
A Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update has been released.



RHSA-2022:6429-01: Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update
Advisory ID: RHSA-2022:6429-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6429
Issue date: 2022-09-13
CVE Names: CVE-2018-25032 CVE-2019-5827 CVE-2019-13750
CVE-2019-13751 CVE-2019-17594 CVE-2019-17595
CVE-2019-18218 CVE-2019-19603 CVE-2019-20838
CVE-2020-8559 CVE-2020-13435 CVE-2020-14155
CVE-2020-15586 CVE-2020-16845 CVE-2020-24370
CVE-2020-28493 CVE-2020-28500 CVE-2021-3580
CVE-2021-3634 CVE-2021-3737 CVE-2021-4189
CVE-2021-20095 CVE-2021-20231 CVE-2021-20232
CVE-2021-23177 CVE-2021-23337 CVE-2021-25219
CVE-2021-31566 CVE-2021-36084 CVE-2021-36085
CVE-2021-36086 CVE-2021-36087 CVE-2021-40528
CVE-2021-42771 CVE-2022-0512 CVE-2022-0639
CVE-2022-0686 CVE-2022-0691 CVE-2022-1271
CVE-2022-1292 CVE-2022-1586 CVE-2022-1650
CVE-2022-1785 CVE-2022-1897 CVE-2022-1927
CVE-2022-2068 CVE-2022-2097 CVE-2022-2526
CVE-2022-24407 CVE-2022-25313 CVE-2022-25314
CVE-2022-29154 CVE-2022-29824 CVE-2022-30629
CVE-2022-30631 CVE-2022-32206 CVE-2022-32208
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.4 is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es):

* nodejs-url-parse: authorization bypass through user-controlled key
(CVE-2022-0512)

* npm-url-parse: Authorization bypass through user-controlled key
(CVE-2022-0686)

* npm-url-parse: authorization bypass through user-controlled key
(CVE-2022-0691)

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)

* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)

* nodejs-lodash: command injection via template (CVE-2021-23337)

* npm-url-parse: Authorization Bypass Through User-Controlled Key
(CVE-2022-0639)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
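
The last item, CVE-2022-30631, concerns Go's compress/gzip reader: a gzip stream may consist of many concatenated members, and Reader.Read walked them recursively, so an input built from a very large number of members could exhaust the stack. The real fix is the patched Go toolchain that MTC 1.7.4 is built with, but code that decompresses untrusted archives should also bound what it is willing to decode. The following Go program is an added example written for this advisory page; it is not Red Hat's or MTC's code. It assumes a caller-chosen byte budget (64 bytes and 1 KiB in the sample calls) and constructs its own gzip inputs, so it runs offline. It uses only standard-library APIs: gzip.Reader.Multistream(false) stops reading at the first member boundary, and io.LimitReader caps the decompressed output.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooLarge is returned when a member would expand past the caller's budget.
var ErrTooLarge = errors.New("gzip: decompressed data exceeds size budget")

// DecompressBounded reads only the FIRST gzip member from r and returns at most
// limit bytes. Multistream(false) makes the reader return io.EOF at the end of
// the first member, so an input padded with many concatenated members is never
// walked; the io.LimitReader turns an oversized member into ErrTooLarge instead
// of an unbounded allocation.
func DecompressBounded(r io.Reader, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	zr.Multistream(false)

	// Read one byte past the budget so "exactly limit" and "over limit" differ.
	out, err := io.ReadAll(io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrTooLarge
	}
	return out, nil
}

// DecompressAll is the default behaviour, kept for comparison: multistream
// stays on, so every concatenated member is decoded and appended.
func DecompressAll(r io.Reader) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// Concatenate builds a constructed input: each payload becomes its own gzip
// member and the members are appended back to back (a valid multistream file).
func Concatenate(payloads ...string) ([]byte, error) {
	var buf bytes.Buffer
	for _, p := range payloads {
		w := gzip.NewWriter(&buf)
		if _, err := w.Write([]byte(p)); err != nil {
			return nil, err
		}
		if err := w.Close(); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample: one real member followed by 1000 empty members.
	members := append([]string{"payload"}, make([]string, 1000)...)
	data, err := Concatenate(members...)
	if err != nil {
		panic(err)
	}

	first, err := DecompressBounded(bytes.NewReader(data), 64)
	fmt.Printf("bounded: %q err=%v\n", first, err)

	all, err := DecompressAll(bytes.NewReader(data))
	fmt.Printf("default: %q err=%v\n", all, err)

	// A single member that expands past a 1 KiB budget is rejected.
	big, _ := Concatenate(strings.Repeat("A", 4096))
	_, err = DecompressBounded(bytes.NewReader(big), 1024)
	fmt.Println("oversized member:", err)
}
```

Disabling multistream is only appropriate when the format you consume is defined as a single member (most application-level gzip payloads are); for tar.gz-style data produced by concatenating tools, keep multistream on and rely on the patched toolchain plus the output limit.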

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

  https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key
2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key
2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

  https://access.redhat.com/security/cve/CVE-2018-25032
  https://access.redhat.com/security/cve/CVE-2019-5827
  https://access.redhat.com/security/cve/CVE-2019-13750
  https://access.redhat.com/security/cve/CVE-2019-13751
  https://access.redhat.com/security/cve/CVE-2019-17594
  https://access.redhat.com/security/cve/CVE-2019-17595
  https://access.redhat.com/security/cve/CVE-2019-18218
  https://access.redhat.com/security/cve/CVE-2019-19603
  https://access.redhat.com/security/cve/CVE-2019-20838
  https://access.redhat.com/security/cve/CVE-2020-8559
  https://access.redhat.com/security/cve/CVE-2020-13435
  https://access.redhat.com/security/cve/CVE-2020-14155
  https://access.redhat.com/security/cve/CVE-2020-15586
  https://access.redhat.com/security/cve/CVE-2020-16845
  https://access.redhat.com/security/cve/CVE-2020-24370
  https://access.redhat.com/security/cve/CVE-2020-28493
  https://access.redhat.com/security/cve/CVE-2020-28500
  https://access.redhat.com/security/cve/CVE-2021-3580
  https://access.redhat.com/security/cve/CVE-2021-3634
  https://access.redhat.com/security/cve/CVE-2021-3737
  https://access.redhat.com/security/cve/CVE-2021-4189
  https://access.redhat.com/security/cve/CVE-2021-20095
  https://access.redhat.com/security/cve/CVE-2021-20231
  https://access.redhat.com/security/cve/CVE-2021-20232
  https://access.redhat.com/security/cve/CVE-2021-23177
  https://access.redhat.com/security/cve/CVE-2021-23337
  https://access.redhat.com/security/cve/CVE-2021-25219
  https://access.redhat.com/security/cve/CVE-2021-31566
  https://access.redhat.com/security/cve/CVE-2021-36084
  https://access.redhat.com/security/cve/CVE-2021-36085
  https://access.redhat.com/security/cve/CVE-2021-36086
  https://access.redhat.com/security/cve/CVE-2021-36087
  https://access.redhat.com/security/cve/CVE-2021-40528
  https://access.redhat.com/security/cve/CVE-2021-42771
  https://access.redhat.com/security/cve/CVE-2022-0512
  https://access.redhat.com/security/cve/CVE-2022-0639
  https://access.redhat.com/security/cve/CVE-2022-0686
  https://access.redhat.com/security/cve/CVE-2022-0691
  https://access.redhat.com/security/cve/CVE-2022-1271
  https://access.redhat.com/security/cve/CVE-2022-1292
  https://access.redhat.com/security/cve/CVE-2022-1586
  https://access.redhat.com/security/cve/CVE-2022-1650
  https://access.redhat.com/security/cve/CVE-2022-1785
  https://access.redhat.com/security/cve/CVE-2022-1897
  https://access.redhat.com/security/cve/CVE-2022-1927
  https://access.redhat.com/security/cve/CVE-2022-2068
  https://access.redhat.com/security/cve/CVE-2022-2097
  https://access.redhat.com/security/cve/CVE-2022-2526
  https://access.redhat.com/security/cve/CVE-2022-24407
  https://access.redhat.com/security/cve/CVE-2022-25313
  https://access.redhat.com/security/cve/CVE-2022-25314
  https://access.redhat.com/security/cve/CVE-2022-29154
  https://access.redhat.com/security/cve/CVE-2022-29824
  https://access.redhat.com/security/cve/CVE-2022-30629
  https://access.redhat.com/security/cve/CVE-2022-30631
  https://access.redhat.com/security/cve/CVE-2022-32206
  https://access.redhat.com/security/cve/CVE-2022-32208
  https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.