[RITL] FW: [cv-announce-l] Singularity Vulnerabilities (CVE-2020-25039 and CVE-2020-25040)

Chuck Forsyth charles.forsyth at ucr.edu
Wed Sep 16 13:25:17 PDT 2020


Forwarding this as we have some groups that use Singularity containers.

Regards,
Chuck Forsyth

From: Terry Fleury <tfleury at illinois.edu>
Sent: Wednesday, September 16, 2020 1:21 PM
To: cv-announce at trustedci.org
Subject: [cv-announce-l] Singularity Vulnerabilities (CVE-2020-25039 and CVE-2020-25040)


CI Operators:

Singularity has released v3.6.3 [1] which addresses two security vulnerabilities. These vulnerabilities involve insecure permissions on temporary directories when a container is executed (CVE-2020-25039 [2,3]) or built (CVE-2020-25040 [4,5]). In both cases, a user with access to the system could read information from and/or write arbitrary data to the temporary directories.


Impact:

A user with access to the system could read sensitive information from a temporary directory, or inject arbitrary content into a temporary build directory, allowing for unvetted code execution when the container is run.


Affected Software:

* Singularity < v3.6.3


Recommendation:

Upgrade to Singularity v3.6.3 at your earliest convenience. The issue is mitigated if TMPDIR is set to a location that is accessible only to the user, as any subdirectories directly under TMPDIR cannot be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this mitigation.
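As an added illustration (not part of the advisory or of the Singularity project), the following POSIX shell script checks a host against the two conditions described above: whether the installed Singularity is older than the fixed v3.6.3, and whether the directory named by TMPDIR (defaulting to /tmp) is owned by the calling user with no group or other permission bits, which is the condition under which the advisory says scratch directories cannot be reached by other users. The parsing of `singularity --version` output assumes it prints a line of the form "singularity version 3.6.2"; that format and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory: checks an installed Singularity
# version and the privacy of TMPDIR against the advisory's guidance.

# Return 0 if version $1 sorts before version $2 (a leading "v" is ignored).
version_lt() {
    v1=$(printf '%s' "$1" | sed 's/^v//')
    v2=$(printf '%s' "$2" | sed 's/^v//')
    [ "$v1" = "$v2" ] && return 1
    first=$(printf '%s\n%s\n' "$v1" "$v2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$v1" ]
}

# Return 0 when a version string such as "singularity version 3.6.2"
# (assumed output format of `singularity --version`) is older than 3.6.3,
# 1 when it is 3.6.3 or newer, and 2 when no version could be parsed.
singularity_vulnerable() {
    ver=$(printf '%s' "$1" | sed -n 's/.*version[[:space:]]*v\{0,1\}\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    version_lt "$ver" 3.6.3
}

# Return 0 if directory $1 is owned by the calling uid and its group/other
# permission bits are all clear (mode like drwx------), else 1.
# Uses `ls -ldn` so the check works on both GNU and BSD userlands.
tmpdir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3
    [ "$uid" = "$(id -u)" ] || return 1
    case "$mode" in
        ????------*) return 0 ;;   # trailing "+"/"@" for ACL/xattr markers is tolerated
        *) return 1 ;;
    esac
}

main() {
    if command -v singularity >/dev/null 2>&1; then
        singularity_vulnerable "$(singularity --version 2>/dev/null)"
        case $? in
            0) echo "singularity is older than v3.6.3: upgrade (CVE-2020-25039, CVE-2020-25040)" ;;
            1) echo "singularity is v3.6.3 or newer" ;;
            *) echo "could not parse singularity version output" ;;
        esac
    else
        echo "singularity not found on PATH"
    fi

    tmp=${TMPDIR:-/tmp}
    if tmpdir_is_private "$tmp"; then
        echo "TMPDIR ($tmp) is private to uid $(id -u): scratch directories under it are not reachable by other users"
    else
        echo "TMPDIR ($tmp) is shared: on Singularity older than v3.6.3 its scratch directories are exposed to other local users"
    fi
}

main "$@"
```

Run it as the account that executes or builds containers, since both the ownership comparison and the TMPDIR value are per-user; a private TMPDIR only reduces exposure, and the advisory's recommendation remains the upgrade itself.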


References:

[1] https://github.com/hpcng/singularity/releases/tag/v3.6.3

[2] https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25039

[4] https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762

[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25040


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

