RedHat: RHSA-2022-5483:01 Moderate: Migration Toolkit for Containers (MTC)
Summary
The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.
Security Fix(es) from Bugzilla:
* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)
* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)
* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Summary
Solution
For details on how to install and use MTC, refer to:
https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html
References
https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2020-0404 https://access.redhat.com/security/cve/CVE-2020-4788 https://access.redhat.com/security/cve/CVE-2020-13974 https://access.redhat.com/security/cve/CVE-2020-19131 https://access.redhat.com/security/cve/CVE-2020-27820 https://access.redhat.com/security/cve/CVE-2020-35492 https://access.redhat.com/security/cve/CVE-2021-0941 https://access.redhat.com/security/cve/CVE-2021-3612 https://access.redhat.com/security/cve/CVE-2021-3634 https://access.redhat.com/security/cve/CVE-2021-3669 https://access.redhat.com/security/cve/CVE-2021-3737 https://access.redhat.com/security/cve/CVE-2021-3743 https://access.redhat.com/security/cve/CVE-2021-3744 https://access.redhat.com/security/cve/CVE-2021-3752 https://access.redhat.com/security/cve/CVE-2021-3759 https://access.redhat.com/security/cve/CVE-2021-3764 https://access.redhat.com/security/cve/CVE-2021-3772 https://access.redhat.com/security/cve/CVE-2021-3773 https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-4002 https://access.redhat.com/security/cve/CVE-2021-4037 https://access.redhat.com/security/cve/CVE-2021-4083 https://access.redhat.com/security/cve/CVE-2021-4157 https://access.redhat.com/security/cve/CVE-2021-4189 https://access.redhat.com/security/cve/CVE-2021-4197 https://access.redhat.com/security/cve/CVE-2021-4203 https://access.redhat.com/security/cve/CVE-2021-20322 https://access.redhat.com/security/cve/CVE-2021-21781 https://access.redhat.com/security/cve/CVE-2021-26401 https://access.redhat.com/security/cve/CVE-2021-29154 https://access.redhat.com/security/cve/CVE-2021-37159 https://access.redhat.com/security/cve/CVE-2021-41617 https://access.redhat.com/security/cve/CVE-2021-41864 https://access.redhat.com/security/cve/CVE-2021-42739 https://access.redhat.com/security/cve/CVE-2021-43056 https://access.redhat.com/security/cve/CVE-2021-43389 https://access.redhat.com/security/cve/CVE-2021-43976 https://access.redhat.com/security/cve/CVE-2021-44733 https://access.redhat.com/security/cve/CVE-2021-45485 https://access.redhat.com/security/cve/CVE-2021-45486 https://access.redhat.com/security/cve/CVE-2022-0001 https://access.redhat.com/security/cve/CVE-2022-0002 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-0286 https://access.redhat.com/security/cve/CVE-2022-0322 https://access.redhat.com/security/cve/CVE-2022-0536 https://access.redhat.com/security/cve/CVE-2022-1011 https://access.redhat.com/security/cve/CVE-2022-1154 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-23852 https://access.redhat.com/security/cve/CVE-2022-26691 https://access.redhat.com/security/updates/classification/#moderate
Package List
Topic
The Migration Toolkit for Containers (MTC) 1.7.2 is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2038898 - [UI] ?Update Repository? option not getting disabled after adding the Replication Repository details to the MTC web console
2040693 - ?Replication repository? wizard has no validation for name length
2040695 - [MTC UI] ?Add Cluster? wizard stucks when the cluster name length is more than 63 characters2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2048537 - Exposed route host to image registry? connecting successfully to invalid registry ?xyz.com?
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2055658 - [MTC UI] Cancel button on ?Migrations? page does not disappear when migration gets Failed/Succeeded with warnings
2056962 - [MTC UI] UI shows the wrong migration type info after changing the target namespace
2058172 - [MTC UI] Successful Rollback is not showing the green success icon in the ?Last State? field.
2058529 - [MTC UI] Migrations Plan is missing the type for the state migration performed before upgrade
2061335 - [MTC UI] ?Update cluster? button is not getting disabled
2062266 - MTC UI does not display logs properly [OADP-BL]
2062862 - [MTC UI] Clusters page behaving unexpectedly on deleting the remote cluster?s service account secret from backend
2074675 - HPAs of DeploymentConfigs are not being updated when migration from Openshift 3.x to Openshift 4.x
2076593 - Velero pod log missing from UI drop down
2076599 - Velero pod log missing from downloaded logs folder [OADP-BL]
2078459 - [MTC UI] Storageclass conversion plan is adding migstorage reference in migplan
2079252 - [MTC] Rsync options logs not visible in log-reader pod
2082221 - Don't allow Storage class conversion migration if source cluster has only one storage class defined [UI]
2082225 - non-numeric user when launching stage pods [OADP-BL]
2088022 - Default CPU requests on Velero/Restic are too demanding making scheduling fail in certain environments
2088026 - Cloud propagation phase in migration controller is not doing anything due to missing labels on Velero pods
2089126 - [MTC] Migration controller cannot find Velero Pod because of wrong labels
2089411 - [MTC] Log reader pod is missing velero and restic pod logs [OADP-BL]
2089859 - [Crane] DPA CR is missing the required flag - Migration is getting failed at the EnsureCloudSecretPropagated phase due to the missing secret VolumeMounts
2090317 - [MTC] mig-operator failed to create a DPA CR due to null values are passed instead of int [OADP-BL]
2096939 - Fix legacy operator.yml inconsistencies and errors2100486 - [MTC UI] Target storage class field is not getting respected when clusters don't have replication repo configured.