Red Hat Product Errata RHSA-2021:3694 - Security Advisory
Issued: 2021-09-29
Updated: 2021-09-29

Synopsis

Moderate: Migration Toolkit for Containers (MTC) 1.6.0 security & bugfix update

Type/Severity

Security Advisory: Moderate

Topic

The Migration Toolkit for Containers (MTC) 1.6.0 is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security fixes:

  • nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/4.8/migration_toolkit_for_containers/installing-mtc.html

Affected Products

  • Red Hat Migration Toolkit 1 for RHEL 8 x86_64
  • Red Hat Migration Toolkit 1 for RHEL 7 x86_64

Fixes

  • BZ - 1878824 - Web console is not accessible when deployed on OpenShift cluster on IBM Cloud
  • BZ - 1887526 - "Stage" pods fail when migrating from classic OpenShift source cluster on IBM Cloud with block storage
  • BZ - 1899562 - MigMigration custom resource does not display an error message when a migration fails because of volume mount error
  • BZ - 1936886 - Service account token of existing remote cluster cannot be updated by using the web console
  • BZ - 1936894 - "Ready" status of MigHook and MigPlan custom resources is not synchronized automatically
  • BZ - 1949117 - "Migration plan resources" page displays a permanent error message when a migration plan is deleted from the backend
  • BZ - 1951869 - MigPlan custom resource does not detect invalid source cluster reference
  • BZ - 1968621 - Paused deployment config causes a migration to hang
  • BZ - 1970338 - Parallel migrations fail because the initial backup is missing
  • BZ - 1974737 - Migration plan name length in the "Migration plan" wizard is not validated
  • BZ - 1975369 - "Debug view" link text on "Migration plans" page can be improved
  • BZ - 1975372 - Destination namespace in MigPlan custom resource is not validated
  • BZ - 1976895 - Namespace mapping cannot be changed using the Migration Plan wizard
  • BZ - 1981810 - "Excluded" resources are not excluded from the migration
  • BZ - 1982026 - Direct image migration fails if the source URI contains a double slash ("//")
  • BZ - 1994985 - Web console crashes when a MigPlan custom resource is created with an empty namespaces list
  • BZ - 1996169 - When "None" is selected as the target storage class in the web console, the setting is ignored and the default storage class is used
  • BZ - 1996627 - MigPlan custom resource displays a "PvUsageAnalysisFailed" warning after a successful PVC migration
  • BZ - 1996784 - "Migration resources" tree on the "Migration details" page is not displayed
  • BZ - 1996902 - "Select all" checkbox on the "Namespaces" page of the "Migration plan" wizard remains selected after a namespace is unselected
  • BZ - 1996904 - "Migration" dialogs on the "Migration plans" page display inconsistent capitalization
  • BZ - 1996906 - "Migration details" page link is displayed for a migration plan with no associated migrations
  • BZ - 1996938 - Search function on "Migration plans" page displays no results
  • BZ - 1997051 - Indirect migration from MTC 1.5.1 to 1.6.0 fails during "StageBackup" phase
  • BZ - 1997127 - Direct volume migration "retry" feature does not work correctly after a network failure
  • BZ - 1997173 - Migration of custom resource definitions to OpenShift Container Platform 4.9 fails because of API version incompatibility
  • BZ - 1997180 - "migration-log-reader" pod does not log invalid Rsync options
  • BZ - 1997665 - Selected PVCs in the "State migration" dialog are reset because of background polling
  • BZ - 1997694 - "Update operator" link on the "Clusters" page is incorrect
  • BZ - 1997827 - "Migration plan" wizard displays PVC names incorrectly formatted after running state migration
  • BZ - 1998062 - Rsync pod uses upstream image
  • BZ - 1998283 - "Migration step details" link on the "Migrations" page does not work
  • BZ - 1998550 - "Migration plan" wizard does not support certain screen resolutions
  • BZ - 1998581 - "Migration details" link on "Migration plans" page displays "latestIsFailed" error
  • BZ - 1999113 - "oc describe" and "oc log" commands on "Migration resources" tree cannot be copied after failed migration
  • BZ - 1999381 - MigPlan custom resource displays "Stage completed with warnings" status after successful migration
  • BZ - 1999528 - Position of the "Add migration plan" button is different from the other "Add" buttons
  • BZ - 1999765 - "Migrate" button on "State migration" dialog is enabled when no PVCs are selected
  • BZ - 1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function
  • BZ - 2000205 - "Options" menu on the "Migration details" page displays incorrect items
  • BZ - 2000218 - Validation incorrectly blocks namespace mapping if a source cluster namespace is the same as the destination namespace
  • BZ - 2000243 - "Migration plan" wizard does not allow a migration within the same cluster
  • BZ - 2000644 - Invalid migration plan causes "controller" pod to crash
  • BZ - 2000875 - State migration status on "Migrations" page displays "Stage succeeded" message
  • BZ - 2000979 - "clusterIPs" parameter of "service" object can cause Velero errors
  • BZ - 2001089 - Direct volume migration fails because of missing CA path configuration
  • BZ - 2001173 - Migration plan requires two clusters
  • BZ - 2001786 - Migration fails during "Stage Backup" step because volume path on host not found
  • BZ - 2001829 - Migration does not complete when the namespace contains a cron job with a PVC
  • BZ - 2001941 - Fixing PVC conflicts in state migration plan using the web console causes the migration to run twice
  • BZ - 2002420 - "Stage" pod not created for completed application pod, causing the "mig-controller" to stall
  • BZ - 2002608 - Migration of unmounted PVC fails during "StageBackup" phase
  • BZ - 2002897 - Rollback migration does not complete when the namespace contains a cron job
  • BZ - 2003603 - "View logs" dialog displays the "--selector" option, which does not print all logs
  • BZ - 2004601 - Migration plan status on "Migration plans" page is "Ready" after migration completed with warnings
  • BZ - 2004923 - Web console displays "New operator version available" notification for incorrect operator
  • BZ - 2005143 - Combining Rsync and Stunnel in a single pod can degrade performance
  • BZ - 2006316 - Web console cannot create migration plan in a proxy environment
  • BZ - 2007175 - Web console cannot be launched in a proxy environment
  • MIG-785 - Search for "Crane" in the Operator Hub should display the Migration Toolkit for Containers

CVEs

  • CVE-2021-3749

References

  • https://access.redhat.com/security/updates/classification/#moderate

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
