Chapter 2. MTA 7-0-3
2.1. Known issues
This section provides highlighted known issues in Migration Toolkit for Applications (MTA) version 7.0.3:
The Applications page loads slowly when there are many applications
When the Application Inventory has to list many applications, the page loads slowly. Currently, there is no workaround available. (MTA-2497)
Failure to run analysis on a directory of multiple applications
MTA 7.0.2 and 7.0.3 fail to run analysis on a directory of multiple applications. The cause of this failure is that the analyzer expects a pom.xml file in the root directory. (MTA-2765)
For a complete list of all known issues in this release, see the list of Known Issues in Jira.
2.1.1. CLI known issues
Limitations with Podman on Microsoft Windows
The CLI is built and distributed with support for Microsoft Windows.
However, when running any container image based on Red Hat Enterprise Linux 9 (RHEL9) or Universal Base Image 9 (UBI9), the following error can be returned when starting the container:
Fatal glibc error: CPU does not support x86-64-v2
This error occurs because Red Hat Enterprise Linux 9 or Universal Base Image 9 container images must run on a CPU architecture that supports x86-64-v2.
For more details, see (Running Red Hat Enterprise Linux 9 (RHEL) or Universal Base Image (UBI) 9 container images fail with "Fatal glibc error: CPU does not support x86-64-v2").
CLI runs the container runtime correctly. However, different container runtime configurations are not supported.
Although unsupported, you can run CLI with Docker instead of Podman, which would resolve this issue.
To achieve this, you replace the PODMAN_BIN path with the path to Docker.
For example, if you experience this issue, instead of issuing:
PODMAN_BIN=/usr/local/bin/docker mta-cli analyze
you replace PODMAN_BIN with the path to Docker:
<Docker Root Dir>=/usr/local/bin/docker mta-cli analyze
While this is not supported, it would allow you to explore CLI while you work to upgrade your hardware or move to hardware that supports x86_64-v2.
2.2. Resolved issues
This section provides highlighted issues that have been resolved in Migration Toolkit for Applications (MTA) version 7.0.3.
CVE-2024-29180: A flaw was found in the webpack-dev-middleware package, where it failed to validate the supplied URL address sufficiently
A flaw was found in versions of the webpack-dev-middleware package before versions 7.1.0 and 6.1.2, in which it failed to validate the supplied URL address sufficiently before returning local files. This flaw allowed an attacker to craft URLs to return arbitrary local files from the developer’s machine. The lack of normalization before calling the middleware also allowed the attacker to perform path traversal attacks on the target environment.
For more details, see (CVE-2024-29180).
CVE-2023-45288: Golang: net/http, x/net/http2: unlimited number of CONTINUATION frames can cause a denial-of-service (DoS) attack
A flaw was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the number of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a denial-of-service (DoS) attack.
For more details, see (CVE-2023-45288).
CVE-2023-45857: Axios flaw can expose confidential data stored in cookies
A flaw was found in Axios that may expose the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host. This issue can allow a remote attacker to bypass security measures and view sensitive data.
For more details, see (CVE-2023-45857).
CVE-2023-45286: go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2
A race condition in go-resty can result in HTTP request body disclosure across requests. The race condition can be triggered when sync.Pool.Put is called with the same bytes.Buffer more than once during request retries. This can lead to a situation where an unrelated server receives the request body, potentially exposing sensitive information.
For more details, see (CVE-2023-45286).
CVE-2023-26364: CSS tools: Improper Input Validation causes Denial of Service via Regular
A flaw was found in Adobe CSS Tools. Improper input validation may result in a minor denial of service while parsing malicious CSS with the parse component. User interaction and privileges are not required to jeopardize an environment.
For more details, see (CVE-2023-26364).
CVE-2023-45287: Golang: crypto/tls: Timing Side Channel Attack in an RSA-Based TLS Key exchanges
A flaw was found in the Golang crypto/tls standard library. In versions before 1.20, the package was vulnerable to a timing side-channel attack by observing the time it took for RSA-based Transport Layer Security (TLS) key exchanges, which was not constant. The flaw allowed for potential timing attacks, where the removal of PKCS#1 padding could have leaked and potentially exposed session key bits.
For more details, see (CVE-2023-45287).
CVE-2023-39326: Golang: net/http/internal: denial of service (DoS) caused by resource consumption from HTTP requests
A flaw was found in the Golang net/http/internal package that could cause a malicious HTTP sender to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. This flaw could cause the receiver to fail to read the response, possibly leading to a denial of service (DoS).
For more details, see (CVE-2023-39326).
CVE-2023-48631: Improper Input Validation vulnerability affecting Adobe css-tools
A Regular Expression Denial of Service (ReDoS) flaw was found in Adobe’s css-tools, versions 4.3.1 and earlier, when parsing CSS. This vulnerability could lead to a denial of service when attempting to parse CSS due to improper input validation and could allow an attacker to use an input string to cause a denial of service, especially when attempting to parse CSS.
For more details, see (CVE-2023-48631).
CVE-2023-26159: follow-redirects package: Improper Input Validation caused by the improper handling of URLs by the url.parse() function
An Improper Input Validation flaw was found in the follow-redirects package, in versions before 1.15.4, due to the improper handling of URLs by the url.parse() function. This flaw could be exploited by manipulating the hostname when the new URL() constructor throws an error, leading to a misinterpretation and potential redirection of traffic to a malicious site.
For more details, see (CVE-2023-26159).
CVE-2024-24786: A flaw was found in Golang’s protobuf module, where the unmarshal function can enter an infinite loop
A flaw was found in the protojson.Unmarshal function that could cause the function to enter an infinite loop when unmarshaling certain forms of invalid JSON messages. This condition could occur when unmarshaling into a message that contained a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option was set in a JSON-formatted message.
For more details, see (CVE-2024-24786).
CVE-2024-28849: follow-redirects package: could cause a possible credential leak
A flaw was found in versions of the follow-redirects package before 1.1.5. This flaw occurs when follow-redirects handles cross-domain redirects. It fails to clear the proxy-authentication header, which may contain credentials, while it clears the authorization header. As a result, this vulnerability could potentially lead to the leak of sensitive credentials.
For more details, see (CVE-2024-28849).
Fixed incorrect assessment status when running an assessment on two questionnaires
In MTA 7.0.2, running two questionnaires displayed the Assessment status as Not started instead of In progress. With this update, the problem has been resolved. As a result, the Assessment status shows In progress after one questionnaire or archetype is started.
Failure to connect to a Jira server using basic authentication
In MTA 7.0.2, connecting to a Jira server using basic authentication, meaning username and password, failed. This issue has been resolved in MTA 7.0.3. (MTA-2427)
Unable to activate the Enable insecure communication switch
In MTA 7.0.2, it was not possible to turn on the Enable insecure communication switch when creating or editing a Jira instance. This issue has been resolved in MTA 7.0.3. (MTA-2426)
Binary analysis fails for a JAR file that has no external dependencies
In MTA 7.0.2, the binary analysis failed for a Java archive (JAR) file that had no external dependencies. This issue has been resolved in MTA 7.0.3. (MTA-2661)
The IntelliJ IDE plugin’s key map actions are not functioning as expected
In previous releases of MTA, the IntelliJ IDE plugin key map actions were not functioning as expected. Even though the MTA extension opened, it did not receive focus, so the other actions did not work. (MTA-2460)
For a complete list of all issues resolved in this release, see the list of Resolved Issues in Jira.