Release Notes

CVE-2024-30255: mta-hub-container envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood

A flaw was found in how the Envoy proxy implements the HTTP/2 protocol stack, which impacts earlier versions of MTA. There are insufficient limitations placed on the number of CONTINUATION frames that can be sent within a single stream. If an unauthenticated remote attacker sends messages to vulnerable servers, this could cause issues by using up resources and causing a denial of service (DoS). Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2024-29180: webpack-dev-middleware lack of URL validation may lead to file leak

A flaw was found in the webpack-dev-middleware package, which impacts earlier versions of MTA, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer’s machine. The lack of normalization before calling the middleware also allows the attacker to perform path traversal attacks on the target environment. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2024-28849: follow-redirects package clears authorization headers

A flaw was found in the follow-redirects package that clears authorization headers, but it fails to clear the proxy-authentication headers. This flaw impacts earlier versions of MTA. It could lead to credential leakage, which could have a high impact on data confidentiality. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2024-27316: HTTP-2: httpd: CONTINUATION frames

A flaw was found in how Apache httpd implements the HTTP/2 protocol, which impacts earlier versions of MTA. This flaw means that there are insufficient limitations placed on the number of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up memory resources and lead to a denial of service (DoS) attack. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2023-45288: Golang net/http, x/net/http2: unlimited number of CONTINUATION frames can cause a denial-of-service (DoS) attack

A flaw was found in the implementation of the HTTP/2 protocol in the Go programming language, which impacts previous versions of MTA. There were insufficient limitations on the number of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a denial-of-service (DoS) attack. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2023-45857: Axios 1.5 exposes confidential data stored in cookies

A flaw was discovered in Axios 1.5.1 that accidentally revealed the confidential XSRF-TOKEN, stored in cookies, by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, thereby allowing attackers to view sensitive information. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

A flaw was found in Apache Commons Compress versions 1.3 through 1.25.0. The flaw allows for an infinite loop, posing potential danger by causing denial of service (DoS) and impacting availability. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2024-26308: Allocation of resources without limits or throttling vulnerability in Apache Commons Compress

A flaw was found in Apache Commons Compress versions. The flaw, known as Allocation of Resources Without Limits or Throttling, allows for the exploitation of resources without any limits or throttling. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2024-1300: `io.vertx:vertx-core`memory leak when a TCP server is configured with TLS and SNI support

A flaw was found in the Eclipse`Vert.x` toolkit. This flaw can cause a memory leak on TCP servers configured with TLS and SNI support and could allow attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory (OOM) error. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2024-1132: org.keycloak-keycloak-parent: keycloak path transversal in redirection validation

A flaw was discovered in Keycloak, where it does not properly validate URLs included in a redirect. This flaw could allow an attacker to construct a malicious request to bypass validation, and access other URLs and sensitive information within the domain or conduct further attacks. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2024-1023: Memory leak vulnerability in the Eclipse Vert.x Toolkit with Netty FastThreadLocal data structures

A flaw was found in the Eclipse`Vert.x` toolkit. This flaw can result in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, this can trigger a memory leak. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2023-26159: follow-redirects improper input validation due to the improper handling of URLs by the url.parse()

A flaw was found in the follow-redirects package. This flaw is caused by the improper handling of URLs by the url.parse() function. When new URL() returns an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2023-26364: css-tools improper input validation causes denial of service

A flaw was found in @adobe/css-tools, which could potentially lead to a minor denial of service (DoS) when parsing CSS. User interaction and privileges are not required to jeopardize an environment. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2023-48631: css-tools: regular expression denial of service

A flaw was found in @adobe/css-tools, which could lead to a regular expression denial of service (ReDoS) when attempting to parse CSS. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

CVE-2022-45693: Vulnerability in Jettison 

Versions of Jettison before v1.5.2 are vulnerable to a Denial of Service (DoS) caused by a stack-based buffer overflow. By sending a specially crafted request using the map parameter, a remote attacker could exploit this vulnerability to cause a DoS attack. This issue has been resolved in MTA version 6.2.2.

CVE-2023-29406: HTTP/1 client does not fully validate the contents of the Host header

Versions of Golang before 1.19.11 are vulnerable to HTTP header injection, caused by improper contents validation of Host header by the HTTP/1 client. A maliciously crafted Host header can inject additional headers or entire requests. In version 1.19.11 Golang, and later, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. This issue has been resolved in MTA version 6.2.2.

CVE-2023-29409: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. A Denial of Service (DoS) vulnerability was found in the Golang Go package, caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, a remote attacker can cause a client/server to expend significant CPU time verifying signatures, resulting in a denial of service condition. This issue has been resolved in MTA version 6.2.2.

CVE-2022-1962: Uncontrolled recursion in the Parse functions in go/parser

In versions of Golang, before 1.17.12 and 1.18.4, a flaw was found in the standard library go/parser, uncontrolled recursion could allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. This issue has been resolved in MTA version 6.2.2.

CVE-2023-26159: Improper handling of URLs by the url.parse() function

In versions of the follow-redirects package before 1.15.4, there is a vulnerability to Improper Input Validation. This flaw is caused by the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, and could lead to information disclosure, phishing attacks, or other security breaches. This issue has been resolved in MTA version 6.2.2.

CVE-2022-46751: Improper Restriction of XML External Entity Reference, XML Injection vulnerability in Apache Ivy

In version of Apache Ivy before 2.5.2, parsing XML files, either its configuration, Ivy files or Apache Maven POMs, it allows downloading external document type definitions and expand any entity references contained. This process can be used to exfiltrate data, access resources only the machine running Ivy has access to, or disturb the execution of Ivy in different ways. This issue has been resolved in MTA version 6.2.2.

CVE-2023-2976: Java’s default temporary directory for file creation in FileBackedOutputStream

Version of Google Guava versions 1.0 to 31.1 could allow a local authenticated attacker to obtain sensitive information. This is caused by a flaw with using Java’s default temporary directory for file creation in FileBackedOutputStream. Using Java’s default temporary directory for file creation in FileBackedOutputStream on Unix systems, could allow other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. This issue has been resolved in MTA version 6.2.2.

CVE-2023-35116:  Versions of jackson-databind before 2.15.2 could allow attackers to cause a denial of service or other unspecified impact (disputed)

Versions of jackson-databind before 2.15.2 could allow attackers to cause a denial of service or other unspecified impact. The vendor believes that this is not a valid vulnerability because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. This issue has been resolved in MTA version 6.2.2.

CVE-2023-1436:  An infinite recursion is triggered in Jettison when constructing a JSONArray

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being returned.  This issue has been resolved in MTA version 6.2.2.

CVE-2024-25710: Denial of service caused by an infinite loop

Loop with Unreachable Exit Condition, Infinite Loop, vulnerability in Apache Commons Compress. This vulnerability affects Apache Commons Compress, versions 1.3 to 1.25.0, and can lead to a Denial of Service (DoS).

CVE-2023-6291: Keycloak redirect_uri validation bypass

An issue was found in the redirect_uri validation logic in Keycloak that allows for a bypass of otherwise explicitly allowed hosts. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

CVE-2024-1300: Eclipse Vert.x memory leak when a TCP server is configured with TLS and SNI support

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with Transport Layer Security (TLS) and Server Name Indication (SNI) support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the Secure Sockets Layer (SSL) context is mistakenly cached in the server name map, leading to memory exhaustion. This issue could allow attackers to send TLS client hello messages with fake server names, triggering a Java virtual machine (JVM) Out-of-Memory (OOM) error.

CVE-2023-45286

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same \*bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that has not had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

CVE-2023-48631: Adobe’s css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability

A Regular Expression Denial of Service (ReDoS) vulnerability was found in Adobe’s css-tools when parsing CSS. This issue occurs due to improper input validation and may allow an attacker to use a carefully crafted input string to cause a denial of service, when attempting to parse CSS.

CVE-2023-36479: Improper addition of quotation marks to user inputs in CgiServlet

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. In previous releases of MTA, the HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation could reset multiple streams quickly. The server had to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection, which resulted in a denial of service due to server resource consumption.

CVE-2023-39325: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack in the Go language packages)

The HTTP/2 protocol is susceptible to a denial of service attack because request cancellation can reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection. This results in a denial of service due to server resource consumption.

Integration with JIRA

The integration of Migration Toolkit for Applications with Jira allows you to track and manage the whole migration process. To introduce changes to the applications in the portfolio, you can create issues in Jira and assign them to developers.

Migration Waves management

A migration wave is a small collection of workloads that deliver business value. MTA’s Migration Wave groups applications to be migrated on a specified schedule.

OpenShift Monitoring integration

MTA integrates with OpenShift Monitoring, which allows users to consume metrics from their MTA installation.

CVE-2023-44487: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw has been found in handling multiplexed streams in the HTTP/2 protocol. The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can be reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection, which resulted in a denial of service due to server resource consumption.

CVE-2023-39325: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack in the Go language packages)

The HTTP/2 protocol is susceptible to a denial of service attack because request cancellation can reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection. This results in a denial of service due to server resource consumption.

Re-enabling Keycloak breaks MTA

Keycloak is enabled by default. If you disable and then re-enable Keycloak, you cannot perform any actions in the MTA web console after logging in again.

Analysis fails when fetching rules from a repository with a folder that contains spaces in its name

When fetching custom rules from a repository during an analysis, if the Root path field contains spaces, the mta-cli command is not properly composed and the analysis fails. MTA-458

Update notifications are disabled for Application, Job functions, and Business services

Update notifications are disabled for Application, Job function and Business services, as a result, no notifications are displayed. MTA-1024

Repository type field is not required

The Repository type field is not required when saving the configuring rules files from a repository in analysis. MTA-1047

False 'not connected' status for new Jira instance

When creating a new Jira instance, the connection status is initially shown as Not connected before it moves to Connected, and this delay could cause the user to think that the provided credentials are incorrect. MTA-1019

Analysis wizard

The release of MTA 6.2.0 resolves the issue that Analysis wizard was stuck on the custom rules page on moving Back from the Repository tab. For more information on this issue, see MTA-464.

Tags & Reports tabs

The release of MTA 6.2.0 resolves the issue that an analysis was running for an application, and after clicking on that application to see the Tags and Reports, both the tabs keep loading until the analysis finished. For more information on this issue, see MTA-465.