Red Hat Product Errata RHSA-2024:3919 - Security Advisory
Issued:
2024-06-13
Updated:
2024-06-13

RHSA-2024:3919 - Security Advisory

Synopsis

Important: Migration Toolkit for Runtimes security, bug fix and enhancement update

Type/Severity

Security Advisory: Important

Topic

Migration Toolkit for Runtimes 1.2.6 release
Red Hat Product Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Migration Toolkit for Runtimes 1.2.6 Images

Security Fix(es):

  • undertow: Cookie Smuggling/Spoofing (CVE-2023-4639)
  • jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
  • css-tools: Improper Input Validation causes Denial of Service via Regular Expression (CVE-2023-26364)
  • css-tools: regular expression denial of service (ReDoS) when parsing CSS (CVE-2023-48631)
  • keycloak: path transversal in redirection validation (CVE-2024-1132)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Install the latest version of the Migration Toolkit for Runtimes from the Red Hat catalog in the OperatorHub page within your OpenShift instance.

Affected Products

  • Red Hat Migration Toolkit for Runtimes Advisory Metadata x86_64

Fixes

  • BZ - 2166022 - CVE-2023-4639 undertow: Cookie Smuggling/Spoofing
  • BZ - 2239630 - CVE-2023-36479 jetty: Improper addition of quotation marks to user inputs in CgiServlet
  • BZ - 2250364 - CVE-2023-26364 css-tools: Improper Input Validation causes Denial of Service via Regular Expression
  • BZ - 2254559 - CVE-2023-48631 css-tools: regular expression denial of service (ReDoS) when parsing CSS
  • BZ - 2262117 - CVE-2024-1132 keycloak: path transversal in redirection validation

aarch64

mtr/mtr-operator-bundle@sha256:cde45cc88b03ad57956677aa2191fcf114c0cf4986ddded7ac4f4f0aa65c5c83
mtr/mtr-rhel8-operator@sha256:0f129deb43182cb4979c40abaa5f7976531f054ef9c3ad03ebee710507744dd9
mtr/mtr-web-executor-container-rhel8@sha256:dabf02f1c9d0d15959a7e49ba34d45e0399849207f0ce0ddead80ae44b06a608

ppc64le

mtr/mtr-operator-bundle@sha256:edde2c2b6191bf2b882e4ce5c97c1703dc42c2141af4476126e11f817910be0c
mtr/mtr-rhel8-operator@sha256:bc37d362d2ff0bad08e34aef2692e7af7b2529285822fe6262f66f1c885a56a4
mtr/mtr-web-container-rhel8@sha256:8aa060cb2b0fe2409fa8aa0030bd1841035d5e29c39fb699b68719109141f4bb
mtr/mtr-web-executor-container-rhel8@sha256:18ff92e2ec54ff45c233749f66a98f17dfcca533eda934f30c33d42aa3e8b46b

s390x

mtr/mtr-operator-bundle@sha256:90d510486ed7e458b1eb16b5daf395c1b34bd6ddfb3333f41cb20bbc898ad36d
mtr/mtr-rhel8-operator@sha256:c7e15b0a37ac68d66e56e98c447d5166ed4dcd26a015fc85429698327b9a8ecf
mtr/mtr-web-container-rhel8@sha256:7899a343fec790b2cdc475983f4bcb2afa5025b7a87e0752d68895b75b3c43ff
mtr/mtr-web-executor-container-rhel8@sha256:94b5ea42b3f8d462a5c4e67f73ff2981c3a5616c69d92a266d5dd2cc0f84cc77

x86_64

mtr/mtr-operator-bundle@sha256:2c132bd429d741bcb1a36895f65dadc37450c647fc0861136710727bb69bc5d1
mtr/mtr-rhel8-operator@sha256:8169013d1c2cac270421288b83d0f3537bcd5d1bafedb408e24ce85316a5c4c0
mtr/mtr-web-container-rhel8@sha256:7788242640825875824a2f9565288b8284e560415c595b1503d116990018a44e
mtr/mtr-web-executor-container-rhel8@sha256:b68eadce9000dd5d4bf452dccf0c6ef795aacbd47cd57a2b7bde78eb38695506

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.