As part of our long-term support work for SingularityPRO 3.5, Sylabs identified a security issue in Singularity 3.5.x & 3.6.x. Open source versions of Singularity 3.5.x & 3.6.x are no longer supported and are not patched. This security issue does not affect the currently supported open source release of SingularityCE 3.8.0, nor Singularity 3.7.4.
- CVE-2021-33622: If a custom remote endpoint is unavailable, or does not return a correct response, the action command will incorrectly fall back to using the default cloud.sylabs.io endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint. If the user's configured custom remote is inaccessible, either by coincidence or through malicious action, the user may execute the malicious container. Note that this issue is distinct from CVE-2021-32635, which was addressed in the SingularityPRO 3.7-4 security release: the circumstances that would result in execution of a malicious container are more limited, and the remediation is different.
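As an added illustration (not Singularity's code and not taken from the linked diff), the following Go sketch contrasts the fail-open fallback the advisory describes with a fail-closed resolver that refuses to substitute a different endpoint; the probe callback, the placeholder remote URI and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// defaultEndpoint is the public library the advisory names as the fallback target.
const defaultEndpoint = "https://cloud.sylabs.io"

// ErrRemoteUnavailable is returned when the configured remote cannot be used.
var ErrRemoteUnavailable = errors.New("configured remote endpoint unavailable or returned an invalid response")

// Probe checks an endpoint and returns nil only if it answered correctly.
// It is injected so the example runs offline (assumption: a hypothetical helper).
type Probe func(uri string) error

// resolveEndpointVulnerable mirrors the flawed behaviour: a configured remote that
// is down or misbehaving silently degrades to the default public endpoint, so a
// library:// URI that the user expects to resolve against their own remote is
// fetched from cloud.sylabs.io instead.
func resolveEndpointVulnerable(configured string, probe Probe) string {
	if configured != "" && probe(configured) == nil {
		return configured
	}
	return defaultEndpoint // fail-open: wrong origin for the same URI
}

// resolveEndpointFixed fails closed: only an explicitly unset remote may use the
// default; an unreachable or misbehaving custom remote is a hard error.
func resolveEndpointFixed(configured string, probe Probe) (string, error) {
	if configured == "" {
		return defaultEndpoint, nil
	}
	if err := probe(configured); err != nil {
		return "", fmt.Errorf("%w: %s: %v", ErrRemoteUnavailable, configured, err)
	}
	return configured, nil
}

func main() {
	custom := "https://library.example.internal" // constructed placeholder remote
	down := func(string) error { return errors.New("connection refused") }
	fmt.Println("vulnerable resolver uses:", resolveEndpointVulnerable(custom, down))
	if _, err := resolveEndpointFixed(custom, down); err != nil {
		fmt.Println("fixed resolver aborts:", err)
	}
}
```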
Following our security policy, a diff of the security content of the SingularityPRO 3.5 release is being provided at the URL below: https://repo.sylabs.io/security/2021/CVE-2021-33622-35.diff
We strongly advise upgrading to the latest open source release rather than tracking and applying individual patches.