Red Hat Product Errata RHSA-2024:7164 - Security Advisory
Issued:
2024-09-26
Updated:
2024-09-26

RHSA-2024:7164 - Security Advisory

Synopsis

Important: Migration Toolkit for Containers (MTC) 1.8.4 security and bug fix update

Type/Severity

Security Advisory: Important

Topic

The Migration Toolkit for Containers (MTC) 1.8.4 is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

  • golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
  • webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)
  • express: cause malformed URLs to be evaluated (CVE-2024-29041)
  • axios: axios: Server-Side Request Forgery (CVE-2024-39338)
  • golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)
  • jose-go: improper handling of highly compressed data (CVE-2024-28180)
  • follow-redirects: Possible credential leak (CVE-2024-28849)
  • moby: external DNS requests from 'internal' networks could lead to data exfiltration (CVE-2024-29018)
  • containers/image: digest type does not guarantee valid type (CVE-2024-3727)
  • golang: net: malformed DNS message can cause infinite loop (CVE-2024-24788)
  • braces: fails to limit the number of characters it can handle (CVE-2024-4068)
  • node-tar: denial of service while parsing a tar file due to lack of folders depth validation (CVE-2024-28863)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Migration Toolkit 1 for RHEL 8 x86_64

Fixes

  • BZ - 2268018 - CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
  • BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
  • BZ - 2268854 - CVE-2024-28180 jose-go: improper handling of highly compressed data
  • BZ - 2269576 - CVE-2024-28849 follow-redirects: Possible credential leak
  • BZ - 2270591 - CVE-2024-29018 moby: external DNS requests from 'internal' networks could lead to data exfiltration
  • BZ - 2270863 - CVE-2024-29180 webpack-dev-middleware: lack of URL validation may lead to file leak
  • BZ - 2274767 - CVE-2024-3727 containers/image: digest type does not guarantee valid type
  • BZ - 2279814 - CVE-2024-24788 golang: net: malformed DNS message can cause infinite loop
  • BZ - 2280600 - CVE-2024-4068 braces: fails to limit the number of characters it can handle
  • BZ - 2290901 - CVE-2024-29041 express: cause malformed URLs to be evaluated
  • BZ - 2293200 - CVE-2024-28863 node-tar: denial of service while parsing a tar file due to lack of folders depth validation
  • BZ - 2295302 - CVE-2019-25211 github.com/gin-contrib/cors: Gin mishandles a wildcard in the origin string in github.com/gin-contrib/cors
  • BZ - 2299624 - MigClusters showing wrong operator version in UI
  • BZ - 2299625 - UI stuck at "Namespaces" while creating a migplan
  • BZ - 2299628 - Migration stuck as DirectVolumeMigration fails with "InvalidPVCs" error
  • BZ - 2299668 - Migration fails with error: no matches for kind "Virtual machine" in version "kubevirt/v1"
  • MIG-1593 - MigClusters showing wrong operator version in UI
  • MIG-1592 - DVM fails when migrating to a namespace different from the source namespace
  • MIG-1598 - Rollback after a migration gets stuck at Quiescing step
  • MIG-1610 - Rollback performed after a failed migration fails at RollbackLiveMigration step

x86_64

rhmtc/openshift-migration-controller-rhel8@sha256:a4025dfcd79bcb22e2ab91e1bc027c200f9c2741ed2c3a576a64cb24084c584e
rhmtc/openshift-migration-hook-runner-rhel8@sha256:419c11ecd25664d16f77aec6589c9fa183832947766f75575dfab4bc059fe876
rhmtc/openshift-migration-log-reader-rhel8@sha256:6886c4d68d7c6100b5eb7239ae8ce14871403a71ce69b35c42c0ce238b32ff87
rhmtc/openshift-migration-must-gather-rhel8@sha256:08bb8048bb9fc00ba84e846fce7ce3e37506fbadf077b487c1d3d2dd607b2277
rhmtc/openshift-migration-openvpn-rhel8@sha256:1e0cf80fab89615624cf7f9f62e72e161af4143ed1d6245db45f09ba8382dbc4
rhmtc/openshift-migration-operator-bundle@sha256:9616b52c1d745b7bf37c0237a6cd2cde9a1d9e8dbfdb5e5cb49504805e706065
rhmtc/openshift-migration-registry-rhel8@sha256:c7f229ac51306d667f9b766fb1a464686fa47eb06d5658dbe4977e25b4877b20
rhmtc/openshift-migration-rhel8-operator@sha256:79c957509adaff575917d1e70ec25965a4230c0a2deb9cd9007089dfc3ec39cc
rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:b556472a46fbac2508b8f36b975c8fdb26a77a2fc8bd43b2667f9151bf1cbc3f
rhmtc/openshift-migration-ui-rhel8@sha256:db4903f395697e2eb244a0251ec1a5f89b12434501cb56889f2af37770f95f58
rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:8765eb907963a6677c1af44dee1168d635d243824396f73c829697b1582046e9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.