Red Hat 9038 Published by

A Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update has been released.



RHSA-2022:5840-01: Moderate: Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update
Advisory ID: RHSA-2022:5840-01
Product: Red Hat Migration Toolkit
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:5840
Issue date: 2022-08-02
CVE Names: CVE-2018-25032 CVE-2018-1000858 CVE-2019-13050
CVE-2019-17594 CVE-2019-17595 CVE-2019-18218
CVE-2019-20838 CVE-2020-14155 CVE-2020-28915
CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
CVE-2021-36084 CVE-2021-36085 CVE-2021-36086
CVE-2021-36087 CVE-2021-40528 CVE-2021-41617
CVE-2022-0778 CVE-2022-1271 CVE-2022-1365
CVE-2022-1621 CVE-2022-1629 CVE-2022-22576
CVE-2022-24407 CVE-2022-24675 CVE-2022-25313
CVE-2022-25314 CVE-2022-27666 CVE-2022-27774
CVE-2022-27776 CVE-2022-27782 CVE-2022-28327
CVE-2022-29526 CVE-2022-29824
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.3 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es):

* cross-fetch: Exposure of Private Personal Information to an Unauthorized
Actor (CVE-2022-1365)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)

* golang: syscall: faccessat checks wrong group (CVE-2022-29526)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Velero and Restic are using incorrect SCCs [OADP-BL] (BZ#2082216)

* [MTC] Migrations gets stuck at StageBackup stage for indirect runs
[OADP-BL] (BZ#2091965)

* MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes
attached to source projects" step (BZ#2099856)

* Correct DNS validation for destination namespace (BZ#2102231)

* Deselecting all pvcs from UI still results in an attempted PVC transfer
(BZ#2106073)

3. Solution:

For details on how to install and use MTC, refer to:

  https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (  https://bugzilla.redhat.com/):

2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2082216 - Velero and Restic are using incorrect SCCs [OADP-BL]
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2091965 - [MTC] Migrations gets stuck at StageBackup stage for indirect runs [OADP-BL]
2099856 - MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes attached to source projects" step
2102231 - Correct DNS validation for destination namespace
2106073 - Deselecting all pvcs from UI still results in an attempted PVC transfer

5. JIRA issues fixed (  https://issues.jboss.org/):

MIG-1155 - Update to newer ansible runner image for hooks
MIG-1242 - Must set upper bound on OADP dep to prevent jump to 1.1
MIG-1254 - Investigate impact of deprecated Docker V2 Schema 1 for MTC on OCP3.11

6. References:

  https://access.redhat.com/security/cve/CVE-2018-25032
  https://access.redhat.com/security/cve/CVE-2018-1000858
  https://access.redhat.com/security/cve/CVE-2019-13050
  https://access.redhat.com/security/cve/CVE-2019-17594
  https://access.redhat.com/security/cve/CVE-2019-17595
  https://access.redhat.com/security/cve/CVE-2019-18218
  https://access.redhat.com/security/cve/CVE-2019-20838
  https://access.redhat.com/security/cve/CVE-2020-14155
  https://access.redhat.com/security/cve/CVE-2020-28915
  https://access.redhat.com/security/cve/CVE-2020-29361
  https://access.redhat.com/security/cve/CVE-2020-29362
  https://access.redhat.com/security/cve/CVE-2020-29363
  https://access.redhat.com/security/cve/CVE-2021-36084
  https://access.redhat.com/security/cve/CVE-2021-36085
  https://access.redhat.com/security/cve/CVE-2021-36086
  https://access.redhat.com/security/cve/CVE-2021-36087
  https://access.redhat.com/security/cve/CVE-2021-40528
  https://access.redhat.com/security/cve/CVE-2021-41617
  https://access.redhat.com/security/cve/CVE-2022-0778
  https://access.redhat.com/security/cve/CVE-2022-1271
  https://access.redhat.com/security/cve/CVE-2022-1365
  https://access.redhat.com/security/cve/CVE-2022-1621
  https://access.redhat.com/security/cve/CVE-2022-1629
  https://access.redhat.com/security/cve/CVE-2022-22576
  https://access.redhat.com/security/cve/CVE-2022-24407
  https://access.redhat.com/security/cve/CVE-2022-24675
  https://access.redhat.com/security/cve/CVE-2022-25313
  https://access.redhat.com/security/cve/CVE-2022-25314
  https://access.redhat.com/security/cve/CVE-2022-27666
  https://access.redhat.com/security/cve/CVE-2022-27774
  https://access.redhat.com/security/cve/CVE-2022-27776
  https://access.redhat.com/security/cve/CVE-2022-27782
  https://access.redhat.com/security/cve/CVE-2022-28327
  https://access.redhat.com/security/cve/CVE-2022-29526
  https://access.redhat.com/security/cve/CVE-2022-29824
  https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.