CI Operators:
Apptainer (formerly Singularity) has released an update to address a vulnerability [1] in setuid-root Apptainer installations. Because setuid-root Apptainer lets unprivileged local users mount ext4 filesystem images, it gives those users a path to an unpatched use-after-free vulnerability in the kernel's ext4 code [2]. Note that the kernel fix for this use-after-free was shipped in November 2022 for newer Linux distributions. However, older distributions that have not received the kernel patch, including RHEL 7 [3], Debian 10 "buster" [4], Ubuntu 18.04 "bionic", and Ubuntu 20.04 "focal" [5], remain vulnerable.
Impact:
A local user who can run setuid-root Apptainer can trigger the kernel use-after-free by mounting a crafted ext4 image. The result is at least a kernel crash (denial of service) and possibly escalation to root.
Affected Software:
Recommendation:
If your Linux distribution does not have a kernel patch for the use-after-free vulnerability, update to Apptainer 1.1.8 or later [6]. Updated RHEL 7 packages can be found in EPEL's "epel-testing" repository.
If you cannot update your Apptainer/Singularity installation now, the advisory [1] lists two suggested workarounds at the bottom of the page.
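The shell helper below is an added triage example for this alert; it is not part of the Trusted CI advisory or of the Apptainer project. It parses "apptainer --version" output, decides whether the installed version predates 1.1.8 [6], and checks whether apptainer.conf disables setuid-root mounting of ext4 images. The configuration path /etc/apptainer/apptainer.conf and the option name "allow setuid-mount extfs" (introduced in Apptainer 1.1.8) are assumptions that should be verified against your installation and the advisory [1]; legacy Singularity uses a different version numbering and is not handled here.

```shell
#!/bin/sh
# Added triage helper for the Apptainer advisory (CVE-2022-1184 exposure).
# Not part of the Trusted CI alert or the Apptainer project.

# Return 0 if version $1 (e.g. "1.1.6") is older than $2 (e.g. "1.1.8").
# Compares the first three dotted numeric fields; a trailing package
# release such as "-1.el7" is ignored.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s\n' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Extract the bare version from "apptainer --version" output,
# e.g. "apptainer version 1.1.6-1.el7" -> "1.1.6".
parse_version() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the version string in $1 is below the fixed release 1.1.8,
# 1 if it is at or above it, 2 if the string could not be parsed.
needs_update() {
    v=$(parse_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "1.1.8"
}

# Return 0 if the configuration file disables setuid-root ext4 image mounts.
# The option name is the one introduced in Apptainer 1.1.8; the default
# file path is an assumption.
extfs_mount_disabled() {
    conf="${1:-/etc/apptainer/apptainer.conf}"
    grep -Eq '^[[:space:]]*allow setuid-mount extfs[[:space:]]*=[[:space:]]*no' "$conf" 2>/dev/null
}

# Live check of the local host; runs only when invoked with --check so the
# functions above can also be sourced from another script.
if [ "${1:-}" = "--check" ]; then
    if command -v apptainer >/dev/null 2>&1; then
        out=$(apptainer --version 2>/dev/null)
        if needs_update "$out"; then
            echo "apptainer $(parse_version "$out"): older than 1.1.8, update or apply a workaround from the advisory"
        else
            echo "apptainer $(parse_version "$out"): at or above 1.1.8"
        fi
    else
        echo "apptainer not found in PATH"
    fi
    if extfs_mount_disabled; then
        echo "apptainer.conf: setuid-root ext4 image mounts are disabled"
    else
        echo "apptainer.conf: 'allow setuid-mount extfs = no' not found (or file missing)"
    fi
fi
```

Run it as "sh check-apptainer.sh --check" on each node. Version comparison is done numerically per field rather than with a string compare so that a future 1.1.10 is not mistaken for something older than 1.1.8; the kernel patch state of the host still has to be checked separately against the distribution trackers [3][4][5].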
References:
[1] https://github.com/advisories/GHSA-j4rf-7357-f4cg
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184
[3] https://access.redhat.com/security/cve/cve-2022-1184
[4] https://security-tracker.debian.org/tracker/CVE-2022-1184
[5] https://ubuntu.com/security/CVE-2022-1184
[6] https://github.com/apptainer/apptainer/releases/tag/v1.1.8
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
You are receiving this message because you are subscribed to
cv-an...@trustedci.org.
The archive of previous alerts is publicly accessible. If
you prefer not to receive future alerts, you can unsubscribe.