<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
FYI for our clusters that run containers.</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> cv-announce@trustedci.org <cv-announce@trustedci.org> on behalf of Fleury, Terry <tfleury@illinois.edu><br>
<b>Sent:</b> Thursday, April 27, 2023 2:44 PM<br>
<b>To:</b> cv-announce@trustedci.org <cv-announce@trustedci.org><br>
<b>Subject:</b> Apptainer (Singularity) setuid-mode Vulnerability (CVE-2022-1184)</font>
<div> </div>
</div>
<style>
<!--
@font-face
{font-family:Wingdings}
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
a:link, span.x_MsoHyperlink
{color:#0563C1;
text-decoration:underline}
a:visited, span.x_MsoHyperlinkFollowed
{color:#954F72;
text-decoration:underline}
span.x_EmailStyle17
{font-family:"Calibri",sans-serif;
color:windowtext}
span.x_SpellE
{}
.x_MsoChpDefault
{font-family:"Calibri",sans-serif}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
{}
ol
{margin-bottom:0in}
ul
{margin-bottom:0in}
-->
</style>
<div lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="x_WordSection1">
<p style="margin:0in"><b><span style="font-family:"Arial",sans-serif; color:black">CI Operators</span></b><span style="font-family:"Arial",sans-serif; color:black">:</span></p>
<p style="margin:0in"><span class="x_SpellE"><span style="font-family:"Arial",sans-serif; color:black">Apptainer</span></span><span style="font-family:"Arial",sans-serif; color:black"> (formerly Singularity) has released an update to address a vulnerability
[1] in <span class="x_SpellE">setuid</span>-root <span class="x_SpellE">Apptainer</span> installations which exposes local users to an unpatched use-after-free kernel vulnerability [2]. Note that this use-after-free vulnerability was patched in November 2022
for newer Linux distributions. However older unpatched Linux distributions, including RHEL 7 [3], Debian 10 "buster" [4], Ubuntu 18.04 "bionic", and Ubuntu 20.04 "focal" [5] are vulnerable.</span></p>
<p class="x_MsoNormal"> </p>
<p style="margin:0in"><b><span style="font-family:"Arial",sans-serif; color:black">Impact</span></b><span style="font-family:"Arial",sans-serif; color:black">:</span></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">The use-after-free vulnerability can be exploited to attack the kernel for denial of service (DoS) and possible privilege escalation. </span></p>
<p class="x_MsoNormal"> </p>
<p style="margin:0in"><b><span style="font-family:"Arial",sans-serif; color:black">Affected Software</span></b><span style="font-family:"Arial",sans-serif; color:black">: </span></p>
<ul type="disc" style="margin-top:0in">
<li style="color:black; margin-top:0in; margin-bottom:0in; vertical-align:baseline">
<span class="x_SpellE"><span style="font-family:"Arial",sans-serif">Apptainer</span></span><span style="font-family:"Arial",sans-serif"> < v1.1.0</span></li><li style="color:black; margin-top:0in; margin-bottom:0in; vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">Installations that include <span class="x_SpellE">
apptainer-suid</span> < v1.1.8</span></li><li style="color:black; margin-top:0in; margin-bottom:0in; vertical-align:baseline">
<span style="font-family:"Arial",sans-serif">Singularity, all versions</span></li></ul>
<p class="x_MsoNormal"><span style=""> </span></p>
<p style="margin:0in"><b><span style="font-family:"Arial",sans-serif; color:black">Recommendation</span></b><span style="font-family:"Arial",sans-serif; color:black">:</span></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">Update to the latest version of
<span class="x_SpellE">Apptainer</span> [6] if you are using a Linux distribution which does not have a patch for the use-after-free vulnerability. Updated RHEL 7 packages can be found in EPEL's "<span class="x_SpellE">epel</span>-testing" repository. </span></p>
<p class="x_MsoNormal"> </p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">If you cannot update your
<span class="x_SpellE">Apptainer</span>/Singularity installation now, there are two suggested "workarounds" listed at the bottom of the advisory [1]. </span></p>
<p class="x_MsoNormal"> </p>
