RHSA-2023:0693 - Security Advisory

Topic

The Migration Toolkit for Containers (MTC) 1.7.7 is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

• async: Prototype Pollution in async (CVE-2021-43138)
• golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
• golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
• golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
• golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)
• golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
• golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
• golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
• golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

Affected Products

• Red Hat Migration Toolkit 1 for RHEL 8 x86_64

Fixes

• BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
• BZ - 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
• BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
• BZ - 2126276 - CVE-2021-43138 async: Prototype Pollution in async
• BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
• BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
• BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
• BZ - 2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
• BZ - 2160662 - Velero pod crashing leading to migrations being stuck during Backup Phase
• BZ - 2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
• MIG-1275 - Update base image for hook-runner so kubernetes.core 2.3.2 or newer is present
• MIG-1281 - Allow DVM to be configured with alternative network strategies, more than an openshift route.

CVEs

• CVE-2021-4235
• CVE-2021-43138
• CVE-2021-46848
• CVE-2022-2056
• CVE-2022-2057
• CVE-2022-2058
• CVE-2022-2519
• CVE-2022-2520
• CVE-2022-2521
• CVE-2022-2867
• CVE-2022-2868
• CVE-2022-2869
• CVE-2022-2879
• CVE-2022-2880
• CVE-2022-2953
• CVE-2022-2995
• CVE-2022-3162
• CVE-2022-3172
• CVE-2022-3259
• CVE-2022-3466
• CVE-2022-3821
• CVE-2022-4883
• CVE-2022-27664
• CVE-2022-30631
• CVE-2022-32148
• CVE-2022-32149
• CVE-2022-32189
• CVE-2022-32190
• CVE-2022-35737
• CVE-2022-40303
• CVE-2022-40304
• CVE-2022-41715
• CVE-2022-41717
• CVE-2022-42010
• CVE-2022-42011
• CVE-2022-42012
• CVE-2022-43680
• CVE-2022-44617
• CVE-2022-46285

References

• https://access.redhat.com/security/updates/classification/#moderate