RedHat: RHSA-2022-5840:01 Moderate: Migration Toolkit for Containers (MTC)
Summary
The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.
Security Fix(es):
* cross-fetch: Exposure of Private Personal Information to an Unauthorized
Actor (CVE-2022-1365)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* Velero and Restic are using incorrect SCCs [OADP-BL] (BZ#2082216)
* [MTC] Migrations gets stuck at StageBackup stage for indirect runs
[OADP-BL] (BZ#2091965)
* MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes
attached to source projects" step (BZ#2099856)
* Correct DNS validation for destination namespace (BZ#2102231)
* Deselecting all pvcs from UI still results in an attempted PVC transfer
(BZ#2106073)
Summary
Solution
For details on how to install and use MTC, refer to:
https://docs.openshift.com/container-platform/4.14/migration_toolkit_for_containers/installing-mtc.html
References
https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2018-1000858 https://access.redhat.com/security/cve/CVE-2019-13050 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-28915 https://access.redhat.com/security/cve/CVE-2020-29361 https://access.redhat.com/security/cve/CVE-2020-29362 https://access.redhat.com/security/cve/CVE-2020-29363 https://access.redhat.com/security/cve/CVE-2021-36084 https://access.redhat.com/security/cve/CVE-2021-36085 https://access.redhat.com/security/cve/CVE-2021-36086 https://access.redhat.com/security/cve/CVE-2021-36087 https://access.redhat.com/security/cve/CVE-2021-40528 https://access.redhat.com/security/cve/CVE-2021-41617 https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1365 https://access.redhat.com/security/cve/CVE-2022-1621 https://access.redhat.com/security/cve/CVE-2022-1629 https://access.redhat.com/security/cve/CVE-2022-22576 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/cve/CVE-2022-24675 https://access.redhat.com/security/cve/CVE-2022-25313 https://access.redhat.com/security/cve/CVE-2022-25314 https://access.redhat.com/security/cve/CVE-2022-27666 https://access.redhat.com/security/cve/CVE-2022-27774 https://access.redhat.com/security/cve/CVE-2022-27776 https://access.redhat.com/security/cve/CVE-2022-27782 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-29526 https://access.redhat.com/security/cve/CVE-2022-29824 https://access.redhat.com/security/updates/classification/#moderate
Package List
Topic
The Migration Toolkit for Containers (MTC) 1.7.3 is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2082216 - Velero and Restic are using incorrect SCCs [OADP-BL]
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2091965 - [MTC] Migrations gets stuck at StageBackup stage for indirect runs [OADP-BL]
2099856 - MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes attached to source projects" step
2102231 - Correct DNS validation for destination namespace
2106073 - Deselecting all pvcs from UI still results in an attempted PVC transfer
5. JIRA issues fixed (https://issues.redhat.com/):
MIG-1155 - Update to newer ansible runner image for hooks
MIG-1242 - Must set upper bound on OADP dep to prevent jump to 1.1
MIG-1254 - Investigate impact of deprecated Docker V2 Schema 1 for MTC on OCP3.11