Red Hat Product Errata RHSA-2023:6161 - Security Advisory
Issued:
2023-10-30
Updated:
2023-10-30

RHSA-2023:6161 - Security Advisory

Synopsis

Important: Migration Toolkit for Containers (MTC) 1.7.14 security and bug fix update

Type/Severity

Security Advisory: Important

Topic

The Migration Toolkit for Containers (MTC) 1.7.14 is now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
  • golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)
  • golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)
  • golang: html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318)
  • golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)
  • golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Migration Toolkit 1 for RHEL 8 x86_64

Fixes

  • BZ - 2222167 - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
  • BZ - 2228743 - CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
  • BZ - 2237773 - CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts
  • BZ - 2237776 - CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts
  • BZ - 2237777 - CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections
  • BZ - 2237778 - CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake
  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

x86_64

rhmtc/openshift-migration-controller-rhel8@sha256:db6e79aff9c592fe7f27145d01d7444f4dc4e0144cc036ae916d9cf0c95a9cfe
rhmtc/openshift-migration-hook-runner-rhel8@sha256:c12186c030ce5192c823351ac212c1acf1c85fa574267bc64d2cdf90c5dae87f
rhmtc/openshift-migration-legacy-rhel8-operator@sha256:ce90e9b7af04340afc72f38cfdf5b64d2a6fcae23f59223e2d510c028823d87f
rhmtc/openshift-migration-log-reader-rhel8@sha256:58f92f50972a948c40319a5c2c9abfe3d44034ba1538f018b51f9998ee875e90
rhmtc/openshift-migration-must-gather-rhel8@sha256:cc19dae1824b42b15a8015f6a88f1bc0f85e75a9e7d14f38313a27d93c88f22f
rhmtc/openshift-migration-openvpn-rhel8@sha256:79006886844f82db986d9778994727cd40943faa77b2740b54f312fca6602950
rhmtc/openshift-migration-operator-bundle@sha256:34e80eefb9b91a41bc4648e02de37d262347085c4da9bd032f43c8bb59e4459a
rhmtc/openshift-migration-registry-rhel8@sha256:4dfa0ace1d92a6ae70d08dc3aff621e5f332956f213db987d9862ed2685e6733
rhmtc/openshift-migration-rhel8-operator@sha256:0dc885972e7035f2c4b31016f4053e2bd73e328ace6aeee07380db5e0b055b02
rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:cc4a32d349982a82cee52247627f1fd76b6630a6ddb4523a326e83f99d65826d
rhmtc/openshift-migration-ui-rhel8@sha256:b3fd7bf0c25ecd110635de6e7d071cfe314cbe50ee0f924f3dfa985fd24ae59e
rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:c65d0ecc82eb9ebf2256c599b116e5878e57192caca90a83c1035421be914657
rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:7ab0d93fe306b1baa0ae64a9c859776109f2cb27a0e468dc1d361e72a99d21b9
rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:c89b222e9e9ae02a505fb6986ef1b6ca4b0e15706e3d44d2f03176af7f0d9b6a
rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:06010b3b3c7ad25cf0c122cf49bb7795712eebc47936e3c88db46256e93f0843
rhmtc/openshift-migration-velero-rhel8@sha256:39ac9f6895b2f71cc699c806df204b10af71f18a28de3d3839b7cde6cde13f64
rhmtc/openshift-velero-plugin-rhel8@sha256:4aefc874e9869305ec80f46548c5499b4887e29135efb9ecad01dfd5a54b31fa

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.