Red Hat Product Errata RHSA-2025:8510 - Security Advisory
Issued:
2025-06-04
Updated:
2025-06-04

RHSA-2025:8510 - Security Advisory

Synopsis

Important: Migration Toolkit for Containers (MTC) 1.8.7 security and bug fix update

Type/Severity

Security Advisory: Important

Topic

The Migration Toolkit for Containers (MTC) 1.8.7 is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

  • golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)
  • golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)
  • golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)
  • http-proxy-middleware: Denial of Service (CVE-2024-21536)
  • cross-spawn: regular expression denial of service (CVE-2024-21538)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Migration Toolkit 1 for RHEL 8 x86_64

Fixes

  • BZ - 2319884 - CVE-2024-21536 http-proxy-middleware: Denial of Service
  • BZ - 2324550 - CVE-2024-21538 cross-spawn: regular expression denial of service
  • BZ - 2333122 - CVE-2024-45338 golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
  • BZ - 2348366 - CVE-2025-22868 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
  • BZ - 2354195 - CVE-2025-30204 golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing
  • MIG-1733 - Revert multiple migration plans per namespace
  • MIG-1735 - MTC migration stuck in ?Prepare? phase on OpenShift 4.19 due to incompatible OADP version and outdated DPA spec
  • MIG-1738 - Velero backup fails with file already closed error when using new AWS plugin in MTC

x86_64

rhmtc/openshift-migration-controller-rhel8@sha256:0c83726f520790b68fba4926299c9a8327d2316d8d0aff472b64aad586a7a39a
rhmtc/openshift-migration-hook-runner-rhel8@sha256:e58aec84cb80cd57ef37038e83ca60113c8cb7998923806decd901355db06900
rhmtc/openshift-migration-log-reader-rhel8@sha256:2b887879f51ba42555bc166e2b5e44265a8ecce87d35ffe698054bd8394c5923
rhmtc/openshift-migration-must-gather-rhel8@sha256:e63f4262e1a95f5913a812437ec9bf25aa8903e8c41574b6f7b69b8f8bc850ad
rhmtc/openshift-migration-openvpn-rhel8@sha256:68aab51a9d9bf099124738d9e7506b357e0f194924f34dded268c2027e9e4dc5
rhmtc/openshift-migration-operator-bundle@sha256:6611752875c270468d29fc6ff63c6d66aaa2675c0e524937180ff8ee93215b4b
rhmtc/openshift-migration-registry-rhel8@sha256:bedabe364c8eef1627a9eb6f96737448df680ab090cecfdcfe20af90dac5240d
rhmtc/openshift-migration-rhel8-operator@sha256:6761863f92e894c1c0b019d4a640bfc872c6dcebcf18ce1abbe83691cae45a1d
rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:f64466725f6a76d47c191bbe50c7526add0774b04bccb9dabd8166c01e992123
rhmtc/openshift-migration-ui-rhel8@sha256:596f8ae61f2bb56e19e5e03bf7d114ff0607a7f381d6177b3cc0df2cfdcf1e58
rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:9a0002e60e5115d60cdaa09b852aca0ceaa704b35a864695afb384694bbf9d42

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.