Red Hat 9042 Published by

A Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update has been released.



RHSA-2022:9047-01: Moderate: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update
Advisory ID: RHSA-2022:9047-01
Product: Red Hat Migration Toolkit
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:9047
Issue date: 2022-12-15
CVE Names: CVE-2016-3709 CVE-2020-28851 CVE-2020-28852
CVE-2020-35525 CVE-2020-35527 CVE-2022-0561
CVE-2022-0562 CVE-2022-0865 CVE-2022-0891
CVE-2022-0908 CVE-2022-0909 CVE-2022-0924
CVE-2022-1122 CVE-2022-1304 CVE-2022-1355
CVE-2022-1705 CVE-2022-1962 CVE-2022-2509
CVE-2022-3515 CVE-2022-22624 CVE-2022-22628
CVE-2022-22629 CVE-2022-22662 CVE-2022-22844
CVE-2022-25308 CVE-2022-25309 CVE-2022-25310
CVE-2022-26700 CVE-2022-26709 CVE-2022-26710
CVE-2022-26716 CVE-2022-26717 CVE-2022-26719
CVE-2022-27404 CVE-2022-27405 CVE-2022-27406
CVE-2022-27664 CVE-2022-28131 CVE-2022-30293
CVE-2022-30629 CVE-2022-30630 CVE-2022-30632
CVE-2022-30633 CVE-2022-30635 CVE-2022-32148
CVE-2022-32189 CVE-2022-37434 CVE-2022-42898
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.6 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

For details on how to install and use MTC, refer to:

  https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (  https://bugzilla.redhat.com/):

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
2132957 - Migration fails at UnQuiesceDestApplications step in OCP 4.12
2137304 - Location for host cluster is missing in the UI
2140208 - When editing a MigHook in the UI, the page may fail to reload
2143628 - Unable to create Storage Class Conversion plan due to missing cronjob error in OCP 4.12
2143872 - Namespaces page in web console stuck in loading phase
2149920 - Migration fails at prebackupHooks step

5. JIRA issues fixed (  https://issues.jboss.org/):

MIG-1240 - Implement proposed changes for DVM support with PSAs in 4.12

6. References:

  https://access.redhat.com/security/cve/CVE-2016-3709
  https://access.redhat.com/security/cve/CVE-2020-28851
  https://access.redhat.com/security/cve/CVE-2020-28852
  https://access.redhat.com/security/cve/CVE-2020-35525
  https://access.redhat.com/security/cve/CVE-2020-35527
  https://access.redhat.com/security/cve/CVE-2022-0561
  https://access.redhat.com/security/cve/CVE-2022-0562
  https://access.redhat.com/security/cve/CVE-2022-0865
  https://access.redhat.com/security/cve/CVE-2022-0891
  https://access.redhat.com/security/cve/CVE-2022-0908
  https://access.redhat.com/security/cve/CVE-2022-0909
  https://access.redhat.com/security/cve/CVE-2022-0924
  https://access.redhat.com/security/cve/CVE-2022-1122
  https://access.redhat.com/security/cve/CVE-2022-1304
  https://access.redhat.com/security/cve/CVE-2022-1355
  https://access.redhat.com/security/cve/CVE-2022-1705
  https://access.redhat.com/security/cve/CVE-2022-1962
  https://access.redhat.com/security/cve/CVE-2022-2509
  https://access.redhat.com/security/cve/CVE-2022-3515
  https://access.redhat.com/security/cve/CVE-2022-22624
  https://access.redhat.com/security/cve/CVE-2022-22628
  https://access.redhat.com/security/cve/CVE-2022-22629
  https://access.redhat.com/security/cve/CVE-2022-22662
  https://access.redhat.com/security/cve/CVE-2022-22844
  https://access.redhat.com/security/cve/CVE-2022-25308
  https://access.redhat.com/security/cve/CVE-2022-25309
  https://access.redhat.com/security/cve/CVE-2022-25310
  https://access.redhat.com/security/cve/CVE-2022-26700
  https://access.redhat.com/security/cve/CVE-2022-26709
  https://access.redhat.com/security/cve/CVE-2022-26710
  https://access.redhat.com/security/cve/CVE-2022-26716
  https://access.redhat.com/security/cve/CVE-2022-26717
  https://access.redhat.com/security/cve/CVE-2022-26719
  https://access.redhat.com/security/cve/CVE-2022-27404
  https://access.redhat.com/security/cve/CVE-2022-27405
  https://access.redhat.com/security/cve/CVE-2022-27406
  https://access.redhat.com/security/cve/CVE-2022-27664
  https://access.redhat.com/security/cve/CVE-2022-28131
  https://access.redhat.com/security/cve/CVE-2022-30293
  https://access.redhat.com/security/cve/CVE-2022-30629
  https://access.redhat.com/security/cve/CVE-2022-30630
  https://access.redhat.com/security/cve/CVE-2022-30632
  https://access.redhat.com/security/cve/CVE-2022-30633
  https://access.redhat.com/security/cve/CVE-2022-30635
  https://access.redhat.com/security/cve/CVE-2022-32148
  https://access.redhat.com/security/cve/CVE-2022-32189
  https://access.redhat.com/security/cve/CVE-2022-37434
  https://access.redhat.com/security/cve/CVE-2022-42898
  https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.