exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2023-2041-01

Red Hat Security Advisory 2023-2041-01
Posted Apr 27, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-2041-01 - Migration Toolkit for Applications 6.1.0 Images. Issues addressed include denial of service, privilege escalation, server-side request forgery, and traversal vulnerabilities.

tags | advisory, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2021-4235, CVE-2022-1705, CVE-2022-27664, CVE-2022-2879, CVE-2022-2880, CVE-2022-2995, CVE-2022-30631, CVE-2022-3162, CVE-2022-31690, CVE-2022-3172, CVE-2022-32148, CVE-2022-32189, CVE-2022-32190, CVE-2022-3259
SHA-256 | cdceaf94ffb5f08d7907643b99fcb01c885eb8b1a5f5162002e04ee9e67c6574

Red Hat Security Advisory 2023-2041-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Migration Toolkit for Applications security and bug fix update
Advisory ID: RHSA-2023:2041-01
Product: MTA
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2041
Issue date: 2023-04-27
CVE Names: CVE-2021-4235 CVE-2022-1705 CVE-2022-2879
CVE-2022-2880 CVE-2022-2995 CVE-2022-3162
CVE-2022-3172 CVE-2022-3259 CVE-2022-3466
CVE-2022-3782 CVE-2022-4304 CVE-2022-4450
CVE-2022-27664 CVE-2022-30631 CVE-2022-31690
CVE-2022-32148 CVE-2022-32189 CVE-2022-32190
CVE-2022-41715 CVE-2022-41966 CVE-2022-46364
CVE-2023-0215 CVE-2023-0286 CVE-2023-0361
CVE-2023-0767 CVE-2023-23916
=====================================================================

1. Summary:

Migration Toolkit for Applications 6.1.0 release

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Applications 6.1.0 Images

Security Fix(es):

* keycloak: path traversal via double URL encoding (CVE-2022-3782)

* spring-security-oauth2-client: Privilege Escalation in
spring-security-oauth2-client (CVE-2022-31690)

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* Apache CXF: SSRF Vulnerability (CVE-2022-46364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow

5. JIRA issues fixed (https://issues.jboss.org/):

MTA-118 - Automated tagging of resources with Windup
MTA-123 - MTA crashes cluster nodes when running bulk binary analysis due to requests and limits not being configurable
MTA-129 - User field in Manage Import is empty
MTA-160 - [Upstream] Maven Repositories "No QueryClient set, use QueryClientProvider to set one"
MTA-204 - Every http request made to tagtypes returns HTTP Status 404
MTA-256 - Update application import template
MTA-260 - [Regression] Application import through OOTB import template fails
MTA-261 - [Regression] UI incorrectly reports target applications have in-progress/complete assessment
MTA-263 - [Regression] Discard assessment option present even when assessment is not complete
MTA-267 - Analysis EAP targets should include eap8
MTA-268 - RFE: Automated Tagging details to add on Review analysis details page
MTA-279 - All types of Source analysis is failing in MTA 6.1.0
MTA-28 - Success Alert is not displayed when subsequent analysis are submitted
MTA-282 - Discarding review results in 404 error
MTA-283 - Sorting broken on Application inventory page
MTA-284 - HTML reports download with no files in reports and stats folders
MTA-29 - Asterisk on Description while creating a credentials should be removed
MTA-297 - [Custom migration targets] Cannot upload JPG file as an icon
MTA-298 - [Custom migration targets] Unclear error when uploading image greater than 1Mb of size
MTA-299 - [RFE][Custom migration targets] Assign an icon: Add image max size in the note under the image name
MTA-300 - [Custom rules] Cannot upload more than one rules file
MTA-303 - [UI][Custom migration targets] The word "Please" should be removed from the error message about existing custom target name
MTA-304 - [Custom rules] Failed analysis when retrieving custom rules files from a repository
MTA-306 - MTA allows the uploading of multiple binaries for analysis
MTA-311 - MTA operator fails to reconcile on a clean (non-upgrade) install
MTA-314 - PVCs may not provision if storageClassName is not set.
MTA-330 - With auth disabled, 'username' seen in the persona dropdown
MTA-332 - Tagging: Few Tags are highlighted with color
MTA-34 - Cannot filter by Business Service when copying assessments
MTA-345 - [Custom migration targets] Error message "imageID must be defined" is displayed when uploading image
MTA-35 - Only the first notification is displayed when discarding multiple copied assessments
MTA-350 - Maven Central links from the dependencies tab in reports seem to be broken
MTA-351 - AspectJ is not identified as an Open Source Library
MTA-356 - The inventory view has to be refreshed for the tags that were assigned by an analysis to appear
MTA-363 - [UI][Custom migration targets] "Repository type" field name is missing
MTA-364 - [Custom migration targets] Unknown image file when editing a custom migration target
MTA-366 - Tagging: For no tags attached "filter by" can be improved
MTA-367 - [Custom migration targets] Cannot use a custom migration target in analysis
MTA-369 - Custom migration targets: HTML elements are duplicated
MTA-375 - Run button does not execute the analysis
MTA-377 - [UI][Custom rules] Custom rules screen of the analysis configuration wizard is always marked as required
MTA-378 - [UI][Custom rules] Info message on the Custom rules screen is not updated
MTA-38 - Only the first notification is displayed when multiple files are imported.
MTA-381 - Custom Rules: When try to update Add rules the Error alert is displayed
MTA-382 - Custom Rules: Sometimes able to upload duplicate rules files
MTA-388 - CSV reports download empty when enabling the option after an analysis
MTA-389 - [Custom rules in Analysis] Failed analysis when retrieving custom rules files from a private repository
MTA-391 - [Custom rules in Analysis] Targets from uploaded rules file are not removed once the file is removed
MTA-392 - Unable to see all custom migration targets when using a vertical monitor
MTA-41 - [UI] Failed to refresh token if Keycloak feature "Use Refresh Tokens" is off
MTA-412 - Display alert message before reviewing an already reviewed application
MTA-428 - [Custom Rules] MTA analysis custom rules conflict message
MTA-430 - Analysis wizard: Next button should be enabled only after at least one target is selected
MTA-438 - Tagging: Retrieving tags needs a loading indicator
MTA-439 - [Regression][Custom rules] Failed to run analysis with custom rules from a repository
MTA-443 - Custom rules: Add button can be disabled until duplicate rule file is removed
MTA-50 - RFE: Replace the MTA acronym in the title with "Migration Toolkit for Applications"
MTA-51 - RFE: " Select the list of packages to be analyzed manually" to modify the title
MTA-52 - [RFE] We can change "Not associated artifact" to "No associated artifact"
MTA-55 - Can't choose a custom rule via a file explorer(mac OS finder) in Tackle 2.0
MTA-78 - CVE-2022-46364 org.keycloak-keycloak-parent: Apache CXF: SSRF Vulnerability [mta-6.0]
MTA-99 - Unable to use root path during checking for maven dependencies

