RedHat: RHSA-2022-5840:01 Moderate: Migration Toolkit for Container...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update
Advisory ID:       RHSA-2022:5840-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5840
Issue date:        2022-08-02
CVE Names:         CVE-2018-25032 CVE-2018-1000858 CVE-2019-13050 
                   CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 
                   CVE-2019-20838 CVE-2020-14155 CVE-2020-28915 
                   CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 
                   CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 
                   CVE-2021-36087 CVE-2021-40528 CVE-2021-41617 
                   CVE-2022-0778 CVE-2022-1271 CVE-2022-1365 
                   CVE-2022-1621 CVE-2022-1629 CVE-2022-22576 
                   CVE-2022-24407 CVE-2022-24675 CVE-2022-25313 
                   CVE-2022-25314 CVE-2022-27666 CVE-2022-27774 
                   CVE-2022-27776 CVE-2022-27782 CVE-2022-28327 
                   CVE-2022-29526 CVE-2022-29824 
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.3 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es):

* cross-fetch: Exposure of Private Personal Information to an Unauthorized
Actor (CVE-2022-1365)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)

* golang: syscall: faccessat checks wrong group (CVE-2022-29526)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Velero and Restic are using incorrect SCCs [OADP-BL] (BZ#2082216)

* [MTC] Migrations gets stuck at StageBackup stage for indirect runs
[OADP-BL] (BZ#2091965)

* MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes
attached to source projects" step (BZ#2099856)

* Correct DNS validation for destination namespace (BZ#2102231)

* Deselecting all pvcs from UI still results in an attempted PVC transfer
(BZ#2106073)

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2082216 - Velero and Restic are using incorrect SCCs [OADP-BL]
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2091965 - [MTC] Migrations gets stuck at StageBackup stage for indirect runs [OADP-BL]
2099856 - MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes attached to source projects" step
2102231 - Correct DNS validation for destination namespace
2106073 - Deselecting all pvcs from UI still results in an attempted PVC transfer

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-1155 - Update to newer ansible runner image for hooks
MIG-1242 - Must set upper bound on OADP dep to prevent jump to 1.1
MIG-1254 - Investigate impact of deprecated Docker V2 Schema 1 for MTC on OCP3.11

6. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2018-1000858
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-28915
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2021-41617
https://access.redhat.com/security/cve/CVE-2022-0778
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1365
https://access.redhat.com/security/cve/CVE-2022-1621
https://access.redhat.com/security/cve/CVE-2022-1629
https://access.redhat.com/security/cve/CVE-2022-22576
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-27666
https://access.redhat.com/security/cve/CVE-2022-27774
https://access.redhat.com/security/cve/CVE-2022-27776
https://access.redhat.com/security/cve/CVE-2022-27782
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29526
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYuqtatzjgjWX9erEAQj0Cw/+Px30wY+lU4kEvevERJjBt6yHGvQnfqOr
VPKv+1ikwiA/x95m8fHGNrT6iqahLIbmyRPnZUvUbsSH0TD/vsDYyI/RmPuxpqaE
d5UjsnkjK4/+9nVSKWiiqpmq3fnmICvIlOYadpj3f6SuNiWGLhKivKLPdxgb9MU/
eWl7XN7RiFenuSWo1znYlk+WgEXSE3ltfQ6AZ3G4/H2D440AQfbDDWel+361Ng9F
LSrmi3G1bfrw1Ur3mA44QEr2BUVmZgAXvFiIWNXn6xeyfEQegNDrgFaELcY26RHy
1KpcLme8jDn5hCZIuApkOnfeBC8M1xibqhDHWaQHHXflpIdJAYDD4ZrFpK/ka0NO
WGqgBpktNGgIa1rhiOS7WkFPN/TLkgfikl38kw3Y/s8OgkLMt8QUQPm1Q4GyYeX+
3HBS67gX0hP6QVIeEQx3mQBgxP97LH1dEiisNp6/YZd6XpGRrGZU+3cgiXa2G4tc
irw7dDpJDWHqkLi9iTKcjRQpsghJqFL7qcZDxQPZYTD5peePPz7TSGoLzy0Ew8RO
44bf2FoxGd0LmA0WdCczLOhYA2K1/Il13kMEjWiqN76WvRZ5b5JUpTiyuKHYhOLn
rgbr4bVfkkfJFJfw/Gftrhz0xnIyYAE8ql6HULJzGwvS3VtZKw+IsSL6VRh6axsA
NhP6/InC1K0=
=W1QN
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-5840:01 Moderate: Migration Toolkit for Containers (MTC)

