Release Notes

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

1. Introduction

Migration Toolkit for Runtimes (MTR) provides an extensible and customizable rule-based tool that simplifies the migration and modernization of Java applications, such as migrating JBoss Enterprise Application Platform (EAP) 7 to 8 or migrating from any other application server towards EAP at scale. MTR provides the same migration solution as provided in the Migration Toolkit for Applications 5 releases.

These release notes cover all Z-stream releases of MTR 1.2 with the most recent release listed first.

2. MTR 1.2.3

2.1. New features

This section describes the new features of the Migration Toolkit for Runtimes (MTR) 1.2.3:

  1. New rules support for Camel 4.1.

  2. New rules support the migration of Java EE applications to Quarkus.

2.2. Known issues

For a complete list of all known issues, see the list of MTR 1.2.3 known issues in Jira.

2.3. Resolved issues

CVE-2023-1436 org.keycloak-keycloak-parent: Jettison: Uncontrolled Recursion in JSONArray

A flaw in Jettison, which was utilized by MTR, triggers an infinite recursion when constructing a JSONArray from a Collection in which one of the elements references itself. The recursion ends in a StackOverflowError. (WINDUP-3772)

For more details, see CVE-2023-1436.
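
A guard for the self-reference case described above, as an added example that is not Jettison or MTR code. The class and method names and the depth bound are assumptions; it uses only the JDK (Java 9 or later), so it runs without Jettison on the classpath.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical helper (not Jettison or MTR code): rejects container graphs that
// reach themselves before they are passed to a recursive JSON builder.
public class CycleGuard {
    private static final int MAX_DEPTH = 512; // assumed bound for deep but acyclic input

    // True if a Collection/Map is its own descendant or nesting exceeds MAX_DEPTH.
    static boolean isUnsafeToSerialize(Object value) {
        Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());
        return visit(value, onPath, 0);
    }

    private static boolean visit(Object value, Set<Object> onPath, int depth) {
        Iterable<?> children;
        if (value instanceof Collection) {
            children = (Collection<?>) value;
        } else if (value instanceof Map) {
            children = ((Map<?, ?>) value).values();
        } else {
            return false; // scalars cannot recurse
        }
        // Identity comparison: equals()/hashCode() on a self-referencing list would recurse too.
        if (depth > MAX_DEPTH || !onPath.add(value)) {
            return true;
        }
        for (Object child : children) {
            if (visit(child, onPath, depth + 1)) {
                return true;
            }
        }
        onPath.remove(value); // the same sub-list reached twice without a loop is fine
        return false;
    }
    public static void main(String[] args) {
        List<Object> plain = new ArrayList<>(List.of("a", List.of(1, 2)));
        List<Object> selfRef = new ArrayList<>();
        selfRef.add("a");
        selfRef.add(selfRef); // constructed input: the list contains itself
        System.out.println("plain   unsafe? " + isUnsafeToSerialize(plain));
        System.out.println("selfRef unsafe? " + isUnsafeToSerialize(selfRef));
    }
}
```

Calling such a check on untrusted input before building the array turns the unbounded recursion into an ordinary rejected request.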

For a complete list of all issues resolved in this release, see the list of MTR 1.2.3 resolved issues in Jira.

3. MTR 1.2.2

3.1. Known issues

For a complete list of all known issues, see the list of MTR 1.2.2 known issues in Jira.

3.2. Resolved issues

CVE-2023-44487 netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol, which was utilized by Migration Toolkit for Runtimes (MTR). A client could repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates additional workload for the server in terms of setting up and dismantling streams, while avoiding any server-side limitations on the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. (WINDUP-4072)

For more details, see CVE-2023-44487.

CVE-2023-37460 plexus-archiver: Arbitrary File Creation in AbstractUnArchiver

A flaw was found in the Plexus Archiver, which was utilized by MTR. When AbstractUnArchiver is used for extraction, an archive could lead to arbitrary file creation and possible remote code execution (RCE). The flaw bypasses the destination directory verification if the archive has an entry in the destination directory that is a symbolic link whose target does not exist. The plexus-archiver is a test-scoped artifact, so it is not included in any of the MTR distributions. (WINDUP-4053)

For more details, see CVE-2023-37460.
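
A destination check that refuses to write through a symbolic link, including one whose target does not exist, as an added example that is not plexus-archiver or MTR code. The class name, method name and sample entry names are assumptions, and the demo assumes a platform where unprivileged processes can create symbolic links.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical extraction guard (not plexus-archiver or MTR code): decides whether
// an archive entry may be written under destDir without following any symlink.
public class SafeExtractCheck {

    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path root = destDir.toRealPath(); // destination must already exist
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        // Check every component below root. isSymbolicLink() does not follow the link,
        // so a dangling link is still seen; Files.exists() would report it as absent.
        Path current = root;
        for (Path part : root.relativize(target)) {
            current = current.resolve(part);
            if (Files.isSymbolicLink(current)) {
                throw new IOException("refusing to write through symlink: " + current);
            }
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract-demo");
        // Constructed state: an earlier entry left a link whose target does not exist.
        Path link = dest.resolve("report.txt");
        Files.createSymbolicLink(link, dest.resolveSibling("missing-" + System.nanoTime()));
        System.out.println("exists (follows link): " + Files.exists(link));
        System.out.println("isSymbolicLink:        " + Files.isSymbolicLink(link));
        for (String name : new String[] {"docs/readme.txt", "report.txt", "../outside.txt"}) {
            try {
                System.out.println(name + " -> " + resolveEntry(dest, name));
            } catch (IOException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
        Files.delete(link);
        Files.delete(dest);
    }
}
```

The check has to run immediately before each entry is written, because an earlier entry in the same archive can create the link.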

EAP 7.3 and EAP 7.4 rules with target EAP 7.0 and above

This MTR release corrects some rules that support migrating to EAP 7.3 and above so that they are ignored if the target is EAP 7.2 or below. (WINDUPRULE-1038)

4. MTR 1.2.1

4.1. Known issues

For a complete list of all known issues, see the list of MTR 1.2.1 known issues in Jira.

4.2. Resolved issues

CVE-2023-44487 netty-codec-http2: HTTP/2

Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack). The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly. (WINDUP-4056)
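
A per-connection counter for the pattern described here and under MTR 1.2.2: streams that are opened and immediately cancelled never count toward the active-stream limit, so the resets themselves have to be limited. This is an added example, not netty or MTR code; the class name, method names and thresholds are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Hypothetical per-connection monitor (not netty or MTR code): counts client
// RST_STREAM frames that cancel a stream shortly after its HEADERS frame.
public class RapidResetMonitor {
    private final long quickCancelMillis; // reset this soon after open counts as rapid
    private final long windowMillis;      // sliding window for the count
    private final int maxRapidResets;     // assumed threshold before flagging
    private final Map<Integer, Long> openedAt = new HashMap<>();
    private final Deque<Long> rapidResets = new ArrayDeque<>();

    RapidResetMonitor(long quickCancelMillis, long windowMillis, int maxRapidResets) {
        this.quickCancelMillis = quickCancelMillis;
        this.windowMillis = windowMillis;
        this.maxRapidResets = maxRapidResets;
    }

    void onHeaders(int streamId, long nowMillis) { openedAt.put(streamId, nowMillis); }

    void onStreamClosed(int streamId) { openedAt.remove(streamId); } // normal completion

    int activeStreams() { return openedAt.size(); }

    // Returns true once the connection should be closed, for example with GOAWAY.
    boolean onRstStream(int streamId, long nowMillis) {
        Long opened = openedAt.remove(streamId);
        if (opened != null && nowMillis - opened <= quickCancelMillis) {
            rapidResets.addLast(nowMillis);
        }
        while (!rapidResets.isEmpty() && nowMillis - rapidResets.peekFirst() > windowMillis) {
            rapidResets.removeFirst();
        }
        return rapidResets.size() > maxRapidResets;
    }

    public static void main(String[] args) {
        RapidResetMonitor monitor = new RapidResetMonitor(50, 1000, 100);
        long now = 0;
        // Constructed frame timeline: each stream is opened and reset 1 ms later.
        for (int streamId = 1; streamId <= 999; streamId += 2, now += 2) {
            monitor.onHeaders(streamId, now);
            if (monitor.onRstStream(streamId, now + 1)) {
                System.out.println("flagged at stream " + streamId
                        + ", active streams = " + monitor.activeStreams());
                break;
            }
        }
    }
}
```

The active-stream count stays at zero when the connection is flagged, which is why a concurrent-stream limit alone does not catch this traffic.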

For a complete list of all issues resolved in this release, see the list of MTR 1.2.1 resolved issues in Jira.

5. MTR 1.2.0

5.1. New features

This section describes the new features of the Migration Toolkit for Runtimes (MTR) 1.2.0.

  1. Decompilation and analysis of applications based on Java 17

  2. Rules Override enhancement: A new condition has been added for overriding an existing rule. In addition to matching rulesetId and ruleId, the target technology in the override ruleset must match one of the targets that the user specified for running the analysis.

  3. Eclipse Plugin Java 17 compatibility

  4. Upgrade of the Windup Operator: Adopted Quarkus 2.13.7.Final and the Quarkus Operator SDK 4.0.8

5.1.1. New rulesets and targets

  1. OpenJDK 21: Rules to support upgrading to OpenJDK 21.

  2. Red Hat JBoss Web Server 6: Rules to support the upgrade of JWS and Tomcat applications to JWS 6 and Tomcat 10.

  3. Camel 4: Comprehensive rulesets supporting upgrade to all Y-stream releases of Camel 3 and Camel 4.

  4. More migration rules to support Red Hat JBoss EAP 8 and Hibernate 6.

  5. Java/Jakarta EE to Quarkus: New rulesets support migrating Java/Jakarta EE applications to Quarkus 3. These rulesets cover the quarkification of the project, along with JAX-RS and CDI technologies. Additional rules that support this migration path are still under development and will be made available in future Z-stream releases.

5.2. Known issues

For a complete list of all known issues, see the list of MTR 1.2.0 known issues in Jira.

5.3. Resolved issues

For a complete list of all issues resolved in this release, see the list of MTR 1.2.0 resolved issues in Jira.