Red Hat Security Advisory 2021-3361-01

Posted Aug 31, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-3361-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a memory exhaustion vulnerability.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2021-20271, CVE-2021-21419, CVE-2021-21623, CVE-2021-21639, CVE-2021-21640, CVE-2021-21648, CVE-2021-22543, CVE-2021-22555, CVE-2021-22918, CVE-2021-25735, CVE-2021-25737, CVE-2021-27218, CVE-2021-3114, CVE-2021-3121, CVE-2021-33195, CVE-2021-33196, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3520, CVE-2021-3537, CVE-2021-3541, CVE-2021-3609, CVE-2021-3636
MD5 | e40da272fb5c5a49d3bf9b9ae2c47e22


=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.5.1 security and bug fix update
Advisory ID: RHSA-2021:3361-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3361
Issue date: 2021-08-31
CVE Names: CVE-2021-3114 CVE-2021-3121 CVE-2021-3516
CVE-2021-3517 CVE-2021-3518 CVE-2021-3520
CVE-2021-3537 CVE-2021-3541 CVE-2021-3609
CVE-2021-3636 CVE-2021-20271 CVE-2021-21419
CVE-2021-21623 CVE-2021-21639 CVE-2021-21640
CVE-2021-21648 CVE-2021-22543 CVE-2021-22555
CVE-2021-22918 CVE-2021-25735 CVE-2021-25737
CVE-2021-27218 CVE-2021-33195 CVE-2021-33196
CVE-2021-33197 CVE-2021-33198 CVE-2021-34558
=====================================================================

1. Summary:

An update is now available for the Migration Toolkit for Containers (MTC)
1.5.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security fixes:

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: archive/zip: malformed archive may cause panic or memory
exhaustion (CVE-2021-33196)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/4.8/migration-toolkit-for-containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1996125 - When "None" is selected as the target storage class in the web console, the setting is ignored and the default storage class is used

5. References:

https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-3609
https://access.redhat.com/security/cve/CVE-2021-3636
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-21419
https://access.redhat.com/security/cve/CVE-2021-21623
https://access.redhat.com/security/cve/CVE-2021-21639
https://access.redhat.com/security/cve/CVE-2021-21640
https://access.redhat.com/security/cve/CVE-2021-21648
https://access.redhat.com/security/cve/CVE-2021-22543
https://access.redhat.com/security/cve/CVE-2021-22555
https://access.redhat.com/security/cve/CVE-2021-22918
https://access.redhat.com/security/cve/CVE-2021-25735
https://access.redhat.com/security/cve/CVE-2021-25737
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33196
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce