Release Notes

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

1. Introduction

Migration Toolkit for Runtimes (MTR) provides an extensible and customizable rule-based tool that simplifies the migration and modernization of Java applications, such as migrating JBoss Enterprise Application Platform (EAP) 7 to 8 or migrating from any other application server towards EAP at scale. MTR provides the same migration solution as provided in the Migration Toolkit for Applications 5 releases.

These release notes cover all Z-stream releases of MTR 1.2 with the most recent release listed first.

2. MTR 1.2.6

2.1. Known issues

The following known issues are in the MTR 1.2.6 release:

Unable to migrate an application to MTR due to a SEVERE [org.jboss.windup.web.services.messaging.PackageDiscoveryMDB] error

When uploading files for analysis, the server log reports a SEVERE [org.jboss.windup.web.services.messaging.PackageDiscoveryMDB] error. This error is caused by a java.lang.NullPointerException. (WINDUP-4189)

For a complete list of all known issues, see the list of MTR 1.2.6 known issues in Jira.

2.2. Resolved issues

MTR 1.2.6 has the following resolved issues:

CVE-2024-1132: org.keycloak-keycloak-parent: keycloak path traversal in redirection validation

A flaw was discovered in Keycloak, where it does not properly validate URLs included in a redirect. This flaw could allow an attacker to construct a malicious request to bypass validation, access other URLs and sensitive information within the domain, or conduct further attacks. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2024-1132.

CVE-2023-45857: Axios 1.5 exposes confidential data stored in cookies

A flaw was discovered in Axios 1.5.1 that accidentally revealed the confidential XSRF-TOKEN, stored in cookies, by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, thereby allowing attackers to view sensitive information. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2023-45857.

CVE-2024-28849: follow-redirects package clears authorization headers

A flaw was discovered in the follow-redirects package: when following a redirect it clears the authorization header but fails to clear the proxy-authentication header. This flaw could lead to credential leakage, which could have a high impact on data confidentiality. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2024-28849.
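The Axios and follow-redirects issues above share one requirement: headers carrying credentials issued for one origin must not be sent to another host. As an added illustration that is not code from the release notes, Axios or follow-redirects, the check below drops such headers whenever the target URL's origin differs from the one the credentials are bound to; the header list, function names and sample values are constructed for this example.

```javascript
// Added example; not from MTR, Axios or follow-redirects. The header list is
// an assumption: request headers that carry credentials bound to one origin.
const CREDENTIAL_HEADERS = new Set([
  'authorization',        // bearer/basic credentials (CVE-2024-28849 case)
  'proxy-authorization',  // the proxy credential follow-redirects left in place
  'cookie',
  'x-xsrf-token',         // the token Axios 1.5.1 sent to every host (CVE-2023-45857)
]);

// Origin = scheme + host + port. URL normalises default ports to '', so
// https://a.test and https://a.test:443 compare equal.
function sameOrigin(boundUrl, targetUrl) {
  const a = new URL(boundUrl);
  const b = new URL(targetUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Return a copy of `headers` that is safe to send to `targetUrl` when the
// credentials in it were issued for `boundUrl` (the page origin for a CSRF
// token, or the original request URL when following a redirect). Header
// names are case-insensitive, so matching is done on a lowercased key.
function scrubCredentialHeaders(headers, boundUrl, targetUrl) {
  if (sameOrigin(boundUrl, targetUrl)) return { ...headers };
  const scrubbed = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) scrubbed[name] = value;
  }
  return scrubbed;
}

// Constructed sample request headers (placeholder values, not real secrets).
const sampleHeaders = {
  Accept: 'application/json',
  Authorization: 'Bearer <constructed-token>',
  'Proxy-Authorization': 'Basic <constructed-credential>',
  'X-XSRF-TOKEN': '<constructed-xsrf-token>',
};

// A redirect from the API host to a CDN host keeps only Accept; a redirect
// that stays on the API host keeps all four headers.
const afterCrossHostRedirect = scrubCredentialHeaders(
  sampleHeaders, 'https://api.example.test/login', 'https://cdn.example.test/asset');
const afterSameHostRedirect = scrubCredentialHeaders(
  sampleHeaders, 'https://api.example.test/login', 'https://api.example.test/v2/login');
```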

CVE-2024-29131: Out-of-bounds Write vulnerability in Apache Commons Configuration

A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error can occur when adding a property in the AbstractListDelimiterHandler.flattenIterator() method. This issue could allow an attacker to corrupt memory or execute a denial of service (DoS) attack by crafting a malicious property that triggers an out-of-bounds write issue when processed by the vulnerable method. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2024-29131.

CVE-2024-29133: Out-of-bounds Write vulnerability in Apache Commons Configuration

A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error occurs when calling the ListDelimiterHandler.flatten(Object, int) method with a cyclical object tree. This issue could allow an attacker to trigger an out-of-bounds write that could lead to memory corruption or cause a denial of service (DoS) attack. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2024-29133.

CVE-2024-29180: webpack-dev-middleware lack of URL validation may lead to a file leak

A flaw was found in the webpack-dev-middleware package, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer’s machine. The lack of normalization before calling the middleware also allows the attacker to perform path traversal attacks on the target environment. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2024-29180.

CVE-2023-4639: org.keycloak-keycloak-parent undertow Cookie Smuggling and Spoofing

A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This vulnerability has the potential to enable an attacker to construct a cookie value to intercept HttpOnly cookie values or spoof arbitrary additional cookie values, resulting in unauthorized data access or modification. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2023-4639.

CVE-2023-36479: com.google.guava-guava-parent improper addition of quotation marks to user inputs in Jetty CGI Servlet

A flaw was found in Jetty’s org.eclipse.jetty.servlets.CGI Servlet, which permits incorrect command execution in specific circumstances, such as requests with certain characters in requested filenames. This issue could allow an attacker to run permitted commands besides the ones requested. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2023-36479.

CVE-2023-26364: css-tools improper input validation causes denial of service

A flaw was found in @adobe/css-tools, which could potentially lead to a minor denial of service (DoS) when parsing CSS. User interaction and privileges are not required to jeopardize an environment. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2023-26364.

CVE-2023-48631: css-tools: regular expression denial of service

A flaw was found in @adobe/css-tools, which could lead to a regular expression denial of service (ReDoS) when attempting to parse CSS. Users are recommended to upgrade to MTR 1.2.6, which resolves this issue.

For more details, see CVE-2023-48631.

For a complete list of all issues resolved in this release, see the list of MTR 1.2.6 resolved issues in Jira.

3. MTR 1.2.5

3.1. New features

Migration Toolkit for Runtimes (MTR) 1.2.5 has the following new features:

New ruleset for MicroProfile metrics replaces old ruleset

A new ruleset for MicroProfile (MP) metrics replaces the old ruleset. (WINDUPRULE-1043)

New ruleset for MicroProfile OpenTracing replaces the old ruleset

A new ruleset for MicroProfile (MP) OpenTracing replaces the old ruleset. (WINDUPRULE-1044)

3.2. Known issues

There are no major known issues in this Migration Toolkit for Runtimes (MTR) 1.2.5 release.

For a complete list of all known issues, see the list of MTR 1.2.5 known issues in Jira.

3.3. Resolved issues

Migration Toolkit for Runtimes (MTR) 1.2.5 resolves the following issues:

CVE-2024-25710: commons-compress: Denial of service caused by an infinite loop

A loop with an unreachable exit condition (an infinite loop) vulnerability was found in Apache Commons Compress. This issue could have led to a denial of service. It affects Apache Commons Compress from 1.3 through 1.25.0. Users are recommended to upgrade to MTR 1.2.5, which resolves this issue.

For more details, see CVE-2024-25710.

CVE-2024-26308: commons-compress: OutOfMemoryError

An allocation of resources without limits or throttling vulnerability was found in Apache Commons Compress. This issue could lead to an out-of-memory error (OOM). It affects Apache Commons Compress from 1.21 to 1.26. Users are recommended to upgrade to MTR 1.2.5, which resolves this issue.

For more details, see CVE-2024-26308.

CVE-2024-1300: A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in Transmission Control Protocol (TCP) servers configured with TLS and SNI support. When an unknown Server Name Indication (SNI) server name is assigned the default certificate instead of a mapped certificate, the Secure Sockets Layer (SSL) context is erroneously cached in the server name map, leading to memory exhaustion. This affects only TLS servers with SNI enabled. Users are recommended to upgrade to MTR 1.2.5, which resolves this issue.

For more details, see CVE-2024-1300.

For a complete list of all issues resolved in this release, see the list of MTR 1.2.5 resolved issues in Jira.

4. MTR 1.2.4

4.1. New features

This section describes the new features of the Migration Toolkit for Runtimes (MTR) 1.2.4:

  1. New rules support the migration of Red Hat JBoss Enterprise Application Platform (EAP 7) to EAP 8.

  2. New rules support the migration of Jakarta EE applications to Quarkus.

4.2. Known issues

For a complete list of all known issues, see the list of MTR 1.2.4 known issues in Jira.

4.3. Resolved issues

CVE-2023-26159: follow-redirects package before 1.15.4 is vulnerable to Improper Input Validation

Versions of the follow-redirects package before 1.15.4 are vulnerable to Improper Input Validation. This vulnerability is due to the improper handling of URLs by the url.parse() function. When constructing the URL with new URL() throws an error, the input can be manipulated so that the hostname is misinterpreted. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

For more details, see CVE-2023-26159.

CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the node-semver package

Versions of the semver npm package before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). This ReDoS vulnerability comes from the new Range() function when untrusted user data is provided as a range.

For more details, see CVE-2022-25883.

CVE-2023-26136: tough-cookie package before 4.1.3 is vulnerable to Prototype Pollution

Versions of the tough-cookie package before 4.1.3 are vulnerable to Prototype Pollution. This vulnerability is due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

For more details, see CVE-2023-26136.

CVE-2023-35116: jackson-databind before 2.15.2 is vulnerable to Denial of Service or other unspecified impact

Versions of the jackson-databind library before 2.15.2 are vulnerable to Denial of Service (DoS) attacks or other unspecified impacts using a crafted object that uses cyclic dependencies.

For more details, see CVE-2023-35116.

For a complete list of all issues resolved in this release, see the list of MTR 1.2.4 resolved issues in Jira.

5. MTR 1.2.3

5.1. New features

This section describes the new features of the Migration Toolkit for Runtimes (MTR) 1.2.3:

  1. New rules support for Camel 4.1.

  2. New rules support the migration of Java EE applications to Quarkus.

5.2. Known issues

For a complete list of all known issues, see the list of MTR 1.2.3 known issues in Jira.

5.3. Resolved issues

CVE-2023-1436: org.keycloak-keycloak-parent: Jettison: Uncontrolled Recursion in JSONArray

A flaw in Jettison, which was utilized by MTR, triggers an infinite recursion when constructing a JSONArray from a Collection where one of the elements self-references. This flaw throws a StackOverflowError exception. (WINDUP-3772)

For more details, see CVE-2023-1436.
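The Jettison entry above, the Commons Configuration entries in MTR 1.2.6 (flatten on a cyclical object tree) and the jackson-databind entry in MTR 1.2.4 all describe the same failure mode: a recursive walk with no record of the containers it is already inside, so a self-reference recurses until the stack overflows. The JavaScript below is an added illustration, not code from MTR or any of those libraries; it puts a naive flatten beside one that tracks the current path by identity and bounds depth (function names, inputs and the depth limit are constructed for the example).

```javascript
// Added example; not code from MTR, Commons Configuration, jackson-databind
// or Jettison. flattenNaive reproduces the failure mode (unbounded recursion
// on a self-referencing collection); flattenSafe shows the usual fix.

// Naive: recurses into every nested array with no memory of what it has
// already entered, so an array that contains itself never terminates and
// the engine aborts with a stack-overflow RangeError.
function flattenNaive(value, out = []) {
  if (Array.isArray(value)) {
    for (const item of value) flattenNaive(item, out);
  } else {
    out.push(value);
  }
  return out;
}

// Hardened: `path` holds the containers on the current recursion path, compared
// by identity, so meeting one again is a cycle and is reported as an error.
// maxDepth (constructed limit) also bounds legitimately deep acyclic input.
function flattenSafe(value, maxDepth = 64, out = [], path = new Set(), depth = 0) {
  if (!Array.isArray(value)) {
    out.push(value);
    return out;
  }
  if (path.has(value)) throw new Error('cyclic structure detected');
  if (depth >= maxDepth) throw new Error(`nesting deeper than ${maxDepth}`);
  path.add(value);
  for (const item of value) flattenSafe(item, maxDepth, out, path, depth + 1);
  path.delete(value); // the same sub-array may appear twice as a sibling (a DAG, not a cycle)
  return out;
}

// Constructed inputs: an acyclic nested list, and a list whose nested element
// refers back to the list itself, the shape named in the Jettison entry.
const acyclic = [1, [2, [3, 4]], 5];
const cyclic = ['a', ['b']];
cyclic[1].push(cyclic);

// Run both versions against the cyclic input and report what happened.
function demo() {
  const flat = flattenSafe(acyclic); // [1, 2, 3, 4, 5]
  let naiveOverflowed = false;
  try { flattenNaive(cyclic); } catch (e) { naiveOverflowed = e instanceof RangeError; }
  let safeRejected = false;
  try { flattenSafe(cyclic); } catch (e) { safeRejected = /cyclic/.test(e.message); }
  return { flat, naiveOverflowed, safeRejected };
}
```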

For a complete list of all issues resolved in this release, see the list of MTR 1.2.3 resolved issues in Jira.

6. MTR 1.2.2

6.1. Known issues

For a complete list of all known issues, see the list of MTR 1.2.2 known issues in Jira.

6.2. Resolved issues

CVE-2023-44487: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol, which was utilized by Migration Toolkit for Runtimes (MTR). A client could repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates additional workload for the server in terms of setting up and dismantling streams, while avoiding any server-side limitations on the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. (WINDUP-4072)

For more details, see CVE-2023-44487.

CVE-2023-37460: plexus-archiver: Arbitrary File Creation in AbstractUnArchiver

A flaw was found in the Plexus Archiver, which was utilized by MTR. When extracting an archive with AbstractUnArchiver, a crafted archive could lead to arbitrary file creation and possible remote code execution (RCE). The destination directory verification is bypassed if the archive contains an entry in the destination directory that is a symbolic link whose target does not exist. The plexus-archiver is a test-scoped artifact and is therefore not included in any of the MTR distributions. (WINDUP-4053)

For more details, see CVE-2023-37460.

EAP 7.3 and EAP 7.4 rules with target EAP 7.0 and above

This MTR release corrects some rules that support migrating to EAP 7.3 and above, ensuring that the rules are ignored if the target is EAP 7.2 or below. (WINDUPRULE-1038)

7. MTR 1.2.1

7.1. Known issues

For a complete list of all known issues, see the list of MTR 1.2.1 known issues in Jira.

7.2. Resolved issues

CVE-2023-44487: netty-codec-http2: HTTP/2

Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack). The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly. (WINDUP-4056)

For a complete list of all issues resolved in this release, see the list of MTR 1.2.1 resolved issues in Jira.

8. MTR 1.2.0

8.1. New features

This section describes the new features of the Migration Toolkit for Runtimes (MTR) 1.2.0.

  1. Decompilation and analysis of applications based on Java 17

  2. Rules Override enhancement: A new condition has been added for overriding an existing rule. In addition to matching rulesetId and ruleId, the target technology in the override ruleset must match one of the targets that the user specified for running the analysis.

  3. Eclipse Plugin Java 17 compatibility

  4. Upgrade of the Windup Operator: Adopted Quarkus 2.13.7.Final and the Quarkus Operator SDK 4.0.8

8.1.1. New rulesets and targets

  1. OpenJDK 21: Rules to support the upgrading to OpenJDK 21.

  2. Red Hat JBoss Web Server 6: Rules to support the upgrade of JWS and Tomcat applications to JWS 6 and Tomcat 10.

  3. Camel 4: Comprehensive rulesets supporting upgrade to all Y-stream releases of Camel 3 and Camel 4.

  4. More migration rules to support Red Hat JBoss EAP 8 and Hibernate 6.

  5. Java/Jakarta EE to Quarkus: New rulesets support migrating Java/Jakarta EE applications to Quarkus 3. These rulesets cover the quarkification of the project, along with JAX-RS and CDI technologies. Additional rules that support this migration path are still under development and will be made available in future Z-stream releases.

8.2. Known issues

For a complete list of all known issues, see the list of MTR 1.2.0 known issues in Jira.

8.3. Resolved issues

For a complete list of all issues resolved in this release, see the list of MTR 1.2.0 resolved issues in Jira.