-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Migration Toolkit for Applications security and bug fix update Advisory ID: RHSA-2023:2041-01 Product: MTA Advisory URL: https://access.redhat.com/errata/RHSA-2023:2041 Issue date: 2023-04-27 CVE Names: CVE-2021-4235 CVE-2022-1705 CVE-2022-2879 CVE-2022-2880 CVE-2022-2995 CVE-2022-3162 CVE-2022-3172 CVE-2022-3259 CVE-2022-3466 CVE-2022-3782 CVE-2022-4304 CVE-2022-4450 CVE-2022-27664 CVE-2022-30631 CVE-2022-31690 CVE-2022-32148 CVE-2022-32189 CVE-2022-32190 CVE-2022-41715 CVE-2022-41966 CVE-2022-46364 CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 CVE-2023-0767 CVE-2023-23916 ===================================================================== 1. Summary: Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Migration Toolkit for Applications 6.1.0 Images Security Fix(es): * keycloak: path traversal via double URL encoding (CVE-2022-3782) * spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client (CVE-2022-31690) * xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966) * Apache CXF: SSRF Vulnerability (CVE-2022-46364) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding 2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability 2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client 2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow 5. JIRA issues fixed (https://issues.jboss.org/): MTA-118 - Automated tagging of resources with Windup MTA-123 - MTA crashes cluster nodes when running bulk binary analysis due to requests and limits not being configurable MTA-129 - User field in Manage Import is empty MTA-160 - [Upstream] Maven Repositories "No QueryClient set, use QueryClientProvider to set one" MTA-204 - Every http request made to tagtypes returns HTTP Status 404 MTA-256 - Update application import template MTA-260 - [Regression] Application import through OOTB import template fails MTA-261 - [Regression] UI incorrectly reports target applications have in-progress/complete assessment MTA-263 - [Regression] Discard assessment option present even when assessment is not complete MTA-267 - Analysis EAP targets should include eap8 MTA-268 - RFE: Automated Tagging details to add on Review analysis details page MTA-279 - All types of Source analysis is failing in MTA 6.1.0 MTA-28 - Success Alert is not displayed when subsequent analysis are submitted MTA-282 - Discarding review results in 404 error MTA-283 - Sorting broken on Application inventory page MTA-284 - HTML reports download with no files in reports and stats folders MTA-29 - Asterisk on Description while creating a credentials should be removed MTA-297 - [Custom migration targets] Cannot upload JPG file as an icon MTA-298 - [Custom migration targets] Unclear error when uploading image greater than 1Mb of size MTA-299 - [RFE][Custom migration targets] Assign an icon: Add image max size in the note under the image name MTA-300 - [Custom rules] Cannot upload more than one rules file MTA-303 - [UI][Custom migration targets] The word "Please" should be removed from the error message about existing custom target name MTA-304 - [Custom rules] Failed analysis when retrieving custom rules files from a repository MTA-306 - MTA allows the uploading of multiple binaries for analysis MTA-311 - MTA operator fails to reconcile on a clean (non-upgrade) install MTA-314 - PVCs may not provision if storageClassName is not set. MTA-330 - With auth disabled, 'username' seen in the persona dropdown MTA-332 - Tagging: Few Tags are highlighted with color MTA-34 - Cannot filter by Business Service when copying assessments MTA-345 - [Custom migration targets] Error message "imageID must be defined" is displayed when uploading image MTA-35 - Only the first notification is displayed when discarding multiple copied assessments MTA-350 - Maven Central links from the dependencies tab in reports seem to be broken MTA-351 - AspectJ is not identified as an Open Source Library MTA-356 - The inventory view has to be refreshed for the tags that were assigned by an analysis to appear MTA-363 - [UI][Custom migration targets] "Repository type" field name is missing MTA-364 - [Custom migration targets] Unknown image file when editing a custom migration target MTA-366 - Tagging: For no tags attached "filter by" can be improved MTA-367 - [Custom migration targets] Cannot use a custom migration target in analysis MTA-369 - Custom migration targets: HTML elements are duplicated MTA-375 - Run button does not execute the analysis MTA-377 - [UI][Custom rules] Custom rules screen of the analysis configuration wizard is always marked as required MTA-378 - [UI][Custom rules] Info message on the Custom rules screen is not updated MTA-38 - Only the first notification is displayed when multiple files are imported. MTA-381 - Custom Rules: When try to update Add rules the Error alert is displayed MTA-382 - Custom Rules: Sometimes able to upload duplicate rules files MTA-388 - CSV reports download empty when enabling the option after an analysis MTA-389 - [Custom rules in Analysis] Failed analysis when retrieving custom rules files from a private repository MTA-391 - [Custom rules in Analysis] Targets from uploaded rules file are not removed once the file is removed MTA-392 - Unable to see all custom migration targets when using a vertical monitor MTA-41 - [UI] Failed to refresh token if Keycloak feature "Use Refresh Tokens" is off MTA-412 - Display alert message before reviewing an already reviewed application MTA-428 - [Custom Rules] MTA analysis custom rules conflict message MTA-430 - Analysis wizard: Next button should be enabled only after at least one target is selected MTA-438 - Tagging: Retrieving tags needs a loading indicator MTA-439 - [Regression][Custom rules] Failed to run analysis with custom rules from a repository MTA-443 - Custom rules: Add button can be disabled until duplicate rule file is removed MTA-50 - RFE: Replace the MTA acronym in the title with "Migration Toolkit for Applications" MTA-51 - RFE: " Select the list of packages to be analyzed manually" to modify the title MTA-52 - [RFE] We can change "Not associated artifact" to "No associated artifact" MTA-55 - Can't choose a custom rule via a file explorer(mac OS finder) in Tackle 2.0 MTA-78 - CVE-2022-46364 org.keycloak-keycloak-parent: Apache CXF: SSRF Vulnerability [mta-6.0] MTA-99 - Unable to use root path during checking for maven dependencies 6. References: https://access.redhat.com/security/cve/CVE-2021-4235 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-2995 https://access.redhat.com/security/cve/CVE-2022-3162 https://access.redhat.com/security/cve/CVE-2022-3172 https://access.redhat.com/security/cve/CVE-2022-3259 https://access.redhat.com/security/cve/CVE-2022-3466 https://access.redhat.com/security/cve/CVE-2022-3782 https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-31690 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-41966 https://access.redhat.com/security/cve/CVE-2022-46364 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0767 https://access.redhat.com/security/cve/CVE-2023-23916 https://access.redhat.com/security/updates/classification/#important 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZEoN2tzjgjWX9erEAQjXnBAAkmnEp2E4V5MqKE1ceN2bdJtHXjPUVaUI bmdKlIdZ2gs+C5SvhiOPIoAXgFIME2EoyzKTcNavcqxw1SElOZ8lT9Be4JMBqvBy sFR2vYd7mVlCbfKMpYGk9AO6sVs+ZxCDQVWZz69+5y+fZrCn/dUa9BmKC6rqOiCe MKLXIfc0rYvFJzaD7jKYF7PhPbZN3yYnI03xTeSHVnrTemf+YeDgituvoljGjqXX h9A5TPrEx+RF/bPL9Vyvcs256BK7Ys/vtGwaGLiIHlOF7KvRqiMwWoFGyDppFNU+ K+iAgQZMWyAzdPz729Q+Tp2yjojUrgzhliDpcHihjUMjqo46QJF+T7jSeBcwkSAi zqhBllaAoZj4KTFXA+QzGyOMrx+74HZmjPALkQxbHL5jvDhOUX1S0+kG5cLldXW0 PA3X61KWtkUqD0FGAHBgo1ka2bGsYERPxR0mOKr9C+/05tJ/zkkW+UFYYI23uQD2 aEMJ/eiq47GOOPpyCOToLNclpG09TuhbBL3JfMWLznZIhFI77GXFGlzsTZzvamNq GM/fvG8uJO1cSL7EtO1i5yODU5D3svF1fDcBdXSDLFiQAolwhttbqbLvdtQRpIby 53OPBb5XzisPvmKcvK9aDEuggRmjYDWlZO0P3U1RArxT7S83orLIWhl4TXL34Tp+ xa5WuwmXIXM= =S/aL -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce