Apptainer (Singularity) setuid-mode Vulnerability (CVE-2022-1184)


Fleury, Terry

Apr 27, 2023, 2:44:38 PM
to cv-an...@trustedci.org

CI Operators:

Apptainer (formerly Singularity) has released an update to address a vulnerability [1] in setuid-root Apptainer installations that exposes local users to an unpatched use-after-free kernel vulnerability [2]. Note that this use-after-free vulnerability was patched in November 2022 for newer Linux distributions. However, older unpatched Linux distributions, including RHEL 7 [3], Debian 10 "buster" [4], Ubuntu 18.04 "bionic", and Ubuntu 20.04 "focal" [5], remain vulnerable.

Impact:

The use-after-free vulnerability can be exploited to attack the kernel for denial of service (DoS) and possible privilege escalation.

Affected Software:

  • Apptainer < v1.1.0
  • Installations that include apptainer-suid < v1.1.8
  • Singularity, all versions


Recommendation:

Update to the latest version of Apptainer [6] if you are using a Linux distribution that does not have a patch for the use-after-free vulnerability. Updated RHEL 7 packages can be found in EPEL's "epel-testing" repository.
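As an added triage helper (not part of the advisory, nor code from the Apptainer project), the script below encodes the "Affected Software" ranges above so an operator can classify an installation before deciding whether the update or a workaround applies. The setuid starter path in STARTER_SUID_PATH is an assumption about where packaged installs place it; the `--version` lines at the bottom are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added triage helper, not code from the Trusted CI advisory or the Apptainer
# project. It encodes the advisory's three "Affected Software" bullets.
# STARTER_SUID_PATH is an assumption about where packaged installs put the
# setuid starter; override it in the environment if your layout differs.

STARTER_SUID_PATH=${STARTER_SUID_PATH:-/usr/libexec/apptainer/bin/starter-suid}

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# A leading "v" (release tags look like v1.1.8) and any distro or rc suffix
# ("1.1.8-1.el7", "1.1.8rc1") are ignored; missing components count as 0.
version_lt() {
  a=$(printf '%s\n' "${1#v}" | sed 's/[^0-9.].*$//')
  b=$(printf '%s\n' "${2#v}" | sed 's/[^0-9.].*$//')
  oldifs=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# True (exit 0) when the path exists and carries the setuid bit, i.e. the
# installation runs in setuid mode.
starter_is_setuid() { [ -u "$1" ]; }

# "apptainer version 1.1.8" -> "apptainer 1.1.8" (tool name and version).
parse_version_line() {
  set -- $1
  printf '%s %s\n' "$1" "$3"
}

# Verdict for one installation, following the advisory's bullets in order:
#   $1 tool name as printed by --version (apptainer, singularity, singularity-ce)
#   $2 version string
#   $3 "yes" when a setuid starter (apptainer-suid) is installed, else "no"
classify_install() {
  case $1 in
    singularity*) echo "AFFECTED: Singularity, all versions" ;;
    apptainer)
      if version_lt "$2" 1.1.0; then
        echo "AFFECTED: Apptainer < v1.1.0"
      elif [ "$3" = yes ] && version_lt "$2" 1.1.8; then
        echo "AFFECTED: apptainer-suid < v1.1.8"
      else
        echo "NOT AFFECTED by this advisory: $1 $2 (setuid starter: $3)"
      fi ;;
    *) echo "UNKNOWN: $1 is not Apptainer or Singularity" ;;
  esac
}

# Boolean wrapper around classify_install: exit 0 when the verdict is AFFECTED.
is_affected() {
  case $(classify_install "$@") in AFFECTED*) return 0 ;; *) return 1 ;; esac
}

# Classify the host's own installation if one is on PATH; otherwise say so.
check_host() {
  for tool in apptainer singularity; do
    command -v "$tool" >/dev/null 2>&1 || continue
    line=$("$tool" --version 2>/dev/null) || continue
    set -- $(parse_version_line "$line")
    suid=no; starter_is_setuid "$STARTER_SUID_PATH" && suid=yes
    classify_install "$1" "$2" "$suid"
    return 0
  done
  echo "No apptainer/singularity binary found on PATH"
}

# Constructed sample --version outputs ("line|setuid starter present?").
for sample in "apptainer version 1.0.3|no" "apptainer version 1.1.7|yes" \
              "apptainer version 1.1.8|yes" "singularity version 3.8.7|yes"; do
  line=${sample%|*}; suid=${sample#*|}
  set -- $(parse_version_line "$line")
  printf '%-32s -> %s\n' "$line" "$(classify_install "$1" "$2" "$suid")"
done
check_host
```

The version comparison deliberately strips packaging suffixes such as `-1.el7`, so the EPEL build of 1.1.8 compares equal to the upstream 1.1.8 release tag rather than being misread as older. A "NOT AFFECTED" verdict only means the installation falls outside this advisory's ranges; whether the host's kernel itself has the CVE-2022-1184 fix is a separate check against the distribution trackers cited above.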

If you cannot update your Apptainer/Singularity installation now, there are two suggested workarounds listed at the bottom of the advisory [1].

References:

[1] https://github.com/advisories/GHSA-j4rf-7357-f4cg

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184

[3] https://access.redhat.com/security/cve/cve-2022-1184

[4] https://security-tracker.debian.org/tracker/CVE-2022-1184

[5] https://ubuntu.com/security/CVE-2022-1184

[6] https://github.com/apptainer/apptainer/releases/tag/v1.1.8

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

