             AUSCERT External Security Bulletin Redistribution

   Migration Toolkit for Containers (MTC) 1.6.0 security & bugfix update
                             30 September 2021


        AusCERT Security Bulletin Summary

Product:           Migration Toolkit for Containers (MTC)
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3749  

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.6.0 security & bugfix update
Advisory ID:       RHSA-2021:3694-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3694
Issue date:        2021-09-29
CVE Names:         CVE-2021-3749 CVE-2021-22922 CVE-2021-22923 
                   CVE-2021-22924 CVE-2021-36222 CVE-2021-37576 
                   CVE-2021-37750 CVE-2021-38201 

1. Summary:

The Migration Toolkit for Containers (MTC) 1.6.0 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security fixes:

* nodejs-axios: Regular expression denial of service in trim function

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:


4. Bugs fixed (https://bugzilla.redhat.com/):

1878824 - Web console is not accessible when deployed on OpenShift cluster on IBM Cloud
1887526 - "Stage" pods fail when migrating from classic OpenShift source cluster on IBM Cloud with block storage
1899562 - MigMigration custom resource does not display an error message when a migration fails because of volume mount error
1936886 - Service account token of existing remote cluster cannot be updated by using the web console
1936894 - "Ready" status of MigHook and MigPlan custom resources is not synchronized automatically
1949117 - "Migration plan resources" page displays a permanent error message when a migration plan is deleted from the backend
1951869 - MigPlan custom resource does not detect invalid source cluster reference
1968621 - Paused deployment config causes a migration to hang
1970338 - Parallel migrations fail because the initial backup is missing
1974737 - Migration plan name length in the "Migration plan" wizard is not validated
1975369 - "Debug view" link text on "Migration plans" page can be improved
1975372 - Destination namespace in MigPlan custom resource is not validated
1976895 - Namespace mapping cannot be changed using the Migration Plan wizard
1981810 - "Excluded" resources are not excluded from the migration
1982026 - Direct image migration fails if the source URI contains a double slash ("//")
1994985 - Web console crashes when a MigPlan custom resource is created with an empty namespaces list
1996169 - When "None" is selected as the target storage class in the web console, the setting is ignored and the default storage class is used
1996627 - MigPlan custom resource displays a "PvUsageAnalysisFailed" warning after a successful PVC migration
1996784 - "Migration resources" tree on the "Migration details" page is not displayed
1996902 - "Select all" checkbox on the "Namespaces" page of the "Migration plan" wizard remains selected after a namespace is unselected
1996904 - "Migration" dialogs on the "Migration plans" page display inconsistent capitalization
1996906 - "Migration details" page link is displayed for a migration plan with no associated migrations
1996938 - Search function on "Migration plans" page displays no results
1997051 - Indirect migration from MTC 1.5.1 to 1.6.0 fails during "StageBackup" phase
1997127 - Direct volume migration "retry" feature does not work correctly after a network failure
1997173 - Migration of custom resource definitions to OpenShift Container Platform 4.9 fails because of API version incompatibility
1997180 - "migration-log-reader" pod does not log invalid Rsync options
1997665 - Selected PVCs in the "State migration" dialog are reset because of background polling
1997694 - "Update operator" link on the "Clusters" page is incorrect
1997827 - "Migration plan" wizard displays PVC names incorrectly formatted after running state migration
1998062 - Rsync pod uses upstream image
1998283 - "Migration step details" link on the "Migrations" page does not work
1998550 - "Migration plan" wizard does not support certain screen resolutions
1998581 - "Migration details" link on "Migration plans" page displays "latestIsFailed" error
1999113 - "oc describe" and "oc log" commands on "Migration resources" tree cannot be copied after failed migration
1999381 - MigPlan custom resource displays "Stage completed with warnings" status after successful migration
1999528 - Position of the "Add migration plan" button is different from the other "Add" buttons
1999765 - "Migrate" button on "State migration" dialog is enabled when no PVCs are selected
1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function
2000205 - "Options" menu on the "Migration details" page displays incorrect items
2000218 - Validation incorrectly blocks namespace mapping if a source cluster namespace is the same as the destination namespace
2000243 - "Migration plan" wizard does not allow a migration within the same cluster
2000644 - Invalid migration plan causes "controller" pod to crash
2000875 - State migration status on "Migrations" page displays "Stage succeeded" message
2000979 - "clusterIPs" parameter of "service" object can cause Velero errors
2001089 - Direct volume migration fails because of missing CA path configuration
2001173 - Migration plan requires two clusters
2001786 - Migration fails during "Stage Backup" step because volume path on host not found
2001829 - Migration does not complete when the namespace contains a cron job with a PVC
2001941 - Fixing PVC conflicts in state migration plan using the web console causes the migration to run twice
2002420 - "Stage" pod not created for completed application pod, causing the "mig-controller" to stall
2002608 - Migration of unmounted PVC fails during "StageBackup" phase
2002897 - Rollback migration does not complete when the namespace contains a cron job
2003603 - "View logs" dialog displays the "--selector" option, which does not print all logs
2004601 - Migration plan status on "Migration plans" page is "Ready" after migration completed with warnings
2004923 - Web console displays "New operator version available" notification for incorrect operator
2005143 - Combining Rsync and Stunnel in a single pod can degrade performance
2006316 - Web console cannot create migration plan in a proxy environment
2007175 - Web console cannot be launched in a proxy environment

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-785 - Search for "Crane" in the Operator Hub should display the Migration Toolkit for Containers

6. References:


7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.