-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.6.0 security & bugfix update Advisory ID: RHSA-2021:3694-01 Product: Red Hat Migration Toolkit Advisory URL: https://access.redhat.com/errata/RHSA-2021:3694 Issue date: 2021-09-29 CVE Names: CVE-2021-3749 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-36222 CVE-2021-37576 CVE-2021-37750 CVE-2021-38201 ===================================================================== 1. Summary: The Migration Toolkit for Containers (MTC) 1.6.0 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Security fixes: * nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to install and use MTC, refer to: https://docs.openshift.com/container-platform/4.8/migration_toolkit_for_con tainers/installing-mtc.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1878824 - Web console is not accessible when deployed on OpenShift cluster on IBM Cloud 1887526 - "Stage" pods fail when migrating from classic OpenShift source cluster on IBM Cloud with block storage 1899562 - MigMigration custom resource does not display an error message when a migration fails because of volume mount error 1936886 - Service account token of existing remote cluster cannot be updated by using the web console 1936894 - "Ready" status of MigHook and MigPlan custom resources is not synchronized automatically 1949117 - "Migration plan resources" page displays a permanent error message when a migration plan is deleted from the backend 1951869 - MigPlan custom resource does not detect invalid source cluster reference 1968621 - Paused deployment config causes a migration to hang 1970338 - Parallel migrations fail because the initial backup is missing 1974737 - Migration plan name length in the "Migration plan" wizard is not validated 1975369 - "Debug view" link text on "Migration plans" page can be improved 1975372 - Destination namespace in MigPlan custom resource is not validated 1976895 - Namespace mapping cannot be changed using the Migration Plan wizard 1981810 - "Excluded" resources are not excluded from the migration 1982026 - Direct image migration fails if the source URI contains a double slash ("//") 1994985 - Web console crashes when a MigPlan custom resource is created with an empty namespaces list 1996169 - When "None" is selected as the target storage class in the web console, the setting is ignored and the default storage class is used 1996627 - MigPlan custom resource displays a "PvUsageAnalysisFailed" warning after a successful PVC migration 1996784 - "Migration resources" tree on the "Migration details" page is not displayed 1996902 - "Select all" checkbox on the "Namespaces" page of the "Migration plan" wizard remains selected after a namespace is unselected 1996904 - "Migration" dialogs on the "Migration plans" page display inconsistent capitalization 1996906 - "Migration details" page link is displayed for a migration plan with no associated migrations 1996938 - Search function on "Migration plans" page displays no results 1997051 - Indirect migration from MTC 1.5.1 to 1.6.0 fails during "StageBackup" phase 1997127 - Direct volume migration "retry" feature does not work correctly after a network failure 1997173 - Migration of custom resource definitions to OpenShift Container Platform 4.9 fails because of API version incompatibility 1997180 - "migration-log-reader" pod does not log invalid Rsync options 1997665 - Selected PVCs in the "State migration" dialog are reset because of background polling 1997694 - "Update operator" link on the "Clusters" page is incorrect 1997827 - "Migration plan" wizard displays PVC names incorrectly formatted after running state migration 1998062 - Rsync pod uses upstream image 1998283 - "Migration step details" link on the "Migrations" page does not work 1998550 - "Migration plan" wizard does not support certain screen resolutions 1998581 - "Migration details" link on "Migration plans" page displays "latestIsFailed" error 1999113 - "oc describe" and "oc log" commands on "Migration resources" tree cannot be copied after failed migration 1999381 - MigPlan custom resource displays "Stage completed with warnings" status after successful migration 1999528 - Position of the "Add migration plan" button is different from the other "Add" buttons 1999765 - "Migrate" button on "State migration" dialog is enabled when no PVCs are selected 1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function 2000205 - "Options" menu on the "Migration details" page displays incorrect items 2000218 - Validation incorrectly blocks namespace mapping if a source cluster namespace is the same as the destination namespace 2000243 - "Migration plan" wizard does not allow a migration within the same cluster 2000644 - Invalid migration plan causes "controller" pod to crash 2000875 - State migration status on "Migrations" page displays "Stage succeeded" message 2000979 - "clusterIPs" parameter of "service" object can cause Velero errors 2001089 - Direct volume migration fails because of missing CA path configuration 2001173 - Migration plan requires two clusters 2001786 - Migration fails during "Stage Backup" step because volume path on host not found 2001829 - Migration does not complete when the namespace contains a cron job with a PVC 2001941 - Fixing PVC conflicts in state migration plan using the web console causes the migration to run twice 2002420 - "Stage" pod not created for completed application pod, causing the "mig-controller" to stall 2002608 - Migration of unmounted PVC fails during "StageBackup" phase 2002897 - Rollback migration does not complete when the namespace contains a cron job 2003603 - "View logs" dialog displays the "--selector" option, which does not print all logs 2004601 - Migration plan status on "Migration plans" page is "Ready" after migration completed with warnings 2004923 - Web console displays "New operator version available" notification for incorrect operator 2005143 - Combining Rsync and Stunnel in a single pod can degrade performance 2006316 - Web console cannot create migration plan in a proxy environment 2007175 - Web console cannot be launched in a proxy environment 5. JIRA issues fixed (https://issues.jboss.org/): MIG-785 - Search for "Crane" in the Operator Hub should display the Migration Toolkit for Containers 6. References: https://access.redhat.com/security/cve/CVE-2021-3749 https://access.redhat.com/security/cve/CVE-2021-22922 https://access.redhat.com/security/cve/CVE-2021-22923 https://access.redhat.com/security/cve/CVE-2021-22924 https://access.redhat.com/security/cve/CVE-2021-36222 https://access.redhat.com/security/cve/CVE-2021-37576 https://access.redhat.com/security/cve/CVE-2021-37750 https://access.redhat.com/security/cve/CVE-2021-38201 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYVR6S9zjgjWX9erEAQi/IA//dibbtB8S9jJNYE0BubOEXKOsDzAvcl1+ M328ShvUYB2/PuAwayXMbic6Cp3mN1vI9hqkV+HBLzpPD20f0j+4mrLBanKyTinR /UwQEoTX9JemhrHGdqDl47hLbTIWQkX39LGO99UYjqOfYSd3nb5KHE+SZI/xBFST esmFnfyWOSjdwt7RmOjPWkWoGN8WIm3VvzhyhZU2tuis33Pl5gGBoniDBs6Za+Qg 21E3Da7aK205WSMgmUdkX2R2neZG/xto9Kb3xDDk0yBXvprUz6WcqL4OUAS1IoTk naMS4BKxR1NmfKj1hPlinCQ1N4UWIGdaMfiUAwz3oR7FSubmoKCixrQTQqeRy/qB MSf1cvrwiNCdUR7lI4NNEZ9SMDO/ItD7CbjzkRGXTRWkm03BnxIFxFZFEk0aBh7p drFksMF5by1nzA10X2D1Q014MHcNnEWlr6pk5qJ029l0j+dqS/ebacOipmlslBR2 9MgIIFc5w2y+Va3sHuVwxfIhFyU9scVzO5J/7XIubvIF1UpvLrOxgCrPPqUrjpo/ ZMRm5jMj+QWbL2IfUzwPjujkLesaOt/zuOGnXioVfS2AOdd/+S6mhspyTUCcBLFM xMqBWYzjFlYF7HCAztMBmQP6mocEthLL8bD39QHFeBKJ/1zRcP9GzJ1qqDfp1i/j Afm7wBmuFk0= =NYhu -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce