RedHat: RHSA-2023-2041:01 Important: Migration Toolkit for Applications
Summary
Migration Toolkit for Applications 6.1.0 Images
Security Fix(es):
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client (CVE-2022-31690)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2021-4235
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-2995
https://access.redhat.com/security/cve/CVE-2022-3162
https://access.redhat.com/security/cve/CVE-2022-3172
https://access.redhat.com/security/cve/CVE-2022-3259
https://access.redhat.com/security/cve/CVE-2022-3466
https://access.redhat.com/security/cve/CVE-2022-3782
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-31690
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0767
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/updates/classification/#important
Topic
Migration Toolkit for Applications 6.1.0 release
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Bugs Fixed
2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
JIRA issues fixed (https://issues.redhat.com/):
MTA-118 - Automated tagging of resources with Windup
MTA-123 - MTA crashes cluster nodes when running bulk binary analysis due to requests and limits not being configurable
MTA-129 - User field in Manage Import is empty
MTA-160 - [Upstream] Maven Repositories "No QueryClient set, use QueryClientProvider to set one"
MTA-204 - Every http request made to tagtypes returns HTTP Status 404
MTA-256 - Update application import template
MTA-260 - [Regression] Application import through OOTB import template fails
MTA-261 - [Regression] UI incorrectly reports target applications have in-progress/complete assessment
MTA-263 - [Regression] Discard assessment option present even when assessment is not complete
MTA-267 - Analysis EAP targets should include eap8
MTA-268 - RFE: Automated Tagging details to add on Review analysis details page
MTA-279 - All types of Source analysis is failing in MTA 6.1.0
MTA-28 - Success Alert is not displayed when subsequent analysis are submitted
MTA-282 - Discarding review results in 404 error
MTA-283 - Sorting broken on Application inventory page
MTA-284 - HTML reports download with no files in reports and stats folders
MTA-29 - Asterisk on Description while creating a credentials should be removed
MTA-297 - [Custom migration targets] Cannot upload JPG file as an icon
MTA-298 - [Custom migration targets] Unclear error when uploading image greater than 1Mb of size
MTA-299 - [RFE][Custom migration targets] Assign an icon: Add image max size in the note under the image name
MTA-300 - [Custom rules] Cannot upload more than one rules file
MTA-303 - [UI][Custom migration targets] The word "Please" should be removed from the error message about existing custom target name
MTA-304 - [Custom rules] Failed analysis when retrieving custom rules files from a repository
MTA-306 - MTA allows the uploading of multiple binaries for analysis
MTA-311 - MTA operator fails to reconcile on a clean (non-upgrade) install
MTA-314 - PVCs may not provision if storageClassName is not set.
MTA-330 - With auth disabled, 'username' seen in the persona dropdown
MTA-332 - Tagging: Few Tags are highlighted with color
MTA-34 - Cannot filter by Business Service when copying assessments
MTA-345 - [Custom migration targets] Error message "imageID must be defined" is displayed when uploading image
MTA-35 - Only the first notification is displayed when discarding multiple copied assessments
MTA-350 - Maven Central links from the dependencies tab in reports seem to be broken
MTA-351 - AspectJ is not identified as an Open Source Library
MTA-356 - The inventory view has to be refreshed for the tags that were assigned by an analysis to appear
MTA-363 - [UI][Custom migration targets] "Repository type" field name is missing
MTA-364 - [Custom migration targets] Unknown image file when editing a custom migration target
MTA-366 - Tagging: For no tags attached "filter by" can be improved
MTA-367 - [Custom migration targets] Cannot use a custom migration target in analysis
MTA-369 - Custom migration targets: HTML elements are duplicated
MTA-375 - Run button does not execute the analysis
MTA-377 - [UI][Custom rules] Custom rules screen of the analysis configuration wizard is always marked as required
MTA-378 - [UI][Custom rules] Info message on the Custom rules screen is not updated
MTA-38 - Only the first notification is displayed when multiple files are imported.
MTA-381 - Custom Rules: When try to update Add rules the Error alert is displayed
MTA-382 - Custom Rules: Sometimes able to upload duplicate rules files
MTA-388 - CSV reports download empty when enabling the option after an analysis
MTA-389 - [Custom rules in Analysis] Failed analysis when retrieving custom rules files from a private repository
MTA-391 - [Custom rules in Analysis] Targets from uploaded rules file are not removed once the file is removed
MTA-392 - Unable to see all custom migration targets when using a vertical monitor
MTA-41 - [UI] Failed to refresh token if Keycloak feature "Use Refresh Tokens" is off
MTA-412 - Display alert message before reviewing an already reviewed application
MTA-428 - [Custom Rules] MTA analysis custom rules conflict message
MTA-430 - Analysis wizard: Next button should be enabled only after at least one target is selected
MTA-438 - Tagging: Retrieving tags needs a loading indicator
MTA-439 - [Regression][Custom rules] Failed to run analysis with custom rules from a repository
MTA-443 - Custom rules: Add button can be disabled until duplicate rule file is removed
MTA-50 - RFE: Replace the MTA acronym in the title with "Migration Toolkit for Applications"
MTA-51 - RFE: " Select the list of packages to be analyzed manually" to modify the title
MTA-52 - [RFE] We can change "Not associated artifact" to "No associated artifact"
MTA-55 - Can't choose a custom rule via a file explorer(mac OS finder) in Tackle 2.0
MTA-78 - CVE-2022-46364 org.keycloak-keycloak-parent: Apache CXF: SSRF Vulnerability [mta-6.0]
MTA-99 - Unable to use root path during checking for maven dependencies