[RITL] Fw: Apptainer (Singularity) setuid-mode Vulnerability (CVE-2022-1184)

Chuck Forsyth charles.forsyth at ucr.edu
Thu Apr 27 12:17:05 PDT 2023


FYI for our clusters that run containers.
________________________________
From: cv-announce at trustedci.org <cv-announce at trustedci.org> on behalf of Fleury, Terry <tfleury at illinois.edu>
Sent: Thursday, April 27, 2023 2:44 PM
To: cv-announce at trustedci.org <cv-announce at trustedci.org>
Subject: Apptainer (Singularity) setuid-mode Vulnerability (CVE-2022-1184)


CI Operators:

Apptainer (formerly Singularity) has released an update to address a vulnerability [1] in setuid-root Apptainer installations which exposes local users to an unpatched use-after-free kernel vulnerability [2]. Note that this use-after-free vulnerability was patched in November 2022 for newer Linux distributions. However older unpatched Linux distributions, including RHEL 7 [3], Debian 10 "buster" [4], Ubuntu 18.04 "bionic", and Ubuntu 20.04 "focal" [5] are vulnerable.



Impact:

The use-after-free vulnerability can be exploited to attack the kernel for denial of service (DoS) and possible privilege escalation.



Affected Software:

  *   Apptainer < v1.1.0
  *   Installations that include apptainer-suid < v1.1.8
  *   Singularity, all versions



Recommendation:

Update to the latest version of Apptainer [6] if you are using a Linux distribution which does not have a patch for the use-after-free vulnerability. Updated RHEL 7 packages can be found in EPEL's "epel-testing" repository.



If you cannot update your Apptainer/Singularity installation now, there are two suggested "workarounds" listed at the bottom of the advisory [1].



References:

[1] https://github.com/advisories/GHSA-j4rf-7357-f4cg

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184

[3] https://access.redhat.com/security/cve/cve-2022-1184

[4] https://security-tracker.debian.org/tracker/CVE-2022-1184

[5] https://ubuntu.com/security/CVE-2022-1184

[6] https://github.com/apptainer/apptainer/releases/tag/v1.1.8



How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

You are receiving this message because you are subscribed to cv-announce at trustedci.org (cv-announce+subscribe at trustedci.org). The archive of previous alerts (https://groups.google.com/a/trustedci.org/g/cv-announce) is publicly accessible. If you prefer not to receive future alerts, you can unsubscribe (cv-announce+unsubscribe at trustedci.org).

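The affected-software list above, applied to one installation as a triage helper. This is an added example, not code from the advisory, Trusted CI or the Apptainer project; it assumes `apptainer --version` / `singularity --version` print `<name> version X.Y.Z[...]`, and that a packaged setuid install places its starter at `/usr/libexec/apptainer/bin/starter-suid`.

```python
import os
import re
import stat
from typing import Tuple

# Affected ranges exactly as listed in the advisory above.
APPTAINER_FIXED = (1, 1, 0)       # Apptainer < v1.1.0 is affected
APPTAINER_SUID_FIXED = (1, 1, 8)  # apptainer-suid < v1.1.8 is affected

# Assumed location of the setuid-root starter in a packaged Apptainer install.
DEFAULT_STARTER_SUID = "/usr/libexec/apptainer/bin/starter-suid"

_VERSION_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*)\s+version\s+v?(?P<ver>\d+(?:\.\d+)*)")


def parse_version_line(line: str) -> Tuple[str, Tuple[int, int, int]]:
    """Parse '<name> version X.Y.Z[...]' (assumed `--version` format) into
    (name, (X, Y, Z)); a packaging suffix such as '-1.el7' is ignored."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    parts = [int(p) for p in m.group("ver").split(".")][:3]
    parts += [0] * (3 - len(parts))  # pad '1.1' to (1, 1, 0)
    return m.group("name").lower(), tuple(parts)  # type: ignore[return-value]


def setuid_starter_present(path: str = DEFAULT_STARTER_SUID) -> bool:
    """True if a root-owned setuid starter exists at `path`, i.e. setuid mode is installed."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def is_affected(version_line: str, suid_installed: bool) -> Tuple[bool, str]:
    """Apply the advisory's affected-software list; returns (affected, reason)."""
    name, ver = parse_version_line(version_line)
    vstr = ".".join(map(str, ver))
    if name.startswith("singularity"):
        return True, f"{name} {vstr}: Singularity, all versions, is affected"
    if name != "apptainer":
        raise ValueError(f"not an Apptainer/Singularity version line: {version_line!r}")
    if ver < APPTAINER_FIXED:
        return True, f"apptainer {vstr} < 1.1.0 is affected"
    if suid_installed and ver < APPTAINER_SUID_FIXED:
        return True, f"apptainer-suid {vstr} < 1.1.8 is affected"
    return False, f"apptainer {vstr} (setuid starter: {suid_installed}) is not in an affected range"
```

On a cluster node, feed it the output of `apptainer --version` together with `setuid_starter_present()`; a non-setuid Apptainer install reports as not affected, matching the advisory's scope of setuid-root installations.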