Home / mailings [RHSA-2023:2107-01] Moderate: Migration Toolkit for Containers (MTC) 1.7.9 security and bug fix update
Posted on 04 May 2023
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.7.9 security and bug fix update
Advisory ID: RHSA-2023:2107-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2107
Issue date: 2023-05-04
CVE Names: CVE-2022-4304 CVE-2022-4450 CVE-2022-41724
CVE-2022-41725 CVE-2023-0215 CVE-2023-0286
CVE-2023-0361 CVE-2023-23916 CVE-2023-25173
CVE-2023-28617
=====================================================================
1. Summary:
The Migration Toolkit for Containers (MTC) 1.7.9 is now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.
Security Fix(es) from Bugzilla:
* golang: crypto/tls: large handshake records may cause panics
(CVE-2022-41724)
* golang: net/http, mime/multipart: denial of service from excessive
resource consumption (CVE-2022-41725)
* containerd: Supplementary groups are not set up properly (CVE-2023-25173)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
5. References:
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-28617
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
