-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.7.2 security and bug fix update
Advisory ID:       RHSA-2022:5483-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5483
Issue date:        2022-07-01
CVE Names:         CVE-2018-25032 CVE-2020-0404 CVE-2020-4788
                   CVE-2020-13974 CVE-2020-19131 CVE-2020-27820
                   CVE-2020-35492 CVE-2021-0941 CVE-2021-3612
                   CVE-2021-3634 CVE-2021-3669 CVE-2021-3737
                   CVE-2021-3743 CVE-2021-3744 CVE-2021-3752
                   CVE-2021-3759 CVE-2021-3764 CVE-2021-3772
                   CVE-2021-3773 CVE-2021-3807 CVE-2021-4002
                   CVE-2021-4037 CVE-2021-4083 CVE-2021-4157
                   CVE-2021-4189 CVE-2021-4197 CVE-2021-4203
                   CVE-2021-20322 CVE-2021-21781 CVE-2021-26401
                   CVE-2021-29154 CVE-2021-37159 CVE-2021-41617
                   CVE-2021-41864 CVE-2021-42739 CVE-2021-43056
                   CVE-2021-43389 CVE-2021-43976 CVE-2021-44733
                   CVE-2021-45485 CVE-2021-45486 CVE-2022-0001
                   CVE-2022-0002 CVE-2022-0235 CVE-2022-0286
                   CVE-2022-0322 CVE-2022-0536 CVE-2022-1011
                   CVE-2022-1154 CVE-2022-1271 CVE-2022-23852
                   CVE-2022-26691
====================================================================
1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.2 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2038898 - [UI] ?Update Repository? option not getting disabled after adding the Replication Repository details to the MTC web console
2040693 - ?Replication repository? wizard has no validation for name length
2040695 - [MTC UI] ?Add Cluster? wizard stucks when the cluster name length is more than 63 characters
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2048537 - Exposed route host to image registry? connecting successfully to invalid registry ?xyz.com?
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2055658 - [MTC UI] Cancel button on ?Migrations? page does not disappear when migration gets Failed/Succeeded with warnings
2056962 - [MTC UI] UI shows the wrong migration type info after changing the target namespace
2058172 - [MTC UI] Successful Rollback is not showing the green success icon in the ?Last State? field.
2058529 - [MTC UI] Migrations Plan is missing the type for the state migration performed before upgrade
2061335 - [MTC UI] ?Update cluster? button is not getting disabled
2062266 - MTC UI does not display logs properly [OADP-BL]
2062862 - [MTC UI] Clusters page behaving unexpectedly on deleting the remote cluster?s service account secret from backend
2074675 - HPAs of DeploymentConfigs are not being updated when migration from Openshift 3.x to Openshift 4.x
2076593 - Velero pod log missing from UI  drop down
2076599 - Velero pod log missing from downloaded logs folder [OADP-BL]
2078459 - [MTC UI] Storageclass conversion plan is adding migstorage reference in migplan
2079252 - [MTC]  Rsync options logs not visible in log-reader pod
2082221 - Don't allow Storage class conversion migration if source cluster has only one storage class defined [UI]
2082225 - non-numeric user when launching stage pods [OADP-BL]
2088022 - Default CPU requests on Velero/Restic are too demanding making scheduling fail in certain environments
2088026 - Cloud propagation phase in migration controller is not doing anything due to missing labels on Velero pods
2089126 - [MTC] Migration controller cannot find Velero Pod because of wrong labels
2089411 - [MTC] Log reader pod is missing velero and restic pod logs [OADP-BL]
2089859 - [Crane] DPA CR is missing the required flag - Migration is getting failed at the EnsureCloudSecretPropagated phase due to the missing secret VolumeMounts
2090317 - [MTC] mig-operator failed to create a DPA CR due to null values are passed instead of int [OADP-BL]
2096939 - Fix legacy operator.yml inconsistencies and errors
2100486 - [MTC UI] Target storage class field is not getting respected when clusters don't have replication repo configured.

