Security issue in Singularity 3.5 - 3.6 (unsupported open source versions)


David Trudgian

Jun 9, 2021, 5:41:47 PM
to Singularity Community Edition
As part of our long-term support work for SingularityPRO 3.5, Sylabs identified a security issue in Singularity 3.5.x & 3.6.x. Open source versions of Singularity 3.5.x & 3.6.x are no longer supported, and are not patched. This security issue is not relevant to the currently supported open source release of SingularityCE 3.8.0, nor Singularity 3.7.4.
  • CVE-2021-33622: If a custom remote endpoint is unavailable, or does not return a correct response, the action command will incorrectly fall back to using the default cloud.sylabs.io endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint. If the user's configured custom remote is inaccessible, either by coincidence or through malicious action, a user may execute the malicious container. Note that this issue is distinct from CVE-2021-32635, which was addressed in the SingularityPRO 3.7-4 security release, as the circumstances that would result in execution of a malicious container are more limited, and remediation is different.
Following our security policy, a diff of the security content of the SingularityPRO 3.5 release is being provided at the URL below:

https://repo.sylabs.io/security/2021/CVE-2021-33622-35.diff

We strongly advise upgrading to the latest open source release vs tracking and applying individual patches.
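The fallback behaviour described in the advisory above, shown as an added example (not Sylabs' code and not the content of the linked diff): a flawed resolver that silently substitutes the default endpoint when the configured remote fails its health probe, beside a fail-closed resolver that refuses to run when the configured remote is unreachable. The function names, the `/version` probe path, and the `registry.example.internal` hostname are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// defaultEndpoint stands in for the public default library endpoint.
const defaultEndpoint = "https://cloud.sylabs.io"

var errRemoteUnavailable = errors.New("configured remote endpoint unavailable")

// probe reports whether an endpoint answers correctly. Hypothetical type.
type probe func(endpoint string) error

// resolveEndpointFallback reproduces the flawed pattern: any failure of the
// configured remote quietly redirects the pull to the default endpoint, so a
// URI that was meant to name an image on a private registry now names an image
// on a public one.
func resolveEndpointFallback(configured string, p probe) string {
	if configured == "" || p(configured) != nil {
		return defaultEndpoint
	}
	return configured
}

// resolveEndpointFailClosed only uses the default endpoint when no custom remote
// is configured at all. An unreachable custom remote is an error, never a reason
// to talk to a different server than the one the user chose.
func resolveEndpointFailClosed(configured string, p probe) (string, error) {
	if configured == "" {
		return defaultEndpoint, nil
	}
	if err := p(configured); err != nil {
		return "", fmt.Errorf("%w: %s: %v", errRemoteUnavailable, configured, err)
	}
	return configured, nil
}

// httpProbe is a hypothetical health check: a GET on /version must return 200.
func httpProbe(endpoint string) error {
	resp, err := http.Get(endpoint + "/version")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

func main() {
	// Constructed stand-in for a custom remote that is down: every request fails.
	broken := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "service unavailable", http.StatusServiceUnavailable)
	}))
	defer broken.Close()

	custom := broken.URL // plays the role of https://registry.example.internal
	fmt.Println("flawed resolver  :", resolveEndpointFallback(custom, httpProbe))
	if ep, err := resolveEndpointFailClosed(custom, httpProbe); err != nil {
		fmt.Println("fail-closed      : refusing to run:", err)
	} else {
		fmt.Println("fail-closed      :", ep)
	}
}
```

Running the block prints the default endpoint for the flawed resolver and an error for the fail-closed one; the point for a defender is that an outage of the private remote, whatever its cause, must surface as a failed command rather than as a transparent change of image source.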

edward kornkven

Jun 17, 2021, 5:43:15 PM
to Singularity Community Edition
Is version 3.7.3 free of this vulnerability?

Thanks,
Ed

David Trudgian

Jun 17, 2021, 6:02:05 PM
to Singularity Community Edition
3.7.3 does not contain CVE-2021-33622... this exact vulnerability was *only* "in Singularity 3.5.x & 3.6.x".

However, 3.7.3 *does* contain a security issue, CVE-2021-32635, which is similar but has a different, broader scope.

You should update to 3.7.4 or 3.8.0. You can see the details of the 3.7.4 security release from May 26th here:

https://groups.google.com/g/singularity-ce/c/QQBJKdJ_weQ
https://github.com/sylabs/singularity/releases/tag/v3.7.4

Cheers,

DT