<p style="margin:0in"><b><span style="font-family:"Arial",sans-serif; color:black">References</span></b><span style="font-family:"Arial",sans-serif; color:black">:</span></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">[1]
</span><a href="https://github.com/advisories/GHSA-j4rf-7357-f4cg"><span style="font-family:"Arial",sans-serif; color:#1155CC">https://github.com/advisories/GHSA-j4rf-7357-f4cg</span></a><span style="font-family:"Arial",sans-serif; color:black"> </span></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">[2]
</span><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184"><span style="font-family:"Arial",sans-serif; color:#1155CC">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184</span></a><span style="font-family:"Arial",sans-serif; color:black"> </span></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">[3]
</span><a href="https://access.redhat.com/security/cve/cve-2022-1184"><span style="font-family:"Arial",sans-serif; color:#1155CC">https://access.redhat.com/security/cve/cve-2022-1184</span></a></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">[4]
</span><a href="https://security-tracker.debian.org/tracker/CVE-2022-1184"><span style="font-family:"Arial",sans-serif; color:#1155CC">https://security-tracker.debian.org/tracker/CVE-2022-1184</span></a></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">[5]
</span><a href="https://ubuntu.com/security/CVE-2022-1184"><span style="font-family:"Arial",sans-serif; color:#1155CC">https://ubuntu.com/security/CVE-2022-1184</span></a><span style="font-family:"Arial",sans-serif; color:black"> </span></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">[6]
</span><a href="https://github.com/apptainer/apptainer/releases/tag/v1.1.8"><span style="font-family:"Arial",sans-serif; color:#1155CC">https://github.com/apptainer/apptainer/releases/tag/v1.1.8</span></a><span style="font-family:"Arial",sans-serif; color:black"> </span></p>
<p class="x_MsoNormal" style="margin-bottom:12.0pt"> </p>
<p style="margin:0in"><b><span style="font-family:"Arial",sans-serif; color:black">How Trusted CI can help</span></b><span style="font-family:"Arial",sans-serif; color:black">:</span></p>
<p style="margin:0in"><span style="font-family:"Arial",sans-serif; color:black">The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment.
Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (</span><a href="https://trustedci.org/help/"><span style="font-family:"Arial",sans-serif; color:#1155CC">https://trustedci.org/help/</span></a><span style="font-family:"Arial",sans-serif; color:black">)
if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.</span></p>
<p class="x_MsoNormal"><br>
<span style="font-family:"Arial",sans-serif; color:black">You are receiving this message because you are subscribed to
</span><a href="mailto:cv-announce+subscribe@trustedci.org"><span style="font-family:"Arial",sans-serif; color:#1155CC">cv-announce@trustedci.org</span></a><span style="font-family:"Arial",sans-serif; color:black">.
</span><a href="https://groups.google.com/a/trustedci.org/g/cv-announce"><span style="font-family:"Arial",sans-serif; color:#1155CC">The archive of previous alerts</span></a><span style="font-family:"Arial",sans-serif; color:black"> is publicly accessible.
If you prefer not to receive future alerts, </span><a href="mailto:cv-announce+unsubscribe@trustedci.org"><span style="font-family:"Arial",sans-serif; color:#1155CC">you can unsubscribe</span></a><span style="font-family:"Arial",sans-serif; color:black">.</span></p>
</div>
<p></p>
-- <br>
You received this message because you are subscribed to the Google Groups "cv-announce@trustedci.org" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an email to
<a href="mailto:cv-announce+unsubscribe@trustedci.org">cv-announce+unsubscribe@trustedci.org</a>.<br>
To view this discussion on the web visit <a href="https://groups.google.com/a/trustedci.org/d/msgid/cv-announce/CH0PR11MB5707BC933F6572997B305619DE6A9%40CH0PR11MB5707.namprd11.prod.outlook.com?utm_medium=email&utm_source=footer">
https://groups.google.com/a/trustedci.org/d/msgid/cv-announce/CH0PR11MB5707BC933F6572997B305619DE6A9%40CH0PR11MB5707.namprd11.prod.outlook.com</a>.<br>
</div>
</body>
</html>