-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Applications security and bug fix update
Advisory ID:       RHSA-2023:0934-01
Product:           MTA
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0934
Issue date:        2023-02-28
CVE Names:         CVE-2020-36567 CVE-2021-35065 CVE-2021-46848 
                   CVE-2022-1304 CVE-2022-2056 CVE-2022-2057 
                   CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 
                   CVE-2022-2521 CVE-2022-2601 CVE-2022-2867 
                   CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 
                   CVE-2022-3775 CVE-2022-3787 CVE-2022-22624 
                   CVE-2022-22628 CVE-2022-22629 CVE-2022-22662 
                   CVE-2022-23521 CVE-2022-24999 CVE-2022-25308 
                   CVE-2022-25309 CVE-2022-25310 CVE-2022-26700 
                   CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 
                   CVE-2022-26717 CVE-2022-26719 CVE-2022-27404 
                   CVE-2022-27405 CVE-2022-27406 CVE-2022-30293 
                   CVE-2022-35737 CVE-2022-37601 CVE-2022-37603 
                   CVE-2022-40303 CVE-2022-40304 CVE-2022-41717 
                   CVE-2022-41903 CVE-2022-42010 CVE-2022-42011 
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-42920 
                   CVE-2022-43680 CVE-2022-46175 CVE-2022-47629 
                   CVE-2023-21830 CVE-2023-21835 CVE-2023-21843 
====================================================================
1. Summary:

Migration Toolkit for Applications 6.0.1 release

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Applications 6.0.1 Images

Security Fix(es) from Bugzilla:

* loader-utils: prototype pollution in function parseQuery in parseQuery.js
(CVE-2022-37601)

* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds
writing (CVE-2022-42920)

* gin: Unsanitized input in the default logger in github.com/gin-gonic/gin
(CVE-2020-36567)

* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

* express: "qs" prototype poisoning causes the hang of the node process
(CVE-2022-24999)

* loader-utils:Regular expression denial of service (CVE-2022-37603)

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
2156683 - CVE-2020-36567 gin: Unsanitized input in the default logger in github.com/gin-gonic/gin
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.redhat.com/):

MTA-103 - MTA 6.0.1 Installation failed with CrashLoop Error for UI Pod
MTA-106 - Implement ability for windup addon image pull policy to be configurable
MTA-122 - MTA is upgrading automatically ignoring 'Manual' setting
MTA-123 - MTA Becomes unusable when running bulk binary analysis
MTA-127 - After upgrading MTA operator from 6.0.0 to 6.0.1 and running analysis , task pods starts failing 
MTA-131 - Analysis stops working after MTA upgrade from 6.0.0 to 6.0.1
MTA-36 - Can't disable a proxy if it has an invalid configuration
MTA-44 - Make RWX volumes optional.
MTA-49 - Uploaded a local binary when return back to the page the UI should show green bar and correct %
MTA-59 - Getting error 401 if deleting many credentials quickly
MTA-65 - Set windup addon image pull policy to be controlled by the global image_pull_policy parameter
MTA-72 - CVE-2022-46175 mta-ui-container: json5: Prototype Pollution in JSON5 via Parse Method [mta-6]
MTA-73 - CVE-2022-37601 mta-ui-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js [mta-6]
MTA-74 - CVE-2020-36567 mta-windup-addon-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]
MTA-76 - CVE-2022-37603 mta-ui-container: loader-utils:Regular expression denial of service [mta-6]
MTA-77 - CVE-2020-36567 mta-hub-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]
MTA-80 - CVE-2021-35065 mta-ui-container: glob-parent: Regular Expression Denial of Service [mta-6]
MTA-82 - CVE-2022-42920 org.jboss.windup-windup-cli-parent: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [mta-6.0]
MTA-85 - CVE-2022-24999 mta-ui-container: express: "qs" prototype poisoning causes the hang of the node process [mta-6]
MTA-88 - CVE-2020-36567 mta-admin-addon-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]
MTA-92 - CVE-2022-42920 org.jboss.windup.plugin-windup-maven-plugin-parent: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [mta-6.0]
MTA-96 - [UI] Maven -> "Local artifact repository" textbox can be checked and has no tooltip

