Last State? field.
2058529 - [MTC UI] Migrations Plan is missing the type for the state migration performed before upgrade
2061335 - [MTC UI] ?Update cluster? button is not getting disabled
2062266 - MTC UI does not display logs properly [OADP-BL]
2062862 - [MTC UI] Clusters page behaving unexpectedly on deleting the remote cluster?s service account secret from backend
2074675 - HPAs of DeploymentConfigs are not being updated when migration from Openshift 3.x to Openshift 4.x
2076593 - Velero pod log missing from UI drop down
2076599 - Velero pod log missing from downloaded logs folder [OADP-BL]
2078459 - [MTC UI] Storageclass conversion plan is adding migstorage reference in migplan
2079252 - [MTC] Rsync options logs not visible in log-reader pod
2082221 - Don't allow Storage class conversion migration if source cluster has only one storage class defined [UI]
2082225 - non-numeric user when launching stage pods [OADP-BL]
2088022 - Default CPU requests on Velero/Restic are too demanding making scheduling fail in certain environments
2088026 - Cloud propagation phase in migration controller is not doing anything due to missing labels on Velero pods
2089126 - [MTC] Migration controller cannot find Velero Pod because of wrong labels
2089411 - [MTC] Log reader pod is missing velero and restic pod logs [OADP-BL]
2089859 - [Crane] DPA CR is missing the required flag - Migration is getting failed at the EnsureCloudSecretPropagated phase due to the missing secret VolumeMounts
2090317 - [MTC] mig-operator failed to create a DPA CR due to null values are passed instead of int [OADP-BL]
2096939 - Fix legacy operator.yml inconsistencies and errors
2100486 - [MTC UI] Target storage class field is not getting respected when clusters don't have replication repo configured.

5. References:

  https://access.redhat.com/security/cve/CVE-2018-25032
  https://access.redhat.com/security/cve/CVE-2020-0404
  https://access.redhat.com/security/cve/CVE-2020-4788
  https://access.redhat.com/security/cve/CVE-2020-13974
  https://access.redhat.com/security/cve/CVE-2020-19131
  https://access.redhat.com/security/cve/CVE-2020-27820
  https://access.redhat.com/security/cve/CVE-2020-35492
  https://access.redhat.com/security/cve/CVE-2021-0941
  https://access.redhat.com/security/cve/CVE-2021-3612
  https://access.redhat.com/security/cve/CVE-2021-3634
  https://access.redhat.com/security/cve/CVE-2021-3669
  https://access.redhat.com/security/cve/CVE-2021-3737
  https://access.redhat.com/security/cve/CVE-2021-3743
  https://access.redhat.com/security/cve/CVE-2021-3744
  https://access.redhat.com/security/cve/CVE-2021-3752
  https://access.redhat.com/security/cve/CVE-2021-3759
  https://access.redhat.com/security/cve/CVE-2021-3764
  https://access.redhat.com/security/cve/CVE-2021-3772
  https://access.redhat.com/security/cve/CVE-2021-3773
  https://access.redhat.com/security/cve/CVE-2021-3807
  https://access.redhat.com/security/cve/CVE-2021-4002
  https://access.redhat.com/security/cve/CVE-2021-4037
  https://access.redhat.com/security/cve/CVE-2021-4083
  https://access.redhat.com/security/cve/CVE-2021-4157
  https://access.redhat.com/security/cve/CVE-2021-4189
  https://access.redhat.com/security/cve/CVE-2021-4197
  https://access.redhat.com/security/cve/CVE-2021-4203
  https://access.redhat.com/security/cve/CVE-2021-20322
  https://access.redhat.com/security/cve/CVE-2021-21781
  https://access.redhat.com/security/cve/CVE-2021-26401
  https://access.redhat.com/security/cve/CVE-2021-29154
  https://access.redhat.com/security/cve/CVE-2021-37159
  https://access.redhat.com/security/cve/CVE-2021-41617
  https://access.redhat.com/security/cve/CVE-2021-41864
  https://access.redhat.com/security/cve/CVE-2021-42739
  https://access.redhat.com/security/cve/CVE-2021-43056
  https://access.redhat.com/security/cve/CVE-2021-43389
  https://access.redhat.com/security/cve/CVE-2021-43976
  https://access.redhat.com/security/cve/CVE-2021-44733
  https://access.redhat.com/security/cve/CVE-2021-45485
  https://access.redhat.com/security/cve/CVE-2021-45486
  https://access.redhat.com/security/cve/CVE-2022-0001
  https://access.redhat.com/security/cve/CVE-2022-0002
  https://access.redhat.com/security/cve/CVE-2022-0235
  https://access.redhat.com/security/cve/CVE-2022-0286
  https://access.redhat.com/security/cve/CVE-2022-0322
  https://access.redhat.com/security/cve/CVE-2022-0536
  https://access.redhat.com/security/cve/CVE-2022-1011
  https://access.redhat.com/security/cve/CVE-2022-1154
  https://access.redhat.com/security/cve/CVE-2022-1271
  https://access.redhat.com/security/cve/CVE-2022-23852
  https://access.redhat.com/security/cve/CVE-2022-26691
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.