-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3174
              Migration Toolkit for Runtimes security update
                                5 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Migration Toolkit for Runtimes
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28617 CVE-2023-27535 CVE-2023-21968
                   CVE-2023-21967 CVE-2023-21954 CVE-2023-21939
                   CVE-2023-21938 CVE-2023-21937 CVE-2023-21930
                   CVE-2023-0361 CVE-2022-41881 CVE-2022-41854
                   CVE-2022-36227 CVE-2021-46877 

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2023:3373

Comment: CVSS (Max):  7.8 CVE-2023-28617 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Runtimes security update
Advisory ID:       RHSA-2023:3373-02
Product:           Migration Toolkit for Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3373
Issue date:        2023-05-31
Updated on:        2023-06-02
CVE Names:         CVE-2021-46877 CVE-2022-36227 CVE-2022-41854 
                   CVE-2022-41881 CVE-2023-0361 CVE-2023-21930 
                   CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 
                   CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 
                   CVE-2023-27535 CVE-2023-28617 
=====================================================================

1. Summary:

An update for mtr-operator-bundle-container, mtr-operator-container,
mtr-web-container, and mtr-web-executor-container is now available for
Migration Toolkit for Runtimes 1 on RHEL 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Runtimes 1.1.0 Images

Security Fix(es):

* jackson-databind: Possible DoS if using JDK serialization to serialize
JsonNode (CVE-2021-46877)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode

5. References:

https://access.redhat.com/security/cve/CVE-2021-46877
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-21930
https://access.redhat.com/security/cve/CVE-2023-21937
https://access.redhat.com/security/cve/CVE-2023-21938
https://access.redhat.com/security/cve/CVE-2023-21939
https://access.redhat.com/security/cve/CVE-2023-21954
https://access.redhat.com/security/cve/CVE-2023-21967
https://access.redhat.com/security/cve/CVE-2023-21968
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-28617
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----