6. References:

https://access.redhat.com/security/cve/CVE-2020-36567
https://access.redhat.com/security/cve/CVE-2021-35065
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-2056
https://access.redhat.com/security/cve/CVE-2022-2057
https://access.redhat.com/security/cve/CVE-2022-2058
https://access.redhat.com/security/cve/CVE-2022-2519
https://access.redhat.com/security/cve/CVE-2022-2520
https://access.redhat.com/security/cve/CVE-2022-2521
https://access.redhat.com/security/cve/CVE-2022-2601
https://access.redhat.com/security/cve/CVE-2022-2867
https://access.redhat.com/security/cve/CVE-2022-2868
https://access.redhat.com/security/cve/CVE-2022-2869
https://access.redhat.com/security/cve/CVE-2022-2953
https://access.redhat.com/security/cve/CVE-2022-3775
https://access.redhat.com/security/cve/CVE-2022-3787
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-23521
https://access.redhat.com/security/cve/CVE-2022-24999
https://access.redhat.com/security/cve/CVE-2022-25308
https://access.redhat.com/security/cve/CVE-2022-25309
https://access.redhat.com/security/cve/CVE-2022-25310
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27404
https://access.redhat.com/security/cve/CVE-2022-27405
https://access.redhat.com/security/cve/CVE-2022-27406
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-37601
https://access.redhat.com/security/cve/CVE-2022-37603
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-41903
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/cve/CVE-2022-46175
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/cve/CVE-2023-21830
https://access.redhat.com/security/cve/CVE-2023-21835
https://access.redhat.com/security/cve/CVE-2023-21843
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY/2fI9zjgjWX9erEAQi95g/+J/GJuq0h20LeQj1ck1lJd4Rvdl20lMlt
dLok0pPGhbrIG3eaynH2p32UJDIlw3ciWFSdmrsLOtGg/BVY+4cLJuf+lH5g5ko9
LNglAsMGlB6ExdEQ+npuPY8i/0uLWFNdg3ti5Jy880qUTaSP0IL44Qe3nwlUXaFJ
JHwr9rW2uiN69/Pl30S21P+T6JiKStCkMK2psip0Der5Su0YXeSXC2XjEbs3wkwv
27eaOuUdZvArZd49BIqbW8XtK9XGs1YXolBHkGRhEfdXyEVT1KN8FJH5o3aAqCAL
rX4jjKepaUlGv/ka4Tw4WCVp4bh4VauCBYhGAz0GiXpoqKOrwGhHqpbRVhGluuOo
jD35otvCwhVaTqci7j1xb/ok4QIm7jzSCnM/39LoZCSyWE/u3uzri0QmaFy1743f
RpdTUs2u71Ad8IUHCuAFBtLKFyt8GSkj7Pv4vtXoh65DUL4GmD2ejrZ1D33DqqMA
6wNqPWadKNSSR+lHjQ2HzwjnDYW6i/nEtz9Aw3NYc3RaTGQkJQGYcvKFf5VZln9i
j5YnPZXP6G+xWX/W07N92Gv2uT0ixJlnclYsBs6KuonR+iN7fUW7nMK9g02A2Ab2
DTLNkiNAv4ScJD+6Oxq5cON0jvBrreO9X4XcU1seC0cm6en7GMC0/WAsv12tm+uz
bUPUtzqKuxI=oljW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-0934:01 Important: Migration Toolkit for Applications

Migration Toolkit for Applications 6.0.1 release Red Hat Product Security has rated this update as having a security impact of Important

