Red Hat Security Advisory 2023-2041-01

Posted Apr 27, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-2041-01 - Migration Toolkit for Applications 6.1.0 Images. Issues addressed include denial of service, privilege escalation, server-side request forgery, and path traversal vulnerabilities.

tags | advisory, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2021-4235, CVE-2022-1705, CVE-2022-27664, CVE-2022-2879, CVE-2022-2880, CVE-2022-2995, CVE-2022-30631, CVE-2022-3162, CVE-2022-31690, CVE-2022-3172, CVE-2022-32148, CVE-2022-32189, CVE-2022-32190, CVE-2022-3259
SHA-256 | cdceaf94ffb5f08d7907643b99fcb01c885eb8b1a5f5162002e04ee9e67c6574

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Migration Toolkit for Applications security and bug fix update
Advisory ID: RHSA-2023:2041-01
Product: MTA
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2041
Issue date: 2023-04-27
CVE Names: CVE-2021-4235 CVE-2022-1705 CVE-2022-2879
CVE-2022-2880 CVE-2022-2995 CVE-2022-3162
CVE-2022-3172 CVE-2022-3259 CVE-2022-3466
CVE-2022-3782 CVE-2022-4304 CVE-2022-4450
CVE-2022-27664 CVE-2022-30631 CVE-2022-31690
CVE-2022-32148 CVE-2022-32189 CVE-2022-32190
CVE-2022-41715 CVE-2022-41966 CVE-2022-46364
CVE-2023-0215 CVE-2023-0286 CVE-2023-0361
CVE-2023-0767 CVE-2023-23916
=====================================================================

1. Summary:

Migration Toolkit for Applications 6.1.0 release

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Applications 6.1.0 Images

Security Fix(es):

* keycloak: path traversal via double URL encoding (CVE-2022-3782)

* spring-security-oauth2-client: Privilege Escalation in
spring-security-oauth2-client (CVE-2022-31690)

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* Apache CXF: SSRF Vulnerability (CVE-2022-46364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
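As an added illustration of why the keycloak entry above matters to a defender (this is not Keycloak's code or Red Hat's fix, and the mount point and request paths are constructed): a filter that percent-decodes once and then looks for ".." misses a second layer of encoding, whereas decoding to a fixed point before resolving path segments catches it.

```python
"""Detect path traversal hidden behind repeated percent-encoding.

Constructed example for the "path traversal via double URL encoding" class
named in the advisory (CVE-2022-3782). Inputs are the user-controlled
remainder of a URL after a hypothetical file-serving mount point.
"""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # upper bound; a stable value stops the loop earlier


def fully_decode(path):
    """Percent-decode until the value stops changing.

    Returns (decoded, rounds). unquote() decodes exactly one layer, so
    "%252e" becomes "%2e" after one round and "." only after a second.
    """
    current, rounds = path, 0
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def naive_flags_traversal(path):
    """The weak check: one decode, then a substring test for '..'."""
    return ".." in unquote(path)


def escapes_base(path):
    """True if the canonical path climbs above the mount point.

    Resolves '.' and '..' segment by segment instead of substring-matching,
    so 'a/../b' (which stays inside the base) is not a false positive.
    """
    decoded, _ = fully_decode(path)
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def classify(paths):
    """Return [(path, naive_flag, canonical_flag)] for a batch of request paths."""
    return [(p, naive_flags_traversal(p), escapes_base(p)) for p in paths]
```

The row where the naive flag is False and the canonical flag is True is the case a single-decode filter lets through.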

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow

5. JIRA issues fixed (https://issues.jboss.org/):

MTA-118 - Automated tagging of resources with Windup
MTA-123 - MTA crashes cluster nodes when running bulk binary analysis due to requests and limits not being configurable
MTA-129 - User field in Manage Import is empty
MTA-160 - [Upstream] Maven Repositories "No QueryClient set, use QueryClientProvider to set one"
MTA-204 - Every http request made to tagtypes returns HTTP Status 404
MTA-256 - Update application import template
MTA-260 - [Regression] Application import through OOTB import template fails
MTA-261 - [Regression] UI incorrectly reports target applications have in-progress/complete assessment
MTA-263 - [Regression] Discard assessment option present even when assessment is not complete
MTA-267 - Analysis EAP targets should include eap8
MTA-268 - RFE: Automated Tagging details to add on Review analysis details page
MTA-279 - All types of Source analysis is failing in MTA 6.1.0
MTA-28 - Success Alert is not displayed when subsequent analysis are submitted
MTA-282 - Discarding review results in 404 error
MTA-283 - Sorting broken on Application inventory page
MTA-284 - HTML reports download with no files in reports and stats folders
MTA-29 - Asterisk on Description while creating a credentials should be removed
MTA-297 - [Custom migration targets] Cannot upload JPG file as an icon
MTA-298 - [Custom migration targets] Unclear error when uploading image greater than 1Mb of size
MTA-299 - [RFE][Custom migration targets] Assign an icon: Add image max size in the note under the image name
MTA-300 - [Custom rules] Cannot upload more than one rules file
MTA-303 - [UI][Custom migration targets] The word "Please" should be removed from the error message about existing custom target name
MTA-304 - [Custom rules] Failed analysis when retrieving custom rules files from a repository
MTA-306 - MTA allows the uploading of multiple binaries for analysis
MTA-311 - MTA operator fails to reconcile on a clean (non-upgrade) install
MTA-314 - PVCs may not provision if storageClassName is not set.
MTA-330 - With auth disabled, 'username' seen in the persona dropdown
MTA-332 - Tagging: Few Tags are highlighted with color
MTA-34 - Cannot filter by Business Service when copying assessments
MTA-345 - [Custom migration targets] Error message "imageID must be defined" is displayed when uploading image
MTA-35 - Only the first notification is displayed when discarding multiple copied assessments
MTA-350 - Maven Central links from the dependencies tab in reports seem to be broken
MTA-351 - AspectJ is not identified as an Open Source Library
MTA-356 - The inventory view has to be refreshed for the tags that were assigned by an analysis to appear
MTA-363 - [UI][Custom migration targets] "Repository type" field name is missing
MTA-364 - [Custom migration targets] Unknown image file when editing a custom migration target
MTA-366 - Tagging: For no tags attached "filter by" can be improved
MTA-367 - [Custom migration targets] Cannot use a custom migration target in analysis
MTA-369 - Custom migration targets: HTML elements are duplicated
MTA-375 - Run button does not execute the analysis
MTA-377 - [UI][Custom rules] Custom rules screen of the analysis configuration wizard is always marked as required
MTA-378 - [UI][Custom rules] Info message on the Custom rules screen is not updated
MTA-38 - Only the first notification is displayed when multiple files are imported.
MTA-381 - Custom Rules: When try to update Add rules the Error alert is displayed
MTA-382 - Custom Rules: Sometimes able to upload duplicate rules files
MTA-388 - CSV reports download empty when enabling the option after an analysis
MTA-389 - [Custom rules in Analysis] Failed analysis when retrieving custom rules files from a private repository
MTA-391 - [Custom rules in Analysis] Targets from uploaded rules file are not removed once the file is removed
MTA-392 - Unable to see all custom migration targets when using a vertical monitor
MTA-41 - [UI] Failed to refresh token if Keycloak feature "Use Refresh Tokens" is off
MTA-412 - Display alert message before reviewing an already reviewed application
MTA-428 - [Custom Rules] MTA analysis custom rules conflict message
MTA-430 - Analysis wizard: Next button should be enabled only after at least one target is selected
MTA-438 - Tagging: Retrieving tags needs a loading indicator
MTA-439 - [Regression][Custom rules] Failed to run analysis with custom rules from a repository
MTA-443 - Custom rules: Add button can be disabled until duplicate rule file is removed
MTA-50 - RFE: Replace the MTA acronym in the title with "Migration Toolkit for Applications"
MTA-51 - RFE: " Select the list of packages to be analyzed manually" to modify the title
MTA-52 - [RFE] We can change "Not associated artifact" to "No associated artifact"
MTA-55 - Can't choose a custom rule via a file explorer(mac OS finder) in Tackle 2.0
MTA-78 - CVE-2022-46364 org.keycloak-keycloak-parent: Apache CXF: SSRF Vulnerability [mta-6.0]
MTA-99 - Unable to use root path during checking for maven dependencies

6. References:

https://access.redhat.com/security/cve/CVE-2021-4235
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-2995
https://access.redhat.com/security/cve/CVE-2022-3162
https://access.redhat.com/security/cve/CVE-2022-3172
https://access.redhat.com/security/cve/CVE-2022-3259
https://access.redhat.com/security/cve/CVE-2022-3466
https://access.redhat.com/security/cve/CVE-2022-3782
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-31690
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0767
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce