===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2442                               
  Migration Toolkit for Runtimes security, bug fix and enhancement update  
                               19 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Migration Toolkit for Runtimes                          
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2024-26308 CVE-2024-1300                            

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1923

Comment: CVSS (Max):  5.9 CVE-2024-26308 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Runtimes
                   security, bug fix and enhancement update
Advisory ID:       RHSA-2024:1923
Product:           Migration Toolkit for Runtimes 1 on RHEL 8
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1923
Issue date:        2024-04-18
CVE Names:         CVE-2024-1300 CVE-2024-26308
=====================================================================

1. Summary:

Migration Toolkit for Runtimes 1.2.5 release

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Migration Toolkit for Runtimes 1 on RHEL 8 - s390x, ppc64le, arm64, amd64 

3. Description:

Migration Toolkit for Runtimes 1.2.5 Images

Security Fix(es):

* vertx-core: memory leak when a TCP server is configured with TLS and SNI
support (CVE-2024-1300)

* commons-compress: OutOfMemoryError unpacking broken Pack200 file
(CVE-2024-26308)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

Install the latest version of the Migration Toolkit for Runtimes from the Red
Hat catalog in the OperatorHub page within your OpenShift instance.

5. Bugs fixed (https://bugzilla.redhat.com/):

2263139 - CVE-2024-1300 - io.vertx:vertx-core: memory leak when a TCP server is
configured with TLS and SNI support
2264989 - CVE-2024-26308 - commons-compress: OutOfMemoryError unpacking broken
Pack200 file

6. Package List:

Migration Toolkit for Runtimes 1 on RHEL 8

7. References:

https://access.redhat.com/security/cve/CVE-2024-1300
https://access.redhat.com/security/cve/CVE-2024-26308
https://access.redhat.com/security/updates/classification/#moderate

--------------------------END INCLUDED TEXT----------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================