OSG-SEC-2018-04-19 [FOLLOW-UP] Critical Vulnerability in Singularity
Dear OSG Security Contacts,
This is a follow-up to the previously announced Critical vulnerability in singularity. OSG has released a new version singularity-2.4.6 that eliminates the vulnerability. Note that for the security fix the new version puts a restriction on combinations of options that do bind mounts, and this is known to currently cause CMS jobs to fail. CMS was notified but hasn’t yet had the resources to change their production pilot scripts, so CMS sites will probably want to wait to do the upgrade until they get a go-ahead from CMS. Sites that do not upgrade are encouraged to keep the previously announced mitigation in effect until they do upgrade.
All singularity versions from 2.2.1 and later on RHEL7 and its derivatives are affected.
WHAT YOU SHOULD DO:
- Upgrade to singularity-2.4.6 or leave the 'enable overlay = no' mitigation in place.
- When you upgrade, watch for /etc/singularity/singularity.conf.rpmnew and clean it up.
RELATED LINKS: - https://ticket.grid.iu.edu/36742
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team