-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update
Advisory ID:       RHSA-2022:6429-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6429
Issue date:        2022-09-13
CVE Names:         CVE-2018-25032 CVE-2019-5827 CVE-2019-13750 
                   CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 
                   CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 
                   CVE-2020-8559 CVE-2020-13435 CVE-2020-14155 
                   CVE-2020-15586 CVE-2020-16845 CVE-2020-24370 
                   CVE-2020-28493 CVE-2020-28500 CVE-2021-3580 
                   CVE-2021-3634 CVE-2021-3737 CVE-2021-4189 
                   CVE-2021-20095 CVE-2021-20231 CVE-2021-20232 
                   CVE-2021-23177 CVE-2021-23337 CVE-2021-25219 
                   CVE-2021-31566 CVE-2021-36084 CVE-2021-36085 
                   CVE-2021-36086 CVE-2021-36087 CVE-2021-40528 
                   CVE-2021-42771 CVE-2022-0512 CVE-2022-0639 
                   CVE-2022-0686 CVE-2022-0691 CVE-2022-1271 
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-1650 
                   CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-2526 
                   CVE-2022-24407 CVE-2022-25313 CVE-2022-25314 
                   CVE-2022-29154 CVE-2022-29824 CVE-2022-30629 
                   CVE-2022-30631 CVE-2022-32206 CVE-2022-32208 
====================================================================
1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.4 is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es):

* nodejs-url-parse: authorization bypass through user-controlled key
(CVE-2022-0512)

* npm-url-parse: Authorization bypass through user-controlled key
(CVE-2022-0686)

* npm-url-parse: authorization bypass through user-controlled key
(CVE-2022-0691)

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)

* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)

* nodejs-lodash: command injection via template (CVE-2021-23337)

* npm-url-parse: Authorization Bypass Through User-Controlled Key
(CVE-2022-0639)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/4.15/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key
2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key
2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
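The header block, the "Security Fix(es)" entries and the "Bugs fixed" entries above follow a fixed plain-text layout, and a vulnerability-management pipeline normally wants them as structured data rather than as prose. The following Python parser is an added example, not part of this advisory or of any Red Hat tooling: it reads those three sections from the RHSA-announce text form and then reconciles them, so that CVEs appearing only in the "CVE Names" header are separated from the ones for which this advisory describes a dedicated fix and a Bugzilla entry. The embedded SAMPLE is a constructed, abbreviated excerpt of this advisory's own text; all function, class and field names are the example's own.

```python
"""Parse a Red Hat advisory in its plain-text (RHSA-announce) form and
reconcile its CVE lists. Added example, not part of the advisory or of any
Red Hat tooling; names and the SAMPLE excerpt are this example's own.
"""
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HEADER_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$")      # "Advisory ID:   RHSA-..."
SECTION_RE = re.compile(r"^\d+\. ")                    # "1. Summary:" and so on
# One fix entry after its wrapped lines are joined: "* component: title (CVE-...)"
FIX_RE = re.compile(r"\* ([^:]+): (.+) \(((?:CVE-\d{4}-\d{4,}\s*)+)\)")
BUG_RE = re.compile(r"^(\d+) - (CVE-\d{4}-\d{4,}) (.+)$")  # "1928937 - CVE-... title"

# Constructed, abbreviated excerpt of RHSA-2022:6429 so the module runs offline.
SAMPLE = """\
Synopsis:          Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update
Advisory ID:       RHSA-2022:6429-01
Issue date:        2022-09-13
CVE Names:         CVE-2018-25032 CVE-2020-28500
                   CVE-2022-0512 CVE-2022-30631
====================================================================
1. Summary:

Security Fix(es):

* nodejs-url-parse: authorization bypass through user-controlled key
(CVE-2022-0512)

* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

4. Bugs fixed (https://bugzilla.redhat.com/):

1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
"""

@dataclass
class Advisory:
    headers: dict   # "Advisory ID", "Synopsis", "CVE Names", ...
    fixes: list     # {"component", "title", "cves"} per "Security Fix(es)" entry
    bugs: list      # {"bug", "cve", "title"} per "Bugs fixed" entry

    def severity(self):
        # The synopsis leads with the impact rating, e.g. "Important: ..."
        return self.headers.get("Synopsis", "").split(":", 1)[0].strip()

    def cve_names(self):
        return CVE_RE.findall(self.headers.get("CVE Names", ""))

def _parse_headers(lines):
    headers, key = {}, None
    for line in lines:
        if SECTION_RE.match(line):          # "1. Summary:" ends the header block
            break
        m = HEADER_RE.match(line)
        if m:
            key = m.group(1).strip()
            headers[key] = m.group(2).strip()
        elif key and line[:1].isspace():
            headers[key] += " " + line.strip()  # wrapped continuation line
    return headers

def _parse_fixes(lines):
    fixes, block, inside = [], [], False
    for line in lines + [""]:
        if not inside:
            inside = line.strip() == "Security Fix(es):"
        elif SECTION_RE.match(line) or line.startswith("For more details"):
            break
        elif line.strip():
            block.append(line.strip())
        elif block:                     # blank line closes one wrapped entry
            m = FIX_RE.fullmatch(" ".join(block))
            if m:
                fixes.append({"component": m.group(1), "title": m.group(2),
                              "cves": tuple(CVE_RE.findall(m.group(3)))})
            block = []
    return fixes

def parse_advisory(text):
    lines = text.splitlines()
    bugs = [dict(zip(("bug", "cve", "title"), m.groups()))
            for m in map(BUG_RE.match, lines) if m]
    return Advisory(_parse_headers(lines), _parse_fixes(lines), bugs)

def reconcile(adv):
    """Set differences between the three places a CVE can appear."""
    listed, bugged = set(adv.cve_names()), {b["cve"] for b in adv.bugs}
    fixed = {c for f in adv.fixes for c in f["cves"]}
    return {"fixed": sorted(fixed),
            "listed_only": sorted(listed - fixed),      # listed, no fix entry
            "fix_without_bug": sorted(fixed - bugged),
            "bug_without_fix": sorted(bugged - fixed)}
```

Run against the full advisory text, `reconcile` reports the CVEs from the "CVE Names" header that have no "Security Fix(es)" entry of their own under `listed_only`, and the two remaining keys flag an advisory whose fix list and Bugzilla list disagree; on this advisory both of those are empty, since each of the eight described fixes has exactly one bug entry.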

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-8559
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2020-28493
https://access.redhat.com/security/cve/CVE-2020-28500
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-20095
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-23337
https://access.redhat.com/security/cve/CVE-2021-25219
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2021-42771
https://access.redhat.com/security/cve/CVE-2022-0512
https://access.redhat.com/security/cve/CVE-2022-0639
https://access.redhat.com/security/cve/CVE-2022-0686
https://access.redhat.com/security/cve/CVE-2022-0691
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1650
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYyAtcdzjgjWX9erEAQgJhg/5AV9WJmzuYMrSepeTb/4U1ByaKOyTBDFD
6tP0664gSve8r4jyUSPH7jLh3ucnr5oixoGRaYIv1velZBjwShKkNx0xYZJLJFr7
ePL+JiiE6MeqkWWD6X+wC4dgfaplvKxqt+bEVPm9F3wUB96rIFwyrJ4IscW1rbFP
MePUesukKWoxAqQhNOUT2AvaOxHKzSlvmHG2vKt99olmosxYMWwUwZuN89kIYv75
GkkOUjL11GtuOnbeppwgPkzC2Z5cdgQRb7J15msVyFiC/wjaJHzkBFvUt+JUdJI1
OQ3VYHd5+m2c3Y7nC46WAhATCoubAIFYhV5K+om6GnegYRXL6KrIu+S75gq0hWq9
UKZHSLYO17NlXp5ycUZyJ8AxuZK2WkgXpSZRyDa3/+yYXNtU1UoIIt7wiN0Jc3pL
81PHYvevKZTbaZEjqAPskhHkCR59vZlcqNGs2LNmlmxI87ACpMRG3faA5q+HXuPF
nhiu74ydCdqngtv6QBOChFO70m6EY0kaUwU7si85vmSDMYIJxn+/iJl/g9zejHVl
Rofhxo/IihgJwJR3QhA2H/b6Uku69J5Q9kE4b/cEG1oSJPdFTXxh/BL+HG+YZVGk
1aFKIIeM0Hrl0PmlIqMJQiJrfGk0j90pBaYX+2fH3fk6I/BCg/Fwq502WjePJZA+
okz03xUX5M4=
=mxFS
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
