Red Hat Security Advisory 2021-3361-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a memory exhaustion vulnerability.
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.5.1 security and bug fix update
Advisory ID: RHSA-2021:3361-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3361
Issue date: 2021-08-31
CVE Names: CVE-2021-3114 CVE-2021-3121 CVE-2021-3516
CVE-2021-3517 CVE-2021-3518 CVE-2021-3520
CVE-2021-3537 CVE-2021-3541 CVE-2021-3609
CVE-2021-3636 CVE-2021-20271 CVE-2021-21419
CVE-2021-21623 CVE-2021-21639 CVE-2021-21640
CVE-2021-21648 CVE-2021-22543 CVE-2021-22555
CVE-2021-22918 CVE-2021-25735 CVE-2021-25737
CVE-2021-27218 CVE-2021-33195 CVE-2021-33196
CVE-2021-33197 CVE-2021-33198 CVE-2021-34558
=====================================================================
1. Summary:
An update is now available for the Migration Toolkit for Containers (MTC)
1.5.1.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.
Security fixes:
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: archive/zip: malformed archive may cause panic or memory
exhaustion (CVE-2021-33196)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For details on how to install and use MTC, refer to:
https://docs.openshift.com/container-platform/4.8/migration-toolkit-for-containers/installing-mtc.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1996125 - When "None" is selected as the target storage class in the web console, the setting is ignored and the default storage class is used
5. References:
https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-3609
https://access.redhat.com/security/cve/CVE-2021-3636
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-21419
https://access.redhat.com/security/cve/CVE-2021-21623
https://access.redhat.com/security/cve/CVE-2021-21639
https://access.redhat.com/security/cve/CVE-2021-21640
https://access.redhat.com/security/cve/CVE-2021-21648
https://access.redhat.com/security/cve/CVE-2021-22543
https://access.redhat.com/security/cve/CVE-2021-22555
https://access.redhat.com/security/cve/CVE-2021-22918
https://access.redhat.com/security/cve/CVE-2021-25735
https://access.redhat.com/security/cve/CVE-2021-25737
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33196
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.