Red Hat Product Errata RHSA-2024:3316 - Security Advisory
Issued:
2024-05-23
Updated:
2024-05-23

RHSA-2024:3316 - Security Advisory

Synopsis

Important: Migration Toolkit for Applications security and bug fix update

Type/Severity

Security Advisory: Important

Topic

Migration Toolkit for Applications 7.0.3 release

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Migration Toolkit for Applications 7.0.3 Images

Security Fix(es) from Bugzilla:

  • golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
  • webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)
  • axios: exposure of confidential data stored in cookies (CVE-2023-45857)
  • css-tools: Improper Input Validation causes Denial of Service via Regular Expression (CVE-2023-26364)
  • go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2 (CVE-2023-45286)
  • golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)
  • golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)
  • css-tools: regular expression denial of service (ReDoS) when parsing CSS (CVE-2023-48631)
  • follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)
  • golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
  • follow-redirects: Possible credential leak (CVE-2024-28849)

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Migration Toolkit for Applications 1 x86_64

Fixes

  • BZ - 2248979 - CVE-2023-45857 axios: exposure of confidential data stored in cookies
  • BZ - 2250364 - CVE-2023-26364 css-tools: Improper Input Validation causes Denial of Service via Regular Expression
  • BZ - 2252012 - CVE-2023-45286 go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2
  • BZ - 2253193 - CVE-2023-45287 golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.
  • BZ - 2253330 - CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
  • BZ - 2254559 - CVE-2023-48631 css-tools: regular expression denial of service (ReDoS) when parsing CSS
  • BZ - 2256413 - CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()
  • BZ - 2268046 - CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
  • BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
  • BZ - 2269576 - CVE-2024-28849 follow-redirects: Possible credential leak
  • BZ - 2270863 - CVE-2024-29180 webpack-dev-middleware: lack of URL validation may lead to file leak
  • MTA-1578 - Admin drop-down can be enhanced
  • MTA-1959 - [Analysis issues] Unclear display for the 6th and higher incidents in a file
  • MTA-1961 - [Analysis issues] Issue details side drawer is not fully displayed by default
  • MTA-1970 - It is not clear that the Effort column in the "Affected applications page" is the total effort
  • MTA-1997 - [Controls][UI] Pages layout shifts in Controls tab
  • MTA-2003 - [Custom rules in analysis] Number of rules is 0 when manually uploading yaml file
  • MTA-2117 - Apps that inherit assessment occasionally don't get displayed on Reports tab
  • MTA-2186 - Tag filtering doesn't work if searching for empty tag type
  • MTA-2224 - [UI] Pagination leaves empty page when removing last element
  • MTA-2243 - [Analyzer] Affected file empty using JWS6 target
  • MTA-2287 - Tag sources should start with upper case letters
  • MTA-2308 - [Assessment] UI should show 'Unassessed' instead of 'Unknown' for unassessed applications
  • MTA-2314 - MTA CLI limitations with podman on windows
  • MTA-2341 - [Analyzer] Placeholder for`beans.xml` can be correctly interpolated.
  • MTA-2380 - Error message when editing an application tag
  • MTA-2400 - Selection of already selected tags should be disallowed for archetypes
  • MTA-2409 - With two required questionnaires app Assessment status should be 'In progress' after one questionnaire is taken
  • MTA-2410 - App Assesstment status should show 'In progress' when only one archetype has been assessed
  • MTA-2426 - [Jira instance] Unable to turn on "Enable insecure communication" switch
  • MTA-2427 - Failed to connect to Jira server using basic authentication: username & password
  • MTA-2451 - Application Inventory page doesn't get updated after application import
  • MTA-2452 - [Kantra CLI] Running test is successfull with many errors in the log
  • MTA-2495 - Repeated Assessment Override Notification Appears After Completion
  • MTA-2503 - Application assessment status doesn't get updated on its own after assessment is discarded
  • MTA-2505 - [Assessment] assessing an application and then disabling the questionnaire shows status 'In-Progress'
  • MTA-2512 - Retaking an assessment should retain the previous assessment data
  • MTA-2513 - [Analysis][DC] Analysis are failing on DC clusters with" Error: exit status 128 "
  • MTA-2518 - [CLI] Failing analysis on MAC
  • MTA-2550 - [Analysis] Some analyses fail with UNIQUE constraint failed error on Tags
  • MTA-2560 - [UI] Missing "Use multi select filter for application names" from All Issues Page
  • MTA-2563 - [Eclipse] [IDE] unable to run analysis on eclipse - mta 7.0.3
  • MTA-2616 - 'Retake' displayed instead of 'Take' after deleting Archetype assessment from Assessment Actions page
  • MTA-2652 - The Risk filter in the Reports Tab filters by value instead of by label when typing in it
  • MTA-2654 - [CLI] Some tests are failing with error about output.yaml
  • MTA-2661 - Binary analysis fails for a JAR file that has no external dependencies
  • MTA-2681 - Column name renamed "Tag category" to "Name" on Tags page
  • MTA-2781 - [Kantra CLI] Tool tried to pull image from a wrong place making analysis to fail

aarch64

mta/mta-analyzer-lsp-rhel9@sha256:a09bcb0103144127baaea5831a75313a5148c1cacca2ca52fdfd93b09986d1fc
mta/mta-cli-rhel9@sha256:7f9db3bb4df9fa6680c58547974f2c5f1035ba9e65f51acdaea12c082fc78c99
mta/mta-windup-shim-rhel9@sha256:0ee12e416243c3d96ff86d96d203925259f2408633b28db485ff7a0378b7b092

x86_64

mta/mta-analyzer-addon-rhel9@sha256:0c0381b7e457651468411ac42db0cd87070bc711321b51db4d73da7443d9873b
mta/mta-analyzer-lsp-rhel9@sha256:eeb59395e040f7b5367b5c0e4911e5ee23289cf13a42c517dfe30ec385ddeede
mta/mta-cli-rhel9@sha256:1f68cef1b46537edbb48d0842761258c8e8f9456cf2e5f93317e17307646c51d
mta/mta-hub-rhel9@sha256:9e8489a7a70be8a4035de9921bd7360dd993dfc364fca97abcd7ef5f637bae07
mta/mta-operator-bundle@sha256:9eeb43af2bcab84f5261d1575f7c897903a7696dba011d256abffa1fe850eba2
mta/mta-rhel8-operator@sha256:1719cafe5b15c44bb1bb207bce1cc2a6ee7c1b097901d8fab61912ce298f40dd
mta/mta-ui-rhel9@sha256:d0a02e3d0067cd6811e00a55b644dd9a345261e3f77ed72431a3ce03137d11bf
mta/mta-windup-shim-rhel9@sha256:122ddc6b9f403fe1dddcd25ee4376cbfb33264019e3199418d879634500389dc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.