what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-9047-01

Red Hat Security Advisory 2022-9047-01
Posted Dec 15, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-9047-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2016-3709, CVE-2020-28851, CVE-2020-28852, CVE-2020-35525, CVE-2020-35527, CVE-2022-0561, CVE-2022-0562, CVE-2022-0865, CVE-2022-0891, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924, CVE-2022-1122, CVE-2022-1304
SHA-256 | 58d1307f76e7139a63f6f7c8afd46290dea17ded1afee0e63040db0d909d0384

Red Hat Security Advisory 2022-9047-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update
Advisory ID: RHSA-2022:9047-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2022:9047
Issue date: 2022-12-15
CVE Names: CVE-2016-3709 CVE-2020-28851 CVE-2020-28852
CVE-2020-35525 CVE-2020-35527 CVE-2022-0561
CVE-2022-0562 CVE-2022-0865 CVE-2022-0891
CVE-2022-0908 CVE-2022-0909 CVE-2022-0924
CVE-2022-1122 CVE-2022-1304 CVE-2022-1355
CVE-2022-1705 CVE-2022-1962 CVE-2022-2509
CVE-2022-3515 CVE-2022-22624 CVE-2022-22628
CVE-2022-22629 CVE-2022-22662 CVE-2022-22844
CVE-2022-25308 CVE-2022-25309 CVE-2022-25310
CVE-2022-26700 CVE-2022-26709 CVE-2022-26710
CVE-2022-26716 CVE-2022-26717 CVE-2022-26719
CVE-2022-27404 CVE-2022-27405 CVE-2022-27406
CVE-2022-27664 CVE-2022-28131 CVE-2022-30293
CVE-2022-30629 CVE-2022-30630 CVE-2022-30632
CVE-2022-30633 CVE-2022-30635 CVE-2022-32148
CVE-2022-32189 CVE-2022-37434 CVE-2022-42898
====================================================================
1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.6 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
2132957 - Migration fails at UnQuiesceDestApplications step in OCP 4.12
2137304 - Location for host cluster is missing in the UI
2140208 - When editing a MigHook in the UI, the page may fail to reload
2143628 - Unable to create Storage Class Conversion plan due to missing cronjob error in OCP 4.12
2143872 - Namespaces page in web console stuck in loading phase
2149920 - Migration fails at prebackupHooks step

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-1240 - Implement proposed changes for DVM support with PSAs in 4.12

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2022-0561
https://access.redhat.com/security/cve/CVE-2022-0562
https://access.redhat.com/security/cve/CVE-2022-0865
https://access.redhat.com/security/cve/CVE-2022-0891
https://access.redhat.com/security/cve/CVE-2022-0908
https://access.redhat.com/security/cve/CVE-2022-0909
https://access.redhat.com/security/cve/CVE-2022-0924
https://access.redhat.com/security/cve/CVE-2022-1122
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1355
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-22844
https://access.redhat.com/security/cve/CVE-2022-25308
https://access.redhat.com/security/cve/CVE-2022-25309
https://access.redhat.com/security/cve/CVE-2022-25310
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27404
https://access.redhat.com/security/cve/CVE-2022-27405
https://access.redhat.com/security/cve/CVE-2022-27406
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5qjzdzjgjWX9erEAQjjjA//es5rXZ2qQwQJekrx32tlQ+R2v2BO0jKJ
EIKiMSoPFOotf2TPCnn60CHUGhBs/RkjtqYFIvKW+pMBioRkaqPc8yDCraOGszrH
pAYPI6+lTAfr0YjPJmA9aP5c0tAspHCVISi7+cuIDPTWUPnKtiH9XA8z5WCjWY4H
v2gfULxXtSy2gkG+ezS3xXjrkEvqo33sXhar9baoG3ILfStpNwIrQ3Qt55gYM1yh
y0HxxSjuqpgGFUiSN2wJuox60xA9hFA4B/YVfhzvKs9JFW454tNSns1V+89MSKsF
NIMtuLOpbYe0OT3YsgP2qA1rRwY/HVzV/ewNM9ATQIBPgfXlDt4A3KBhfcSB/xSm
RnERhgp6PJmNU/t1wufhhOD/IfO55v6DKDHf1xZu8Q3NxhZ3ucXxLSrb17q0zOkp
LngN8f0RYzXUNWOapCK+QPAXyhvUYkHi8VFxBbCgF48N00as6IpaK6hgYR9D+mCm
WdljOEZR2CaNhnzU51vutM5T2J/B8S/CA8SYG/ndoyS+fwFkEDv+Ncmg+0Amtu6s
pIhCdvxK6r9+Gh0qbKeT4ALnmUjowQ8+nVTP0GzDWR3InF/YWGOfWi+Q1moUZXND
7Hj1kp46KXlTzPbLKr54RPq98CT8wqPR1IZ7VKD+M5xTYWTlO+uED6TBxRBmrKrL
O33JZ0TnfDw=cTlF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close