Chapter 6. MTA 6.1.0

Creating custom migration targets

Administrators and architects can create and maintain custom migration targets and populate them with custom rules from a repository. Such custom migration targets are available for use by non-admin users. This simplifies the process of analysis configuration for applications with similar technologies that are common across the entire application portfolio of an organization.

Automated tagging of resources

MTA uses the technology stack information that the analysis module collects during an analysis to generate tags and to attach them automatically to applications.

Downloading HTML and CSV analysis reports

Users can download HTML and CSV reports generated by application analysis. By default, this option is disabled; it can be enabled in the new General menu in Administration view.

Reviewing an application without an assessment

Architects can review applications without running assessments first. By default, this option is disabled; it can be enabled in the new General menu in Administration view.

Support for disconnected installation

MTA fully supports disconnected installation in air-gapped OpenShift Container Platform environments.

Changes in naming

Some entities and menu entries of the MTA user interface have been renamed for clarity. The Administrator and Developer views have been renamed to Administration and Migration, respectively. Tag Types are now named Tag Categories.

CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in the handling of multiplexed streams in the HTTP/2 protocol, which is utilized by Migration Toolkit for Applications (MTA). A client could repeatedly make a request for a new multiplex stream then immediately send an RST_STREAM frame to cancel those requests. This activity created additional workloads for the server in terms of setting up and dismantling streams, but avoided any server-side limitations on the maximum number of active streams per connection. As a result, a denial of service occurred due to server resource consumption.

CVE-2023-39325: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack in the Go language packages)

The HTTP/2 protocol is susceptible to a denial of service attack because request cancellation can reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection. This results in a denial of service due to server resource consumption.

Application analysis fails if the name of custom rules directory has spaces

During the configuration of an application analysis, if the user fetches custom rules from a repository using the CLI and the root path contains spaces, the CLI command is not properly composed and the analysis fails. The user must make sure that there are no spaces in the name of the directory from which custom rules are taken.