-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update
Advisory ID:       RHSA-2022:6429-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6429
Issue date:        2022-09-13
CVE Names:         CVE-2018-25032 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751
                   CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603
                   CVE-2019-20838 CVE-2020-8559 CVE-2020-13435 CVE-2020-14155
                   CVE-2020-15586 CVE-2020-16845 CVE-2020-24370 CVE-2020-28493
                   CVE-2020-28500 CVE-2021-3580 CVE-2021-3634 CVE-2021-3737
                   CVE-2021-4189 CVE-2021-20095 CVE-2021-20231 CVE-2021-20232
                   CVE-2021-23177 CVE-2021-23337 CVE-2021-25219 CVE-2021-31566
                   CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087
                   CVE-2021-40528 CVE-2021-42771 CVE-2022-0512 CVE-2022-0639
                   CVE-2022-0686 CVE-2022-0691 CVE-2022-1271 CVE-2022-1292
                   CVE-2022-1586 CVE-2022-1650 CVE-2022-1785 CVE-2022-1897
                   CVE-2022-1927 CVE-2022-2068 CVE-2022-2097 CVE-2022-2526
                   CVE-2022-24407 CVE-2022-25313 CVE-2022-25314 CVE-2022-29154
                   CVE-2022-29824 CVE-2022-30629 CVE-2022-30631 CVE-2022-32206
                   CVE-2022-32208
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.4 is now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
Security Fix(es):

* nodejs-url-parse: authorization bypass through user-controlled key (CVE-2022-0512)
* npm-url-parse: Authorization bypass through user-controlled key (CVE-2022-0686)
* npm-url-parse: authorization bypass through user-controlled key (CVE-2022-0691)
* eventsource: Exposure of Sensitive Information (CVE-2022-1650)
* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500)
* nodejs-lodash: command injection via template (CVE-2021-23337)
* npm-url-parse: Authorization Bypass Through User-Controlled Key (CVE-2022-0639)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key
2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key
2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-8559
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2020-28493
https://access.redhat.com/security/cve/CVE-2020-28500
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-20095
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-23337
https://access.redhat.com/security/cve/CVE-2021-25219
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2021-42771
https://access.redhat.com/security/cve/CVE-2022-0512
https://access.redhat.com/security/cve/CVE-2022-0639
https://access.redhat.com/security/cve/CVE-2022-0686
https://access.redhat.com/security/cve/CVE-2022-0691
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1650
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYyAtcdzjgjWX9erEAQgJhg/5AV9WJmzuYMrSepeTb/4U1ByaKOyTBDFD
6tP0664gSve8r4jyUSPH7jLh3ucnr5oixoGRaYIv1velZBjwShKkNx0xYZJLJFr7
ePL+JiiE6MeqkWWD6X+wC4dgfaplvKxqt+bEVPm9F3wUB96rIFwyrJ4IscW1rbFP
MePUesukKWoxAqQhNOUT2AvaOxHKzSlvmHG2vKt99olmosxYMWwUwZuN89kIYv75
GkkOUjL11GtuOnbeppwgPkzC2Z5cdgQRb7J15msVyFiC/wjaJHzkBFvUt+JUdJI1
OQ3VYHd5+m2c3Y7nC46WAhATCoubAIFYhV5K+om6GnegYRXL6KrIu+S75gq0hWq9
UKZHSLYO17NlXp5ycUZyJ8AxuZK2WkgXpSZRyDa3/+yYXNtU1UoIIt7wiN0Jc3pL
81PHYvevKZTbaZEjqAPskhHkCR59vZlcqNGs2LNmlmxI87ACpMRG3faA5q+HXuPF
nhiu74ydCdqngtv6QBOChFO70m6EY0kaUwU7si85vmSDMYIJxn+/iJl/g9zejHVl
Rofhxo/IihgJwJR3QhA2H/b6Uku69J5Q9kE4b/cEG1oSJPdFTXxh/BL+HG+YZVGk
1aFKIIeM0Hrl0PmlIqMJQiJrfGk0j90pBaYX+2fH3fk6I/BCg/Fwq502WjePJZA+
okz03xUX5M4=
=mxFS
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
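The advisory's CVE Names header declares many more CVEs than the eight entries itemized under Security Fix(es); for the rest, the only detail on the page is the CVE link in References, and a practitioner triaging this update has to pull the affected component from those pages. The following parser for the RHSA text format is an added example written for this page, not Red Hat tooling: it extracts the header fields, the Security Fix(es) and Bugs fixed lists and the References, then cross-checks them (every itemized fix and Bugzilla entry is declared in the header, the two lists agree, every declared CVE has a reference link) and reports the declared-but-not-itemized remainder. The sample input is a constructed, abridged excerpt of this advisory with its line breaks restored; the section titles and field labels it keys on are the ones visible above.

```python
"""Parse an RHSA mail into fields and cross-check its CVE lists (added example)."""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
FIELD_RE = re.compile(r"^(Synopsis|Advisory ID|Product|Advisory URL|Issue date):\s*(.+?)\s*$", re.M)
SECTION_RE = re.compile(r"^\d+\.[ \t]+([A-Za-z][A-Za-z ]*?)[ \t]*[:(][^\n]*$", re.M)
FIX_RE = re.compile(r"^\*\s+(.*?)\s+\((CVE-\d{4}-\d{4,})\)\s*$", re.M)
BUG_RE = re.compile(r"^(\d{6,})\s+-\s+(CVE-\d{4}-\d{4,})\s+(.*?)\s*$", re.M)

# Constructed sample: an abridged excerpt of RHSA-2022:6429 with line breaks
# restored; CVE Names is cut to six entries, Security Fix(es) and Bugs fixed to four.
SAMPLE = """\
Synopsis:          Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update
Advisory ID:       RHSA-2022:6429-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6429
Issue date:        2022-09-13
CVE Names:         CVE-2018-25032 CVE-2020-28500 CVE-2021-23337 CVE-2022-0512
                   CVE-2022-30631 CVE-2022-32206

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.4 is now available.
Red Hat Product Security has rated this update as having a security impact
of Important.

2. Description:

Security Fix(es):

* nodejs-url-parse: authorization bypass through user-controlled key (CVE-2022-0512)
* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500)
* nodejs-lodash: command injection via template (CVE-2021-23337)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

4. Bugs fixed (https://bugzilla.redhat.com/):

1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2020-28500
https://access.redhat.com/security/cve/CVE-2021-23337
https://access.redhat.com/security/cve/CVE-2022-0512
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/updates/classification/#important
"""


@dataclass
class Advisory:
    fields: dict       # Synopsis, Advisory ID, Product, Advisory URL, Issue date
    severity: str      # "security impact of <X>" from the Summary section
    header_cves: list  # the CVE Names block, document order, deduplicated
    fixes: dict = field(default_factory=dict)  # CVE -> Security Fix(es) text
    bugs: dict = field(default_factory=dict)   # Bugzilla id -> (CVE, title)
    reference_cves: set = field(default_factory=set)


def split_sections(text):
    """Map 'header' and each numbered 'N. Title:' section to its body text."""
    sections, title, start = {}, "header", 0
    for m in SECTION_RE.finditer(text):
        sections[title] = text[start:m.start()]
        title, start = m.group(1).strip(), m.end()
    sections[title] = text[start:]
    return sections


def parse_rhsa(text):
    sec = split_sections(text)
    sev = re.search(r"security impact\s+of\s+(\w+)", sec.get("Summary", ""))
    adv = Advisory(fields=dict(FIELD_RE.findall(sec["header"])),
                   severity=sev.group(1) if sev else "",
                   header_cves=list(dict.fromkeys(CVE_RE.findall(sec["header"]))))
    for desc, cve in FIX_RE.findall(sec.get("Description", "")):
        adv.fixes[cve] = desc
    for bug_id, cve, title in BUG_RE.findall(sec.get("Bugs fixed", "")):
        adv.bugs[bug_id] = (cve, title)
    adv.reference_cves = set(CVE_RE.findall(sec.get("References", "")))
    return adv


def check_consistency(adv):
    """Cross-check the advisory's own lists; each value is a sorted CVE list."""
    header, fixed = set(adv.header_cves), set(adv.fixes)
    bug_cves = {cve for cve, _ in adv.bugs.values()}
    return {
        "fix_not_in_header": sorted(fixed - header),   # itemized but never declared
        "bug_not_in_header": sorted(bug_cves - header),
        "fix_without_bug": sorted(fixed - bug_cves),   # the two lists should agree
        "bug_without_fix": sorted(bug_cves - fixed),
        "header_without_reference": sorted(header - adv.reference_cves),
        "not_itemized": sorted(header - fixed),        # declared, no Security Fix(es) entry
    }
```

Run `check_consistency(parse_rhsa(text))` on the full advisory text and every list except `not_itemized` should come back empty; anything in `not_itemized` is a CVE the update ships a fix for without describing it here, so its component and impact have to be read from the linked CVE page before deciding how urgent the upgrade is for a given deployment.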