6. References:

https://access.redhat.com/security/cve/CVE-2021-4235
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-2995
https://access.redhat.com/security/cve/CVE-2022-3162
https://access.redhat.com/security/cve/CVE-2022-3172
https://access.redhat.com/security/cve/CVE-2022-3259
https://access.redhat.com/security/cve/CVE-2022-3466
https://access.redhat.com/security/cve/CVE-2022-3782
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-31690
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0767
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZEoN2tzjgjWX9erEAQjXnBAAkmnEp2E4V5MqKE1ceN2bdJtHXjPUVaUI
bmdKlIdZ2gs+C5SvhiOPIoAXgFIME2EoyzKTcNavcqxw1SElOZ8lT9Be4JMBqvBy
sFR2vYd7mVlCbfKMpYGk9AO6sVs+ZxCDQVWZz69+5y+fZrCn/dUa9BmKC6rqOiCe
MKLXIfc0rYvFJzaD7jKYF7PhPbZN3yYnI03xTeSHVnrTemf+YeDgituvoljGjqXX
h9A5TPrEx+RF/bPL9Vyvcs256BK7Ys/vtGwaGLiIHlOF7KvRqiMwWoFGyDppFNU+
K+iAgQZMWyAzdPz729Q+Tp2yjojUrgzhliDpcHihjUMjqo46QJF+T7jSeBcwkSAi
zqhBllaAoZj4KTFXA+QzGyOMrx+74HZmjPALkQxbHL5jvDhOUX1S0+kG5cLldXW0
PA3X61KWtkUqD0FGAHBgo1ka2bGsYERPxR0mOKr9C+/05tJ/zkkW+UFYYI23uQD2
aEMJ/eiq47GOOPpyCOToLNclpG09TuhbBL3JfMWLznZIhFI77GXFGlzsTZzvamNq
GM/fvG8uJO1cSL7EtO1i5yODU5D3svF1fDcBdXSDLFiQAolwhttbqbLvdtQRpIby
53OPBb5XzisPvmKcvK9aDEuggRmjYDWlZO0P3U1RArxT7S83orLIWhl4TXL34Tp+
xa5WuwmXIXM=
=S/aL
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close