exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-6429-01

Red Hat Security Advisory 2022-6429-01
Posted Sep 13, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-6429-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include bypass, code execution, and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability, code execution
systems | linux, redhat
advisories | CVE-2018-25032, CVE-2019-13750, CVE-2019-13751, CVE-2019-17594, CVE-2019-17595, CVE-2019-18218, CVE-2019-19603, CVE-2019-20838, CVE-2019-5827, CVE-2020-13435, CVE-2020-14155, CVE-2020-15586, CVE-2020-16845, CVE-2020-24370
SHA-256 | 97d00be8290b2a65989161b47f8aa4313ba4132452bc72e5a92601cc91b50aa6

Red Hat Security Advisory 2022-6429-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update
Advisory ID: RHSA-2022:6429-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6429
Issue date: 2022-09-13
CVE Names: CVE-2018-25032 CVE-2019-5827 CVE-2019-13750
CVE-2019-13751 CVE-2019-17594 CVE-2019-17595
CVE-2019-18218 CVE-2019-19603 CVE-2019-20838
CVE-2020-8559 CVE-2020-13435 CVE-2020-14155
CVE-2020-15586 CVE-2020-16845 CVE-2020-24370
CVE-2020-28493 CVE-2020-28500 CVE-2021-3580
CVE-2021-3634 CVE-2021-3737 CVE-2021-4189
CVE-2021-20095 CVE-2021-20231 CVE-2021-20232
CVE-2021-23177 CVE-2021-23337 CVE-2021-25219
CVE-2021-31566 CVE-2021-36084 CVE-2021-36085
CVE-2021-36086 CVE-2021-36087 CVE-2021-40528
CVE-2021-42771 CVE-2022-0512 CVE-2022-0639
CVE-2022-0686 CVE-2022-0691 CVE-2022-1271
CVE-2022-1292 CVE-2022-1586 CVE-2022-1650
CVE-2022-1785 CVE-2022-1897 CVE-2022-1927
CVE-2022-2068 CVE-2022-2097 CVE-2022-2526
CVE-2022-24407 CVE-2022-25313 CVE-2022-25314
CVE-2022-29154 CVE-2022-29824 CVE-2022-30629
CVE-2022-30631 CVE-2022-32206 CVE-2022-32208
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.4 is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es):

* nodejs-url-parse: authorization bypass through user-controlled key
(CVE-2022-0512)

* npm-url-parse: Authorization bypass through user-controlled key
(CVE-2022-0686)

* npm-url-parse: authorization bypass through user-controlled key
(CVE-2022-0691)

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)

* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)

* nodejs-lodash: command injection via template (CVE-2021-23337)

* npm-url-parse: Authorization Bypass Through User-Controlled Key
(CVE-2022-0639)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key
2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key
2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key
2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-8559
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2020-28493
https://access.redhat.com/security/cve/CVE-2020-28500
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-20095
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-23337
https://access.redhat.com/security/cve/CVE-2021-25219
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2021-42771
https://access.redhat.com/security/cve/CVE-2022-0512
https://access.redhat.com/security/cve/CVE-2022-0639
https://access.redhat.com/security/cve/CVE-2022-0686
https://access.redhat.com/security/cve/CVE-2022-0691
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1650
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYyAtcdzjgjWX9erEAQgJhg/5AV9WJmzuYMrSepeTb/4U1ByaKOyTBDFD
6tP0664gSve8r4jyUSPH7jLh3ucnr5oixoGRaYIv1velZBjwShKkNx0xYZJLJFr7
ePL+JiiE6MeqkWWD6X+wC4dgfaplvKxqt+bEVPm9F3wUB96rIFwyrJ4IscW1rbFP
MePUesukKWoxAqQhNOUT2AvaOxHKzSlvmHG2vKt99olmosxYMWwUwZuN89kIYv75
GkkOUjL11GtuOnbeppwgPkzC2Z5cdgQRb7J15msVyFiC/wjaJHzkBFvUt+JUdJI1
OQ3VYHd5+m2c3Y7nC46WAhATCoubAIFYhV5K+om6GnegYRXL6KrIu+S75gq0hWq9
UKZHSLYO17NlXp5ycUZyJ8AxuZK2WkgXpSZRyDa3/+yYXNtU1UoIIt7wiN0Jc3pL
81PHYvevKZTbaZEjqAPskhHkCR59vZlcqNGs2LNmlmxI87ACpMRG3faA5q+HXuPF
nhiu74ydCdqngtv6QBOChFO70m6EY0kaUwU7si85vmSDMYIJxn+/iJl/g9zejHVl
Rofhxo/IihgJwJR3QhA2H/b6Uku69J5Q9kE4b/cEG1oSJPdFTXxh/BL+HG+YZVGk
1aFKIIeM0Hrl0PmlIqMJQiJrfGk0j90pBaYX+2fH3fk6I/BCg/Fwq502WjePJZA+
okz03xUX5M4=
=mxFS
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close