Synopsis
Important: Migration Toolkit for Applications security and bug fix update
Type/Severity
Security Advisory: Important
Topic
Migration Toolkit for Applications 6.1.0 release
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Migration Toolkit for Applications 6.1.0 Images
Security Fix(es):
- keycloak: path traversal via double URL encoding (CVE-2022-3782)
- spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client (CVE-2022-31690)
- xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
- Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Migration Toolkit for Applications 6 x86_64
Fixes
- BZ - 2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
- BZ - 2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
- BZ - 2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client
- BZ - 2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
- MTA-118 - Automated tagging of resources with Windup
- MTA-279 - All types of Source analysis are failing in MTA 6.1.0
- MTA-311 - MTA operator fails to reconcile on a clean (non-upgrade) install
- MTA-314 - PVCs may not provision if storageClassName is not set
- MTA-123 - MTA crashes cluster nodes when running bulk binary analysis due to requests and limits not being configurable
- MTA-129 - User field in Manage Import is empty
- MTA-160 - [Upstream] Maven Repositories "No QueryClient set, use QueryClientProvider to set one"
- MTA-204 - Every HTTP request made to tagtypes returns HTTP Status 404
- MTA-256 - Update application import template
- MTA-260 - [Regression] Application import through OOTB import template fails
- MTA-261 - [Regression] UI incorrectly reports target applications have in-progress/complete assessment
- MTA-263 - [Regression] Discard assessment option present even when assessment is not complete
- MTA-267 - Analysis EAP targets should include eap8
- MTA-268 - RFE: Automated Tagging details to add on Review analysis details page
- MTA-28 - Success Alert is not displayed when subsequent analyses are submitted
- MTA-282 - Discarding review results in 404 error
- MTA-283 - Sorting broken on Application inventory page
- MTA-284 - HTML reports download with no files in reports and stats folders
- MTA-29 - Asterisk on Description while creating credentials should be removed
- MTA-297 - [Custom migration targets] Cannot upload JPG file as an icon
- MTA-298 - [Custom migration targets] Unclear error when uploading image greater than 1 MB in size
- MTA-299 - [RFE][Custom migration targets] Assign an icon: Add image max size in the note under the image name
- MTA-300 - [Custom rules] Cannot upload more than one rules file
- MTA-303 - [UI][Custom migration targets] The word "Please" should be removed from the error message about existing custom target name
- MTA-304 - [Custom rules] Failed analysis when retrieving custom rules files from a repository
- MTA-306 - MTA allows the uploading of multiple binaries for analysis
- MTA-330 - With auth disabled, 'username' seen in the persona dropdown
- MTA-332 - Tagging: Few Tags are highlighted with color
- MTA-34 - Cannot filter by Business Service when copying assessments
- MTA-345 - [Custom migration targets] Error message "imageID must be defined" is displayed when uploading image
- MTA-35 - Only the first notification is displayed when discarding multiple copied assessments
- MTA-350 - Maven Central links from the dependencies tab in reports seem to be broken
- MTA-351 - AspectJ is not identified as an Open Source Library
- MTA-356 - The inventory view has to be refreshed for the tags that were assigned by an analysis to appear
- MTA-363 - [UI][Custom migration targets] "Repository type" field name is missing
- MTA-364 - [Custom migration targets] Unknown image file when editing a custom migration target
- MTA-366 - Tagging: For no tags attached "filter by" can be improved
- MTA-367 - [Custom migration targets] Cannot use a custom migration target in analysis
- MTA-369 - Custom migration targets: HTML elements are duplicated
- MTA-375 - Run button does not execute the analysis
- MTA-377 - [UI][Custom rules] Custom rules screen of the analysis configuration wizard is always marked as required
- MTA-378 - [UI][Custom rules] Info message on the Custom rules screen is not updated
- MTA-38 - Only the first notification is displayed when multiple files are imported
- MTA-381 - Custom Rules: Error alert is displayed when trying to update added rules
- MTA-382 - Custom Rules: Sometimes able to upload duplicate rules files
- MTA-388 - CSV reports download empty when enabling the option after an analysis
- MTA-389 - [Custom rules in Analysis] Failed analysis when retrieving custom rules files from a private repository
- MTA-391 - [Custom rules in Analysis] Targets from uploaded rules file are not removed once the file is removed
- MTA-392 - Unable to see all custom migration targets when using a vertical monitor
- MTA-41 - [UI] Failed to refresh token if Keycloak feature "Use Refresh Tokens" is off
- MTA-412 - Display alert message before reviewing an already reviewed application
- MTA-428 - [Custom Rules] MTA analysis custom rules conflict message
- MTA-430 - Analysis wizard: Next button should be enabled only after at least one target is selected
- MTA-438 - Tagging: Retrieving tags needs a loading indicator
- MTA-439 - [Regression][Custom rules] Failed to run analysis with custom rules from a repository
- MTA-443 - Custom rules: Add button can be disabled until duplicate rule file is removed
- MTA-50 - RFE: Replace the MTA acronym in the title with "Migration Toolkit for Applications"
- MTA-51 - RFE: Modify the title "Select the list of packages to be analyzed manually"
- MTA-52 - [RFE] Change "Not associated artifact" to "No associated artifact"
- MTA-55 - Can't choose a custom rule via a file explorer (macOS Finder) in Tackle 2.0
- MTA-99 - Unable to use root path during checking for Maven dependencies
- MTA-78 - CVE-2022-46364 org.keycloak-keycloak-parent: Apache CXF: SSRF Vulnerability [mta-6.0]