Summary

Migration Toolkit for Applications 6.0.1 Images
Security Fix(es) from Bugzilla:
* loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* gin: Unsanitized input in the default logger in github.com/gin-gonic/gin (CVE-2020-36567)
* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999)
* loader-utils:Regular expression denial of service (CVE-2022-37603)
* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-36567 https://access.redhat.com/security/cve/CVE-2021-35065 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-2056 https://access.redhat.com/security/cve/CVE-2022-2057 https://access.redhat.com/security/cve/CVE-2022-2058 https://access.redhat.com/security/cve/CVE-2022-2519 https://access.redhat.com/security/cve/CVE-2022-2520 https://access.redhat.com/security/cve/CVE-2022-2521 https://access.redhat.com/security/cve/CVE-2022-2601 https://access.redhat.com/security/cve/CVE-2022-2867 https://access.redhat.com/security/cve/CVE-2022-2868 https://access.redhat.com/security/cve/CVE-2022-2869 https://access.redhat.com/security/cve/CVE-2022-2953 https://access.redhat.com/security/cve/CVE-2022-3775 https://access.redhat.com/security/cve/CVE-2022-3787 https://access.redhat.com/security/cve/CVE-2022-22624 https://access.redhat.com/security/cve/CVE-2022-22628 https://access.redhat.com/security/cve/CVE-2022-22629 https://access.redhat.com/security/cve/CVE-2022-22662 https://access.redhat.com/security/cve/CVE-2022-23521 https://access.redhat.com/security/cve/CVE-2022-24999 https://access.redhat.com/security/cve/CVE-2022-25308 https://access.redhat.com/security/cve/CVE-2022-25309 https://access.redhat.com/security/cve/CVE-2022-25310 https://access.redhat.com/security/cve/CVE-2022-26700 https://access.redhat.com/security/cve/CVE-2022-26709 https://access.redhat.com/security/cve/CVE-2022-26710 https://access.redhat.com/security/cve/CVE-2022-26716 https://access.redhat.com/security/cve/CVE-2022-26717 https://access.redhat.com/security/cve/CVE-2022-26719 https://access.redhat.com/security/cve/CVE-2022-27404 https://access.redhat.com/security/cve/CVE-2022-27405 https://access.redhat.com/security/cve/CVE-2022-27406 https://access.redhat.com/security/cve/CVE-2022-30293 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-37601 https://access.redhat.com/security/cve/CVE-2022-37603 https://access.redhat.com/security/cve/CVE-2022-40303 https://access.redhat.com/security/cve/CVE-2022-40304 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-41903 https://access.redhat.com/security/cve/CVE-2022-42010 https://access.redhat.com/security/cve/CVE-2022-42011 https://access.redhat.com/security/cve/CVE-2022-42012 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-42920 https://access.redhat.com/security/cve/CVE-2022-43680 https://access.redhat.com/security/cve/CVE-2022-46175 https://access.redhat.com/security/cve/CVE-2022-47629 https://access.redhat.com/security/cve/CVE-2023-21830 https://access.redhat.com/security/cve/CVE-2023-21835 https://access.redhat.com/security/cve/CVE-2023-21843 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2023:0934-01
Product: MTA
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0934
Issued Date: : 2023-02-28
CVE Names: CVE-2020-36567 CVE-2021-35065 CVE-2021-46848 CVE-2022-1304 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2601 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 CVE-2022-3775 CVE-2022-3787 CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 CVE-2022-22662 CVE-2022-23521 CVE-2022-24999 CVE-2022-25308 CVE-2022-25309 CVE-2022-25310 CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 CVE-2022-30293 CVE-2022-35737 CVE-2022-37601 CVE-2022-37603 CVE-2022-40303 CVE-2022-40304 CVE-2022-41717 CVE-2022-41903 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-42898 CVE-2022-42920 CVE-2022-43680 CVE-2022-46175 CVE-2022-47629 CVE-2023-21830 CVE-2023-21835 CVE-2023-21843

Topic

Migration Toolkit for Applications 6.0.1 releaseRed Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js

2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service

2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method

2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service

2156683 - CVE-2020-36567 gin: Unsanitized input in the default logger in github.com/gin-gonic/gin

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.redhat.com/):

MTA-103 - MTA 6.0.1 Installation failed with CrashLoop Error for UI Pod

MTA-106 - Implement ability for windup addon image pull policy to be configurable

MTA-122 - MTA is upgrading automatically ignoring 'Manual' setting

MTA-123 - MTA Becomes unusable when running bulk binary analysis

MTA-127 - After upgrading MTA operator from 6.0.0 to 6.0.1 and running analysis , task pods starts failing

MTA-131 - Analysis stops working after MTA upgrade from 6.0.0 to 6.0.1

MTA-36 - Can't disable a proxy if it has an invalid configuration

MTA-44 - Make RWX volumes optional.

MTA-49 - Uploaded a local binary when return back to the page the UI should show green bar and correct %

MTA-59 - Getting error 401 if deleting many credentials quickly

MTA-65 - Set windup addon image pull policy to be controlled by the global image_pull_policy parameter

MTA-72 - CVE-2022-46175 mta-ui-container: json5: Prototype Pollution in JSON5 via Parse Method [mta-6]

MTA-73 - CVE-2022-37601 mta-ui-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js [mta-6]

MTA-74 - CVE-2020-36567 mta-windup-addon-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]

MTA-76 - CVE-2022-37603 mta-ui-container: loader-utils:Regular expression denial of service [mta-6]

MTA-77 - CVE-2020-36567 mta-hub-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]

MTA-80 - CVE-2021-35065 mta-ui-container: glob-parent: Regular Expression Denial of Service [mta-6]

MTA-82 - CVE-2022-42920 org.jboss.windup-windup-cli-parent: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [mta-6.0]

MTA-85 - CVE-2022-24999 mta-ui-container: express: "qs" prototype poisoning causes the hang of the node process [mta-6]

MTA-88 - CVE-2020-36567 mta-admin-addon-container: gin: Unsanitized input in the default logger in github.com/gin-gonic/gin [mta-6]

MTA-92 - CVE-2022-42920 org.jboss.windup.plugin-windup-maven-plugin-parent: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [mta-6.0]

MTA-96 - [UI] Maven -> "Local artifact repository" textbox can be checked and has no tooltip


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved