- Issued:
- 2023-04-27
- Updated:
- 2023-04-27
RHSA-2023:2041 - Security Advisory
Synopsis
Important: Migration Toolkit for Applications security and bug fix update
Type/Severity
Security Advisory: Important
Topic
Migration Toolkit for Applications 6.1.0 release
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Migration Toolkit for Applications 6.1.0 Images
Security Fix(es):
- keycloak: path traversal via double URL encoding (CVE-2022-3782)
- spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client (CVE-2022-31690)
- xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
- Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Migration Toolkit for Applications 6 x86_64
Fixes
- BZ - 2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
- BZ - 2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
- BZ - 2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client
- BZ - 2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
- MTA-118 - Automated tagging of resources with Windup
- MTA-279 - All types of Source analysis is failing in MTA 6.1.0
- MTA-311 - MTA operator fails to reconcile on a clean (non-upgrade) install
- MTA-314 - PVCs may not provision if storageClassName is not set.
- MTA-123 - MTA crashes cluster nodes when running bulk binary analysis due to requests and limits not being configurable
- MTA-129 - User field in Manage Import is empty
- MTA-160 - [Upstream] Maven Repositories "No QueryClient set, use QueryClientProvider to set one"
- MTA-204 - Every http request made to tagtypes returns HTTP Status 404
- MTA-256 - Update application import template
- MTA-260 - [Regression] Application import through OOTB import template fails
- MTA-261 - [Regression] UI incorrectly reports target applications have in-progress/complete assessment
- MTA-263 - [Regression] Discard assessment option present even when assessment is not complete
- MTA-267 - Analysis EAP targets should include eap8
- MTA-268 - RFE: Automated Tagging details to add on Review analysis details page
- MTA-28 - Success Alert is not displayed when subsequent analysis are submitted
- MTA-282 - Discarding review results in 404 error
- MTA-283 - Sorting broken on Application inventory page
- MTA-284 - HTML reports download with no files in reports and stats folders
- MTA-29 - Asterisk on Description while creating a credentials should be removed
- MTA-297 - [Custom migration targets] Cannot upload JPG file as an icon
- MTA-298 - [Custom migration targets] Unclear error when uploading image greater than 1Mb of size
- MTA-299 - [RFE][Custom migration targets] Assign an icon: Add image max size in the note under the image name
- MTA-300 - [Custom rules] Cannot upload more than one rules file
- MTA-303 - [UI][Custom migration targets] The word "Please" should be removed from the error message about existing custom target name
- MTA-304 - [Custom rules] Failed analysis when retrieving custom rules files from a repository
- MTA-306 - MTA allows the uploading of multiple binaries for analysis
- MTA-330 - With auth disabled, 'username' seen in the persona dropdown
- MTA-332 - Tagging: Few Tags are highlighted with color
- MTA-34 - Cannot filter by Business Service when copying assessments
- MTA-345 - [Custom migration targets] Error message "imageID must be defined" is displayed when uploading image
- MTA-35 - Only the first notification is displayed when discarding multiple copied assessments
- MTA-350 - Maven Central links from the dependencies tab in reports seem to be broken
- MTA-351 - AspectJ is not identified as an Open Source Library
- MTA-356 - The inventory view has to be refreshed for the tags that were assigned by an analysis to appear
- MTA-363 - [UI][Custom migration targets] "Repository type" field name is missing
- MTA-364 - [Custom migration targets] Unknown image file when editing a custom migration target
- MTA-366 - Tagging: For no tags attached "filter by" can be improved
- MTA-367 - [Custom migration targets] Cannot use a custom migration target in analysis
- MTA-369 - Custom migration targets: HTML elements are duplicated
- MTA-375 - Run button does not execute the analysis
- MTA-377 - [UI][Custom rules] Custom rules screen of the analysis configuration wizard is always marked as required
- MTA-378 - [UI][Custom rules] Info message on the Custom rules screen is not updated
- MTA-38 - Only the first notification is displayed when multiple files are imported.
- MTA-381 - Custom Rules: When try to update Add rules the Error alert is displayed
- MTA-382 - Custom Rules: Sometimes able to upload duplicate rules files
- MTA-388 - CSV reports download empty when enabling the option after an analysis
- MTA-389 - [Custom rules in Analysis] Failed analysis when retrieving custom rules files from a private repository
- MTA-391 - [Custom rules in Analysis] Targets from uploaded rules file are not removed once the file is removed
- MTA-392 - Unable to see all custom migration targets when using a vertical monitor
- MTA-41 - [UI] Failed to refresh token if Keycloak feature "Use Refresh Tokens" is off
- MTA-412 - Display alert message before reviewing an already reviewed application
- MTA-428 - [Custom Rules] MTA analysis custom rules conflict message
- MTA-430 - Analysis wizard: Next button should be enabled only after at least one target is selected
- MTA-438 - Tagging: Retrieving tags needs a loading indicator
- MTA-439 - [Regression][Custom rules] Failed to run analysis with custom rules from a repository
- MTA-443 - Custom rules: Add button can be disabled until duplicate rule file is removed
- MTA-50 - RFE: Replace the MTA acronym in the title with "Migration Toolkit for Applications"
- MTA-51 - RFE: " Select the list of packages to be analyzed manually" to modify the title
- MTA-52 - [RFE] We can change "Not associated artifact" to "No associated artifact"
- MTA-55 - Can't choose a custom rule via a file explorer(mac OS finder) in Tackle 2.0
- MTA-99 - Unable to use root path during checking for maven dependencies
- MTA-78 - CVE-2022-46364 org.keycloak-keycloak-parent: Apache CXF: SSRF Vulnerability [mta-6.0]
CVEs
- CVE-2021-4235
- CVE-2022-1705
- CVE-2022-2879
- CVE-2022-2880
- CVE-2022-2995
- CVE-2022-3162
- CVE-2022-3172
- CVE-2022-3259
- CVE-2022-3466
- CVE-2022-3782
- CVE-2022-4304
- CVE-2022-4450
- CVE-2022-27664
- CVE-2022-30631
- CVE-2022-31690
- CVE-2022-32148
- CVE-2022-32189
- CVE-2022-32190
- CVE-2022-41715
- CVE-2022-41966
- CVE-2022-46364
- CVE-2023-0215
- CVE-2023-0286
- CVE-2023-0361
- CVE-2023-0767
- CVE-2023-23916
x86_64
mta/mta-hub-rhel8@sha256:c99e9df8b290935990e627a1ebe56da81dde49573aabb5a3c9133589f8f5b166 |
mta/mta-operator-bundle@sha256:eb99432ed3e453011e00bff4f6bc71b4347842e652335cc14d03ea4c96214c35 |
mta/mta-pathfinder-rhel8@sha256:8e2f586345d6b7e1c2e6d31b8e24965c38aa1640cbec0fb564deb2b2792c2c46 |
mta/mta-rhel8-operator@sha256:aa8087d3d9fa8123d2f925d6ddb3f7e3bde2c72ab02946cbe4d779f3450a8e09 |
mta/mta-ui-rhel8@sha256:24a3853bfc2cb9d37aa0a58e9c20224b3f9af91b8f55fbb0fe307294ad522685 |
mta/mta-windup-addon-rhel8@sha256:4268ab203ca9fd8ae3919dc80dbf31d2ce8591f2df55d6e5f4a12ead716a0cc0 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.