Moderate: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update

Topic

The Migration Toolkit for Containers (MTC) 1.7.6 is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

• golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
• golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
• golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
• golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
• golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
• golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
• golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
• golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
• golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

Affected Products

• Red Hat Migration Toolkit 1 for RHEL 8 x86_64

Fixes

• BZ - 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
• BZ - 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
• BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
• BZ - 2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
• BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
• BZ - 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
• BZ - 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
• BZ - 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
• BZ - 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
• BZ - 2132957 - Migration fails at UnQuiesceDestApplications step in OCP 4.12
• BZ - 2137304 - Location for host cluster is missing in the UI
• BZ - 2140208 - When editing a MigHook in the UI, the page may fail to reload
• BZ - 2143628 - Unable to create Storage Class Conversion plan due to missing cronjob error in OCP 4.12
• BZ - 2143872 - Namespaces page in web console stuck in loading phase
• BZ - 2149920 - Migration fails at prebackupHooks step
• MIG-1240 - Implement proposed changes for DVM support with PSAs in 4.12

CVEs

• CVE-2016-3709
• CVE-2020-28851
• CVE-2020-28852
• CVE-2020-35525
• CVE-2020-35527
• CVE-2022-0561
• CVE-2022-0562
• CVE-2022-0865
• CVE-2022-0891
• CVE-2022-0908
• CVE-2022-0909
• CVE-2022-0924
• CVE-2022-1122
• CVE-2022-1304
• CVE-2022-1355
• CVE-2022-1705
• CVE-2022-1962
• CVE-2022-2509
• CVE-2022-3515
• CVE-2022-22624
• CVE-2022-22628
• CVE-2022-22629
• CVE-2022-22662
• CVE-2022-22844
• CVE-2022-25308
• CVE-2022-25309
• CVE-2022-25310
• CVE-2022-26700
• CVE-2022-26709
• CVE-2022-26710
• CVE-2022-26716
• CVE-2022-26717
• CVE-2022-26719
• CVE-2022-27404
• CVE-2022-27405
• CVE-2022-27406
• CVE-2022-27664
• CVE-2022-28131
• CVE-2022-30293
• CVE-2022-30629
• CVE-2022-30630
• CVE-2022-30632
• CVE-2022-30633
• CVE-2022-30635
• CVE-2022-32148
• CVE-2022-32189
• CVE-2022-37434
• CVE-2022-42898

References

• https://access.redhat.com/security/updates/classification/#moderate