The Migration Toolkit for Containers (MTC) 1.7.3 is now available

Summary

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
Security Fix(es):
* cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-1365)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Velero and Restic are using incorrect SCCs [OADP-BL] (BZ#2082216)
* [MTC] Migrations gets stuck at StageBackup stage for indirect runs [OADP-BL] (BZ#2091965)
* MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes attached to source projects" step (BZ#2099856)
* Correct DNS validation for destination namespace (BZ#2102231)
* Deselecting all pvcs from UI still results in an attempted PVC transfer (BZ#2106073)

Solution

For details on how to install and use MTC, refer to:https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

References

https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2018-1000858 https://access.redhat.com/security/cve/CVE-2019-13050 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-28915 https://access.redhat.com/security/cve/CVE-2020-29361 https://access.redhat.com/security/cve/CVE-2020-29362 https://access.redhat.com/security/cve/CVE-2020-29363 https://access.redhat.com/security/cve/CVE-2021-36084 https://access.redhat.com/security/cve/CVE-2021-36085 https://access.redhat.com/security/cve/CVE-2021-36086 https://access.redhat.com/security/cve/CVE-2021-36087 https://access.redhat.com/security/cve/CVE-2021-40528 https://access.redhat.com/security/cve/CVE-2021-41617 https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1365 https://access.redhat.com/security/cve/CVE-2022-1621 https://access.redhat.com/security/cve/CVE-2022-1629 https://access.redhat.com/security/cve/CVE-2022-22576 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/cve/CVE-2022-24675 https://access.redhat.com/security/cve/CVE-2022-25313 https://access.redhat.com/security/cve/CVE-2022-25314 https://access.redhat.com/security/cve/CVE-2022-27666 https://access.redhat.com/security/cve/CVE-2022-27774 https://access.redhat.com/security/cve/CVE-2022-27776 https://access.redhat.com/security/cve/CVE-2022-27782 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-29526 https://access.redhat.com/security/cve/CVE-2022-29824 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:5840-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5840
Issued Date: : 2022-08-02
CVE Names: CVE-2018-25032 CVE-2018-1000858 CVE-2019-13050 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-20838 CVE-2020-14155 CVE-2020-28915 CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-40528 CVE-2021-41617 CVE-2022-0778 CVE-2022-1271 CVE-2022-1365 CVE-2022-1621 CVE-2022-1629 CVE-2022-22576 CVE-2022-24407 CVE-2022-24675 CVE-2022-25313 CVE-2022-25314 CVE-2022-27666 CVE-2022-27774 CVE-2022-27776 CVE-2022-27782 CVE-2022-28327 CVE-2022-29526 CVE-2022-29824

Topic

The Migration Toolkit for Containers (MTC) 1.7.3 is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode

2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar

2082216 - Velero and Restic are using incorrect SCCs [OADP-BL]

2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group

2091965 - [MTC] Migrations gets stuck at StageBackup stage for indirect runs [OADP-BL]

2099856 - MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes attached to source projects" step

2102231 - Correct DNS validation for destination namespace

2106073 - Deselecting all pvcs from UI still results in an attempted PVC transfer

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-1155 - Update to newer ansible runner image for hooks

MIG-1242 - Must set upper bound on OADP dep to prevent jump to 1.1

MIG-1254 - Investigate impact of deprecated Docker V2 Schema 1 for MTC on OCP3.11

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.