Home / mailings [RHSA-2022:6429-01] Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update
Posted on 13 September 2022
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update
Advisory ID: RHSA-2022:6429-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6429
Issue date: 2022-09-13
CVE Names: CVE-2018-25032 CVE-2019-5827 CVE-2019-13750
CVE-2019-13751 CVE-2019-17594 CVE-2019-17595
CVE-2019-18218 CVE-2019-19603 CVE-2019-20838
CVE-2020-8559 CVE-2020-13435 CVE-2020-14155
CVE-2020-15586 CVE-2020-16845 CVE-2020-24370
CVE-2020-28493 CVE-2020-28500 CVE-2021-3580
CVE-2021-3634 CVE-2021-3737 CVE-2021-4189
CVE-2021-20095 CVE-2021-20231 CVE-2021-20232
CVE-2021-23177 CVE-2021-23337 CVE-2021-25219
CVE-2021-31566 CVE-2021-36084 CVE-2021-36085
CVE-2021-36086 CVE-2021-36087 CVE-2021-40528
CVE-2021-42771 CVE-2022-0512 CVE-2022-0639
CVE-2022-0686 CVE-2022-0691 CVE-2022-1271
CVE-2022-1292 CVE-2022-1586 CVE-2022-1650
CVE-2022-1785 CVE-2022-1897 CVE-2022-1927
CVE-2022-2068 CVE-2022-2097 CVE-2022-2526
CVE-2022-24407 CVE-2022-25313 CVE-2022-25314
CVE-2022-29154 CVE-2022-29824 CVE-2022-30629
CVE-2022-30631 CVE-2022-32206 CVE-2022-32208
=====================================================================
1. Summary:
The Migration Toolkit for Containers (MTC) 1.7.4 is now available.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.
Security Fix(es):
* nodejs-url-parse: authorization bypass through user-controlled key
(CVE-2022-0512)
* npm-url-parse: Authorization bypass through user-controlled key
(CVE-2022-0686)
* npm-url-parse: authorization bypass through user-controlled key
(CVE-2022-0691)
* eventsource: Exposure of Sensitive Information (CVE-2022-1650)
* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)
* nodejs-lodash: command injection via template (CVE-2021-23337)
* npm-url-parse: Authorization Bypass Through User-Controlled Key
(CVE-2022-0639)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For details on how to install and use MTC, refer to:
https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key
2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key
2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
5. References:
https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-8559
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2020-28493
https://access.redhat.com/security/cve/CVE-2020-28500
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-20095
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-23337
https://access.redhat.com/security/cve/CVE-2021-25219
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2021-42771
https://access.redhat.com/security/cve/CVE-2022-0512
https://access.redhat.com/security/cve/CVE-2022-0639
https://access.redhat.com/security/cve/CVE-2022-0686
https://access.redhat.com/security/cve/CVE-2022-0691
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1650
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.