Published by Red Hat

A Migration Toolkit for Applications security and bug fix update has been released.

[RHSA-2023:4627-01] Important: Migration Toolkit for Applications security and bug fix update

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Migration Toolkit for Applications security and bug fix update
Advisory ID: RHSA-2023:4627-01
Product: Migration Toolkit for Applications
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4627
Issue date: 2023-08-14
CVE Names: CVE-2020-24736 CVE-2021-46877 CVE-2022-4492
CVE-2022-41721 CVE-2022-41723 CVE-2022-41724
CVE-2022-41725 CVE-2022-41854 CVE-2022-41881
CVE-2023-1667 CVE-2023-2283 CVE-2023-2798
CVE-2023-2828 CVE-2023-22899 CVE-2023-24329
CVE-2023-24532 CVE-2023-24534 CVE-2023-24536
CVE-2023-24537 CVE-2023-24538 CVE-2023-24539
CVE-2023-24540 CVE-2023-26125 CVE-2023-26604
CVE-2023-29400 CVE-2023-34104
=====================================================================

1. Summary:

Migration Toolkit for Applications 6.2.0 release

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Applications 6.2.0 Images

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)

* jackson-databind: Possible DoS if using JDK serialization to serialize
JsonNode (CVE-2021-46877)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* x/net/http2/h2c: request smuggling (CVE-2022-41721)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* golang: crypto/tls: large handshake records may cause panics
(CVE-2022-41724)

* golang: net/http, mime/multipart: denial of service from excessive
resource consumption (CVE-2022-41725)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

* htmlUnit: Stack overflow crash causes Denial of Service (DoS)
(CVE-2023-2798)

* zip4j: does not always check the MAC when decrypting a ZIP archive
(CVE-2023-22899)

* golang: crypto/internal/nistec: specific unreduced P-256 scalars produce
incorrect results (CVE-2023-24532)

* golang: net/http, net/textproto: denial of service from excessive memory
allocation (CVE-2023-24534)

* golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption (CVE-2023-24536)

* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

* golang: html/template: backticks not treated as string delimiters
(CVE-2023-24538)

* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)

* golang-github-gin-gonic-gin: Improper Input Validation (CVE-2023-26125)

* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)

* fast-xml-parser: Regex Injection via Doctype Entities (CVE-2023-34104)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed ( https://bugzilla.redhat.com/):

2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2162182 - CVE-2022-41721 x/net/http2/h2c: request smuggling
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2185278 - CVE-2023-22899 zip4j: does not always check the MAC when decrypting a ZIP archive
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
2203769 - CVE-2023-26125 golang-github-gin-gonic-gin: Improper Input Validation
2210366 - CVE-2023-2798 htmlUnit: Stack overflow crash causes Denial of Service (DoS)
2221261 - CVE-2023-34104 fast-xml-parser: Regex Injection via Doctype Entities
2223355 - CVE-2023-24532 golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results
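
The three CVE lists this advisory carries do not fully agree: the "CVE Names" header (and the References section below) name six CVEs (CVE-2020-24736, CVE-2023-1667, CVE-2023-2283, CVE-2023-2828, CVE-2023-24329 and CVE-2023-26604) that have no Security Fix(es) entry and no Bugzilla line above. The following script, an example added here and not Red Hat tooling, parses the plain-text RHSA layout and reports such gaps. It runs offline over SAMPLE, a constructed excerpt of this advisory; the function names and result fields are its own.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_rhsa(text: str) -> dict:
    """Pull the security-relevant parts out of a plain-text RHSA.

    Returns the advisory ID, the severity word from the Synopsis line, the
    CVEs in the multi-line "CVE Names:" header, the "Security Fix(es)"
    entries keyed by CVE, and the "Bugs fixed" Bugzilla IDs keyed by CVE.
    """
    header, _, body = text.partition("1. Summary:")

    adv = re.search(r"Advisory ID:\s*(\S+)", header)
    sev = re.search(r"Synopsis:\s*(\w+):", header)
    # "CVE Names:" wraps over several lines and ends at the ==== rule.
    names = re.search(r"CVE Names:(.*?)\n=+", header, re.S)

    fixes = {}
    fix_block = re.search(
        r"Security Fix\(es\):(.*?)(?:\nFor more details|\n\d+\. )", body, re.S)
    if fix_block:
        # Each entry is "* <description> (CVE-....)"; the description may wrap
        # onto a second line and may itself contain parentheses, e.g. "(DoS)".
        for m in re.finditer(r"\*\s+(.*?)\s*\((CVE-\d{4}-\d+)\)",
                             fix_block.group(1), re.S):
            fixes[m.group(2)] = " ".join(m.group(1).split())

    bugs = {}
    bug_block = re.search(r"Bugs fixed \(.*?\):\n(.*?)(?:\n\d+\. |\Z)", body, re.S)
    if bug_block:
        # Bugzilla lines look like "2153260 - CVE-2022-4492 <title>".
        for m in re.finditer(r"^(\d+) - (CVE-\d{4}-\d+) ", bug_block.group(1), re.M):
            bugs[m.group(2)] = m.group(1)

    return {
        "advisory_id": adv.group(1) if adv else "",
        "severity": sev.group(1) if sev else "",
        "cve_names": CVE_RE.findall(names.group(1)) if names else [],
        "fixes": fixes,
        "bugs": bugs,
    }


def cross_check(adv: dict) -> dict:
    """Compare the three CVE lists an RHSA carries and report the gaps."""
    names, fixed, bugs = set(adv["cve_names"]), set(adv["fixes"]), set(adv["bugs"])
    return {
        # In CVE Names (and References) but with no Security Fix(es) entry:
        # look these up on their CVE pages rather than assuming this
        # advisory's description covers them.
        "listed_without_fix_entry": sorted(names - fixed),
        "fix_entry_without_bug": sorted(fixed - bugs),
        "fix_entry_not_in_cve_names": sorted(fixed - names),
    }


# Constructed excerpt of RHSA-2023:4627 (a few entries only) so the script
# runs offline; paste the full advisory text here to check all of it.
SAMPLE = """\
=====================================================================
Red Hat Security Advisory

Synopsis: Important: Migration Toolkit for Applications security and bug fix update
Advisory ID: RHSA-2023:4627-01
CVE Names: CVE-2020-24736 CVE-2021-46877 CVE-2022-4492
CVE-2023-1667 CVE-2023-2798
=====================================================================

1. Summary:

Migration Toolkit for Applications 6.2.0 release

2. Description:

Security Fix(es):

* jackson-databind: Possible DoS if using JDK serialization to serialize
JsonNode (CVE-2021-46877)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* htmlUnit: Stack overflow crash causes Denial of Service (DoS)
(CVE-2023-2798)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Bugs fixed ( https://bugzilla.redhat.com/):

2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
2210366 - CVE-2023-2798 htmlUnit: Stack overflow crash causes Denial of Service (DoS)

5. JIRA issues fixed ( https://issues.redhat.com/):
"""

if __name__ == "__main__":
    import json
    print(json.dumps(cross_check(parse_rhsa(SAMPLE)), indent=2))
```

Run over the full advisory text, listed_without_fix_entry returns the six CVEs named above and the other two lists come back empty (every Security Fix(es) entry has a matching Bugzilla line). The CVE pages in the References section are where to check what those six cover, since the Description here does not say.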

5. JIRA issues fixed ( https://issues.redhat.com/):

MTA-1015 - Credentials filtering is missing 'Created by' filter
MTA-1041 - Application inventory page crashes when deleting an application and the right panel is open
MTA-194 - [RFE] Present a data in more readable format
MTA-24 - [API][Application] ApiApplication returned from post method is missing the identities name
MTA-27 - [API][Credentials] It is possible to create more than one credential with the same name
MTA-464 - [Custom rules] Analysis wizard gets stuck on custom rules page when moving "Back" from Repository tab.
MTA-465 - Tags & Reports tabs for the application keep loading while analysis is in progress.
MTA-468 - Incorrect description for Azure target.
MTA-469 - Typo under Reports -> Current Landscape UI
MTA-470 - [UI] Clear Repository button takes a few seconds to re-enable every time we switch to a different tab or perspective.
MTA-472 - [Reports][RFE] "MIGRATION TOOLKIT FOR APPLICATIONS" can be renamed to "Migration Toolkit for Applications"
MTA-474 - Validation issue with "Password" field when creating a new Credential
MTA-476 - Tooltip text for the disabled "Delete" button under "Tags" is incorrect
MTA-477 - Applications imported even after showing Rejected in "Manage Imports" page.
MTA-478 - Application Inventory page doesn't get updated after the "Import"
MTA-479 - Category Color missing when Tag Category is created at the time of import
MTA-480 - Unable to import application with multiple tags under a single tag category.
MTA-481 - [RFE] Deleting a Job function associated with Stakeholder
MTA-483 - EAP6 still present as a target in downstream MTA builds 6.1.0
MTA-484 - Enforce URL validation for git repo while creating custom target
MTA-485 - [UI] Filter category by name list is too long
MTA-500 - Missing space in OpenLiberty target description
MTA-582 - [API] Job function crud and stakeholder group crud fails
MTA-590 - Identified risk table shows error when there are no data
MTA-643 - [Upstream] Success alerts are broken
MTA-647 - [Upstream] Remove Asterisk for member(s) while creating a stakeholder group
MTA-651 - Application owner is sent if it's added then manually deleted
MTA-658 - [Upstream] Helper messages are displayed on blur
MTA-659 - [Upstream] Source repository field accepts only Git URLs.
MTA-674 - [RFE][API] Return reference "name" field from POST method
MTA-678 - Operator failing smoke tests (6.2.0 / release-0.2)
MTA-680 - [Upstream] [Typo] Migration waves wizard stakeholders groups' field should be in plural
MTA-681 - [Upstream][RFE] Add a tooltip for delete button disabled only when selected application(s) are in a migration wave
MTA-682 - [Upstream][Custom Metrics] Initiated assessments total count isn't working correctly
MTA-695 - Running a second migration wave export with additional apps errors out
MTA-698 - [Upstream] Replace Jira Server/Datacenter options with a single option
MTA-699 - [Upstream] Not able to connect to RedHat JIRA account
MTA-706 - [Upstream] [Migration Waves] Date fields can't be entered manually
MTA-717 - [Credentials] Save button remains disabled while editing credentials of Jira type
MTA-739 - Add a tool tip to explain what insecure communication with a Jira instance is
MTA-741 - [Migration Waves] start date value is not updated correctly
MTA-747 - Job function can't be removed
MTA-750 - Applications cannot be selected in the Assessment tab of the Application Inventory
MTA-753 - Some success notifications include two spaces
MTA-761 - eap targets listed as konveyor.io/target=eapx on Analysis dialog
MTA-764 - [UI] Incorrect tooltip when removing credentials
MTA-765 - [UI] Incorrect tooltip when removing credentials
MTA-766 - [UI] Incorrect labels in Jira connections table
MTA-772 - [Upstream] Credentials of type 'Bearer' not listed in Jira instance creation dialog
MTA-773 - Render analysis details as YAML for better readability.
MTA-778 - Clicking 'Show password' icon for Jira Bearer token key doesn't show the key.
MTA-802 - [Regression] Tag list under Tag Category doesn't get updated after new tag creation
MTA-807 - [Custom metrics] The METRICS_ENABLED environment variable is overridden by its default value
MTA-808 - [UI] Credentials field is empty when editing existing Jira connection instance
MTA-809 - [Custom metrics] Exported issues which move from "Error" to "New" state are counted twice
MTA-81 - CVE-2022-41881 io.netty-netty-parent: codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [mta-6]
MTA-811 - Failed to delete an application that is associated with a ticket on the issues manager
MTA-814 - [Typo] Application creation notification text starts with lowercase
MTA-815 - [UI] Incorrect Jira instance type name is shown in Jira connection table
MTA-826 - [Tags] Color filter isn't working correctly
MTA-83 - CVE-2022-41881 org.jboss.windup.rules-windup-rulesets-parent: codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [mta-6]
MTA-84 - CVE-2022-41854 dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow [mta-6]
MTA-845 - CSV Reports cannot be downloaded
MTA-863 - [UI] Jira credentials have different names in creation wizard and filtering
MTA-870 - A Migration Wave cannot be exported as a SubTask - using both Jira Datacenter and Cloud
MTA-872 - After an error, trying to export the same applications as tasks fails with an error showing sub-tasks.
MTA-873 - Exporting migration wave as an Epic does not export it to Jira - using Jira Server/Datacenter
MTA-877 - In migration waves, when exporting a migration wave to Jira and moving the ticket to Done, it changes status to "Not Started"
MTA-881 - Stakeholder: Assertion is missing "No stakeholders available"
MTA-89 - CVE-2022-41881 org.jboss.windup-windup-parent: codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [mta-6]
MTA-894 - [Custom metrics] Failed analysis is counted twice
MTA-895 - [UI] Sometimes Jira table doesn't look consistent with other tables
MTA-898 - [UI] Incorrect tooltip when the bulk deletion button is disabled on application inventory page
MTA-906 - Migration Waves: The Name field doesn't have the "too short" validation
MTA-908 - [UI] Incorrect sorting by URL for Jira instances
MTA-909 - Tags: Tag Category field is missing helper message "This field is required."
MTA-91 - CVE-2022-41881 org.jboss.windup.plugin-windup-maven-plugin-parent: codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [mta-6]
MTA-912 - In migration waves, after applying wrong dates, correcting the dates does not remove the error message
MTA-916 - Application Inventory : Sorting applications on tag count is broken
MTA-923 - In migration waves, when creating two migration waves with the same name and same dates, trying to create the second one pops an error "Failed to create migration wave."
MTA-93 - CVE-2022-4492 org.keycloak-keycloak-parent: undertow: Server identity in https connection is not checked by the undertow client [mta-6]
MTA-937 - In migration waves, selecting one migration wave using its individual check box automatically selects all applications with the same name
MTA-943 - [UI] Incorrect sorting in reports
MTA-973 - Jira Configuration: Success alert is missing while creating any new jira instance
MTA-974 - Success notification text starts with lowercase
MTA-984 - Dependencies: Unable to connect, there is an error retrieving data
MTA-985 - [Custom rules in analysis] Enforce URL validation for git repo

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2021-46877
https://access.redhat.com/security/cve/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-41721
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2798
https://access.redhat.com/security/cve/CVE-2023-2828
https://access.redhat.com/security/cve/CVE-2023-22899
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-24532
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-26125
https://access.redhat.com/security/cve/CVE-2023-26604
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/cve/CVE-2023-34104
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
