Security issue in Singularity 3.5 - 3.6 (unsupported open source versions)

26 views
Skip to first unread message

David Trudgian

unread,
Jun 9, 2021, 5:41:47 PMJun 9
to Singularity Community Edition
As part of our long-term support work for SingularityPRO 3.5, Sylabs identified a security issue in Singularity 3.5.x & 3.6.x. Open source versions of Singularity 3.5.x & 3.6.x are no longer supported, and are not patched. This security issue is not relevant to the currently supported open source release of SingularityCE 3.8.0, nor Singularity 3.7.4.
  • CVE-2021-33622: If a custom remote endpoint is unavailable, or does not return a correct response, the action command will incorrectly fall back to using the default cloud.sylabs.io endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint. If the user's configured custom remote is inaccessible, either by co-incidence or through malicious action, a user may execute the malicious container. Note that this issue is distinct from CVE-2021-32635, which was addressed in the SingularityPRO 3.7-4 security release, as the circumstances that would result in execution of a malicious container are more limited, and remediation is different.
Following our security policy, a diff of the security content of the SingularityPRO 3.5 release is being provided at the URL below:

https://repo.sylabs.io/security/2021/CVE-2021-33622-35.diff

We strongly advise upgrading to the latest open source release vs tracking and applying individual patches.

edward kornkven

unread,
Jun 17, 2021, 5:43:15 PMJun 17
to Singularity Community Edition
Is version 3.7.3 free of this vulnerability?

Thanks,
Ed

David Trudgian

unread,
Jun 17, 2021, 6:02:05 PMJun 17
to Singularity Community Edition
3.7.3 does not contain the CVE-2021-33622... this exact vulnerability was *only* "in Singularity 3.5.x & 3.6.x".

However 3.7.3 *does* contain a security issue CVE-2021-32635 which is similar, but has a different, broader scope.

You should update to 3.7.4 or 3.8.0. You can see the details of the 3.7.4 security release from May 26th here:

https://groups.google.com/g/singularity-ce/c/QQBJKdJ_weQ
https://github.com/sylabs/singularity/releases/tag/v3.7.4

Cheers,

DT
Reply all
Reply to author
Forward
0 new messages