A Migration Toolkit for Runtimes security bug fix and enhancement update has been released.

RHSA-2023:1286-01: Important: Migration Toolkit for Runtimes security bug fix and enhancement update

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Migration Toolkit for Runtimes security bug fix and enhancement update
Advisory ID: RHSA-2023:1286-01
Product: Migration Toolkit for Runtimes
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:1286
Issue date: 2023-03-16
CVE Names: CVE-2021-46848 CVE-2022-2056 CVE-2022-2057
CVE-2022-2058 CVE-2022-2519 CVE-2022-2520
CVE-2022-2521 CVE-2022-2867 CVE-2022-2868
CVE-2022-2869 CVE-2022-2953 CVE-2022-4415
CVE-2022-31690 CVE-2022-35737 CVE-2022-40303
CVE-2022-40304 CVE-2022-41966 CVE-2022-42010
CVE-2022-42011 CVE-2022-42012 CVE-2022-43680
CVE-2022-46364 CVE-2022-47629 CVE-2023-21835
CVE-2023-21843
=====================================================================

1. Summary:

Migration Toolkit for Runtimes 1.0.2 release

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Runtimes 1.0.2 Images

Security Fix(es):

* spring-security-oauth2-client: Privilege Escalation in
spring-security-oauth2-client (CVE-2022-31690)

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* Apache CXF: SSRF Vulnerability (CVE-2022-46364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow

5. References:

  https://access.redhat.com/security/cve/CVE-2021-46848
  https://access.redhat.com/security/cve/CVE-2022-2056
  https://access.redhat.com/security/cve/CVE-2022-2057
  https://access.redhat.com/security/cve/CVE-2022-2058
  https://access.redhat.com/security/cve/CVE-2022-2519
  https://access.redhat.com/security/cve/CVE-2022-2520
  https://access.redhat.com/security/cve/CVE-2022-2521
  https://access.redhat.com/security/cve/CVE-2022-2867
  https://access.redhat.com/security/cve/CVE-2022-2868
  https://access.redhat.com/security/cve/CVE-2022-2869
  https://access.redhat.com/security/cve/CVE-2022-2953
  https://access.redhat.com/security/cve/CVE-2022-4415
  https://access.redhat.com/security/cve/CVE-2022-31690
  https://access.redhat.com/security/cve/CVE-2022-35737
  https://access.redhat.com/security/cve/CVE-2022-40303
  https://access.redhat.com/security/cve/CVE-2022-40304
  https://access.redhat.com/security/cve/CVE-2022-41966
  https://access.redhat.com/security/cve/CVE-2022-42010
  https://access.redhat.com/security/cve/CVE-2022-42011
  https://access.redhat.com/security/cve/CVE-2022-42012
  https://access.redhat.com/security/cve/CVE-2022-43680
  https://access.redhat.com/security/cve/CVE-2022-46364
  https://access.redhat.com/security/cve/CVE-2022-47629
  https://access.redhat.com/security/cve/CVE-2023-21835
  https://access.redhat.com/security/cve/CVE-2023-21843
  https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.