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2020-0404
https://access.redhat.com/security/cve/CVE-2020-4788
https://access.redhat.com/security/cve/CVE-2020-13974
https://access.redhat.com/security/cve/CVE-2020-19131
https://access.redhat.com/security/cve/CVE-2020-27820
https://access.redhat.com/security/cve/CVE-2020-35492
https://access.redhat.com/security/cve/CVE-2021-0941
https://access.redhat.com/security/cve/CVE-2021-3612
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3669
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-3743
https://access.redhat.com/security/cve/CVE-2021-3744
https://access.redhat.com/security/cve/CVE-2021-3752
https://access.redhat.com/security/cve/CVE-2021-3759
https://access.redhat.com/security/cve/CVE-2021-3764
https://access.redhat.com/security/cve/CVE-2021-3772
https://access.redhat.com/security/cve/CVE-2021-3773
https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-4002
https://access.redhat.com/security/cve/CVE-2021-4037
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2021-4157
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-4197
https://access.redhat.com/security/cve/CVE-2021-4203
https://access.redhat.com/security/cve/CVE-2021-20322
https://access.redhat.com/security/cve/CVE-2021-21781
https://access.redhat.com/security/cve/CVE-2021-26401
https://access.redhat.com/security/cve/CVE-2021-29154
https://access.redhat.com/security/cve/CVE-2021-37159
https://access.redhat.com/security/cve/CVE-2021-41617
https://access.redhat.com/security/cve/CVE-2021-41864
https://access.redhat.com/security/cve/CVE-2021-42739
https://access.redhat.com/security/cve/CVE-2021-43056
https://access.redhat.com/security/cve/CVE-2021-43389
https://access.redhat.com/security/cve/CVE-2021-43976
https://access.redhat.com/security/cve/CVE-2021-44733
https://access.redhat.com/security/cve/CVE-2021-45485
https://access.redhat.com/security/cve/CVE-2021-45486
https://access.redhat.com/security/cve/CVE-2022-0001
https://access.redhat.com/security/cve/CVE-2022-0002
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-0286
https://access.redhat.com/security/cve/CVE-2022-0322
https://access.redhat.com/security/cve/CVE-2022-0536
https://access.redhat.com/security/cve/CVE-2022-1011
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-23852
https://access.redhat.com/security/cve/CVE-2022-26691
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYr7qBNzjgjWX9erEAQgugw//ZP+OR2wysl+DmxNE9P5ri+kd/NBxdBKg
C6vlBpczeXUvPLEFp03wuoBoagTRfib6xjrKdc8+joCQv6UFYcO1kjqZqgcZgBeu
xJ6y7IzygYwK+nIoN3MP9YTYrejkwe7iaQnC3vLt3SIdg+u5s4N5kht4JPcnyRtY
ERa6u3OBoJ9C62y+jeQct+lziaARoldGeRtXzA70PP7WJ9N0cEvlk3AkOHsxfhZS
YXKPR+v94VlzU+egp97boMXZnvjvB/pGJLLtbPQtFsWIOMMzZ9iNHv2GsxQdsTyV
0GO1PlI7vRleqiYig1pHCjCuqJ4LUxWSis1AX3GYNRnqNC4RvYh8JBx82pKAR/eI
jhFC/r0A0AGzmpjHgY2S+2nz+P/O93aKr+RFfW+T+LVwAt854a0KPzZyMNWx1NPV
ccRq5kcphGCNMphRm0jqK2P1/urzIEVhCN4QgsJjqiEN+JGP4c2URdlcUXHOI6td
cR7jZfNb4T/sPg64h9fzip/FRoZNV3kYE8jjUd/pmFv7iJvAwuPij0H/dZsix4Zr
vboj+aDdTzuWU6pXLq0Z9xjlhh2Um172HsTimBxO6l5oXrzpVKvxFgi3dp56F2ql
6mkKuEr9gDWAxCkKBXsy5UQPNny7vxWc2cVGucevOYfF51zd/7cf1UDobG6scH2r
wqRrUS7nR3w=nCFJ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce