RedHat: RHSA-2022-5483:01 Moderate: Migration Toolkit for Container...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.7.2 security and bug fix update
Advisory ID:       RHSA-2022:5483-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5483
Issue date:        2022-07-01
CVE Names:         CVE-2018-25032 CVE-2020-0404 CVE-2020-4788 
                   CVE-2020-13974 CVE-2020-19131 CVE-2020-27820 
                   CVE-2020-35492 CVE-2021-0941 CVE-2021-3612 
                   CVE-2021-3634 CVE-2021-3669 CVE-2021-3737 
                   CVE-2021-3743 CVE-2021-3744 CVE-2021-3752 
                   CVE-2021-3759 CVE-2021-3764 CVE-2021-3772 
                   CVE-2021-3773 CVE-2021-3807 CVE-2021-4002 
                   CVE-2021-4037 CVE-2021-4083 CVE-2021-4157 
                   CVE-2021-4189 CVE-2021-4197 CVE-2021-4203 
                   CVE-2021-20322 CVE-2021-21781 CVE-2021-26401 
                   CVE-2021-29154 CVE-2021-37159 CVE-2021-41617 
                   CVE-2021-41864 CVE-2021-42739 CVE-2021-43056 
                   CVE-2021-43389 CVE-2021-43976 CVE-2021-44733 
                   CVE-2021-45485 CVE-2021-45486 CVE-2022-0001 
                   CVE-2022-0002 CVE-2022-0235 CVE-2022-0286 
                   CVE-2022-0322 CVE-2022-0536 CVE-2022-1011 
                   CVE-2022-1154 CVE-2022-1271 CVE-2022-23852 
                   CVE-2022-26691 
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.2 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2038898 - [UI] ?Update Repository? option not getting disabled after adding the Replication Repository details to the MTC web console
2040693 - ?Replication repository? wizard has no validation for name length
2040695 - [MTC UI] ?Add Cluster? wizard stucks when the cluster name length is more than 63 characters
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2048537 - Exposed route host to image registry? connecting successfully to invalid registry ?xyz.com?
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2055658 - [MTC UI] Cancel button on ?Migrations? page does not disappear when migration gets Failed/Succeeded with warnings
2056962 - [MTC UI] UI shows the wrong migration type info after changing the target namespace
2058172 - [MTC UI] Successful Rollback is not showing the green success icon in the ?Last State? field.
2058529 - [MTC UI] Migrations Plan is missing the type for the state migration performed before upgrade
2061335 - [MTC UI] ?Update cluster? button is not getting disabled
2062266 - MTC UI does not display logs properly [OADP-BL]
2062862 - [MTC UI] Clusters page behaving unexpectedly on deleting the remote cluster?s service account secret from backend
2074675 - HPAs of DeploymentConfigs are not being updated when migration from Openshift 3.x to Openshift 4.x
2076593 - Velero pod log missing from UI  drop down
2076599 - Velero pod log missing from downloaded logs folder [OADP-BL]
2078459 - [MTC UI] Storageclass conversion plan is adding migstorage reference in migplan
2079252 - [MTC]  Rsync options logs not visible in log-reader pod
2082221 - Don't allow Storage class conversion migration if source cluster has only one storage class defined [UI]
2082225 - non-numeric user when launching stage pods [OADP-BL]
2088022 - Default CPU requests on Velero/Restic are too demanding making scheduling fail in certain environments
2088026 - Cloud propagation phase in migration controller is not doing anything due to missing labels on Velero pods
2089126 - [MTC] Migration controller cannot find Velero Pod because of wrong labels
2089411 - [MTC] Log reader pod is missing velero and restic pod logs [OADP-BL]
2089859 - [Crane] DPA CR is missing the required flag - Migration is getting failed at the EnsureCloudSecretPropagated phase due to the missing secret VolumeMounts
2090317 - [MTC] mig-operator failed to create a DPA CR due to null values are passed instead of int [OADP-BL]
2096939 - Fix legacy operator.yml inconsistencies and errors
2100486 - [MTC UI] Target storage class field is not getting respected when clusters don't have replication repo configured.

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2020-0404
https://access.redhat.com/security/cve/CVE-2020-4788
https://access.redhat.com/security/cve/CVE-2020-13974
https://access.redhat.com/security/cve/CVE-2020-19131
https://access.redhat.com/security/cve/CVE-2020-27820
https://access.redhat.com/security/cve/CVE-2020-35492
https://access.redhat.com/security/cve/CVE-2021-0941
https://access.redhat.com/security/cve/CVE-2021-3612
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3669
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-3743
https://access.redhat.com/security/cve/CVE-2021-3744
https://access.redhat.com/security/cve/CVE-2021-3752
https://access.redhat.com/security/cve/CVE-2021-3759
https://access.redhat.com/security/cve/CVE-2021-3764
https://access.redhat.com/security/cve/CVE-2021-3772
https://access.redhat.com/security/cve/CVE-2021-3773
https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-4002
https://access.redhat.com/security/cve/CVE-2021-4037
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2021-4157
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-4197
https://access.redhat.com/security/cve/CVE-2021-4203
https://access.redhat.com/security/cve/CVE-2021-20322
https://access.redhat.com/security/cve/CVE-2021-21781
https://access.redhat.com/security/cve/CVE-2021-26401
https://access.redhat.com/security/cve/CVE-2021-29154
https://access.redhat.com/security/cve/CVE-2021-37159
https://access.redhat.com/security/cve/CVE-2021-41617
https://access.redhat.com/security/cve/CVE-2021-41864
https://access.redhat.com/security/cve/CVE-2021-42739
https://access.redhat.com/security/cve/CVE-2021-43056
https://access.redhat.com/security/cve/CVE-2021-43389
https://access.redhat.com/security/cve/CVE-2021-43976
https://access.redhat.com/security/cve/CVE-2021-44733
https://access.redhat.com/security/cve/CVE-2021-45485
https://access.redhat.com/security/cve/CVE-2021-45486
https://access.redhat.com/security/cve/CVE-2022-0001
https://access.redhat.com/security/cve/CVE-2022-0002
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-0286
https://access.redhat.com/security/cve/CVE-2022-0322
https://access.redhat.com/security/cve/CVE-2022-0536
https://access.redhat.com/security/cve/CVE-2022-1011
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-23852
https://access.redhat.com/security/cve/CVE-2022-26691
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYr7qBNzjgjWX9erEAQgugw//ZP+OR2wysl+DmxNE9P5ri+kd/NBxdBKg
C6vlBpczeXUvPLEFp03wuoBoagTRfib6xjrKdc8+joCQv6UFYcO1kjqZqgcZgBeu
xJ6y7IzygYwK+nIoN3MP9YTYrejkwe7iaQnC3vLt3SIdg+u5s4N5kht4JPcnyRtY
ERa6u3OBoJ9C62y+jeQct+lziaARoldGeRtXzA70PP7WJ9N0cEvlk3AkOHsxfhZS
YXKPR+v94VlzU+egp97boMXZnvjvB/pGJLLtbPQtFsWIOMMzZ9iNHv2GsxQdsTyV
0GO1PlI7vRleqiYig1pHCjCuqJ4LUxWSis1AX3GYNRnqNC4RvYh8JBx82pKAR/eI
jhFC/r0A0AGzmpjHgY2S+2nz+P/O93aKr+RFfW+T+LVwAt854a0KPzZyMNWx1NPV
ccRq5kcphGCNMphRm0jqK2P1/urzIEVhCN4QgsJjqiEN+JGP4c2URdlcUXHOI6td
cR7jZfNb4T/sPg64h9fzip/FRoZNV3kYE8jjUd/pmFv7iJvAwuPij0H/dZsix4Zr
vboj+aDdTzuWU6pXLq0Z9xjlhh2Um172HsTimBxO6l5oXrzpVKvxFgi3dp56F2ql
6mkKuEr9gDWAxCkKBXsy5UQPNny7vxWc2cVGucevOYfF51zd/7cf1UDobG6scH2r
wqRrUS7nR3w=
=nCFJ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-5483:01 Moderate: Migration Toolkit for Containers (MTC)

The Migration Toolkit for Containers (MTC) 1.7.2 is now available

Summary

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
Security Fix(es) from Bugzilla:
* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
* node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)
* follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to install and use MTC, refer to:https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

References

https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2020-0404 https://access.redhat.com/security/cve/CVE-2020-4788 https://access.redhat.com/security/cve/CVE-2020-13974 https://access.redhat.com/security/cve/CVE-2020-19131 https://access.redhat.com/security/cve/CVE-2020-27820 https://access.redhat.com/security/cve/CVE-2020-35492 https://access.redhat.com/security/cve/CVE-2021-0941 https://access.redhat.com/security/cve/CVE-2021-3612 https://access.redhat.com/security/cve/CVE-2021-3634 https://access.redhat.com/security/cve/CVE-2021-3669 https://access.redhat.com/security/cve/CVE-2021-3737 https://access.redhat.com/security/cve/CVE-2021-3743 https://access.redhat.com/security/cve/CVE-2021-3744 https://access.redhat.com/security/cve/CVE-2021-3752 https://access.redhat.com/security/cve/CVE-2021-3759 https://access.redhat.com/security/cve/CVE-2021-3764 https://access.redhat.com/security/cve/CVE-2021-3772 https://access.redhat.com/security/cve/CVE-2021-3773 https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-4002 https://access.redhat.com/security/cve/CVE-2021-4037 https://access.redhat.com/security/cve/CVE-2021-4083 https://access.redhat.com/security/cve/CVE-2021-4157 https://access.redhat.com/security/cve/CVE-2021-4189 https://access.redhat.com/security/cve/CVE-2021-4197 https://access.redhat.com/security/cve/CVE-2021-4203 https://access.redhat.com/security/cve/CVE-2021-20322 https://access.redhat.com/security/cve/CVE-2021-21781 https://access.redhat.com/security/cve/CVE-2021-26401 https://access.redhat.com/security/cve/CVE-2021-29154 https://access.redhat.com/security/cve/CVE-2021-37159 https://access.redhat.com/security/cve/CVE-2021-41617 https://access.redhat.com/security/cve/CVE-2021-41864 https://access.redhat.com/security/cve/CVE-2021-42739 https://access.redhat.com/security/cve/CVE-2021-43056 https://access.redhat.com/security/cve/CVE-2021-43389 https://access.redhat.com/security/cve/CVE-2021-43976 https://access.redhat.com/security/cve/CVE-2021-44733 https://access.redhat.com/security/cve/CVE-2021-45485 https://access.redhat.com/security/cve/CVE-2021-45486 https://access.redhat.com/security/cve/CVE-2022-0001 https://access.redhat.com/security/cve/CVE-2022-0002 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-0286 https://access.redhat.com/security/cve/CVE-2022-0322 https://access.redhat.com/security/cve/CVE-2022-0536 https://access.redhat.com/security/cve/CVE-2022-1011 https://access.redhat.com/security/cve/CVE-2022-1154 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-23852 https://access.redhat.com/security/cve/CVE-2022-26691 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:5483-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5483
Issued Date: : 2022-07-01
CVE Names: CVE-2018-25032 CVE-2020-0404 CVE-2020-4788 CVE-2020-13974 CVE-2020-19131 CVE-2020-27820 CVE-2020-35492 CVE-2021-0941 CVE-2021-3612 CVE-2021-3634 CVE-2021-3669 CVE-2021-3737 CVE-2021-3743 CVE-2021-3744 CVE-2021-3752 CVE-2021-3759 CVE-2021-3764 CVE-2021-3772 CVE-2021-3773 CVE-2021-3807 CVE-2021-4002 CVE-2021-4037 CVE-2021-4083 CVE-2021-4157 CVE-2021-4189 CVE-2021-4197 CVE-2021-4203 CVE-2021-20322 CVE-2021-21781 CVE-2021-26401 CVE-2021-29154 CVE-2021-37159 CVE-2021-41617 CVE-2021-41864 CVE-2021-42739 CVE-2021-43056 CVE-2021-43389 CVE-2021-43976 CVE-2021-44733 CVE-2021-45485 CVE-2021-45486 CVE-2022-0001 CVE-2022-0002 CVE-2022-0235 CVE-2022-0286 CVE-2022-0322 CVE-2022-0536 CVE-2022-1011 CVE-2022-1154 CVE-2022-1271 CVE-2022-23852 CVE-2022-26691

Topic

The Migration Toolkit for Containers (MTC) 1.7.2 is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes

2038898 - [UI] ?Update Repository? option not getting disabled after adding the Replication Repository details to the MTC web console

2040693 - ?Replication repository? wizard has no validation for name length

2040695 - [MTC UI] ?Add Cluster? wizard stucks when the cluster name length is more than 63 characters

2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor

2048537 - Exposed route host to image registry? connecting successfully to invalid registry ?xyz.com?

2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak

2055658 - [MTC UI] Cancel button on ?Migrations? page does not disappear when migration gets Failed/Succeeded with warnings

2056962 - [MTC UI] UI shows the wrong migration type info after changing the target namespace

2058172 - [MTC UI] Successful Rollback is not showing the green success icon in the ?Last State? field.

2058529 - [MTC UI] Migrations Plan is missing the type for the state migration performed before upgrade

2061335 - [MTC UI] ?Update cluster? button is not getting disabled

2062266 - MTC UI does not display logs properly [OADP-BL]

2062862 - [MTC UI] Clusters page behaving unexpectedly on deleting the remote cluster?s service account secret from backend

2074675 - HPAs of DeploymentConfigs are not being updated when migration from Openshift 3.x to Openshift 4.x

2076593 - Velero pod log missing from UI drop down

2076599 - Velero pod log missing from downloaded logs folder [OADP-BL]

2078459 - [MTC UI] Storageclass conversion plan is adding migstorage reference in migplan

2079252 - [MTC] Rsync options logs not visible in log-reader pod

2082221 - Don't allow Storage class conversion migration if source cluster has only one storage class defined [UI]

2082225 - non-numeric user when launching stage pods [OADP-BL]

2088022 - Default CPU requests on Velero/Restic are too demanding making scheduling fail in certain environments

2088026 - Cloud propagation phase in migration controller is not doing anything due to missing labels on Velero pods

2089126 - [MTC] Migration controller cannot find Velero Pod because of wrong labels

2089411 - [MTC] Log reader pod is missing velero and restic pod logs [OADP-BL]

2089859 - [Crane] DPA CR is missing the required flag - Migration is getting failed at the EnsureCloudSecretPropagated phase due to the missing secret VolumeMounts

2090317 - [MTC] mig-operator failed to create a DPA CR due to null values are passed instead of int [OADP-BL]

2096939 - Fix legacy operator.yml inconsistencies and errors

2100486 - [MTC UI] Target storage class field is not getting respected when clusters don't have replication repo configured.

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.