-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Migration Toolkit for Runtimes security update Advisory ID: RHSA-2023:3373-02 Product: Migration Toolkit for Runtimes Advisory URL: https://access.redhat.com/errata/RHSA-2023:3373 Issue date: 2023-05-31 Updated on: 2023-06-02 CVE Names: CVE-2021-46877 CVE-2022-36227 CVE-2022-41854 CVE-2022-41881 CVE-2023-0361 CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-27535 CVE-2023-28617 ===================================================================== 1. Summary: An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Migration Toolkit for Runtimes 1.1.0 Images Security Fix(es): * jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877) * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854) * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow 2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode 5. References: https://access.redhat.com/security/cve/CVE-2021-46877 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-41881 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-21930 https://access.redhat.com/security/cve/CVE-2023-21937 https://access.redhat.com/security/cve/CVE-2023-21938 https://access.redhat.com/security/cve/CVE-2023-21939 https://access.redhat.com/security/cve/CVE-2023-21954 https://access.redhat.com/security/cve/CVE-2023-21967 https://access.redhat.com/security/cve/CVE-2023-21968 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/cve/CVE-2023-28617 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZHo3l9zjgjWX9erEAQgYdA//SADKLAg0PAE8F65a3yz+AiiOEK4xlP8W VOfcKZq5/EnsOvXz7ux0yy+2YxvYtRTZk/HtZ7q99CNiKxY6AbKzrHqRQD9w2Jxy Md+hFMvHcgLIqVtt9OZky14TnxU2+8G5viYFn3HKzWoXfrVHEjzZshBbjhDCGb3Z ncUJEVxHRsEv4DSxT5sobEMhn7MBI6S339mBYrGMch1dNem/2Jw0soQ6UG/uVHcU yoqkb/o8gR6boO/DXu7bKjOG2kizjL3bd51sSGr0BDEQoXbfBSSsTQTvqSLPN9gh 4b/vbZQ+Q944+AJ+NmSeoCSYoSIg6WQ2g+rpOPy64tJVuvGOb/k8CsGGioe+BIAe xeMyWIxrai0+GkZcaZkmmmoPOQCLVNNjvwB85nqXAbMDLiCfQOxxc3t04BOXnBDm Bcj03OEm4V3/EG4rXPAKcMYB9K4UZHYPtgU/xX7NjnNUYA3fiHUM6ok7kEAudd7H 6tFpeZhc3XuQy9fMPwnSwoz3w1sBNX9QE8/vGvuNyMfSQQesF1Wd1AYVWsjI8m+9 L5pIXOivLUsFWcbkk81764MyRSM9txMyE1y3bUc3XCAUedQuwSc1vjLBUYGu+Kmu DSv/GbKQSCLBqY2diNL/c3W4VWWUKzm93XoJtIsrfv3RNXMGf24PjQaDpaNtcCU6 tAyCy5WuTMo= =9mf1 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce