OSG-SEC-2019-05-14 Vulnerability in Singularity

Dear OSG users,

Impacted: Singularity 3.x.x, all versions
Severity: High

The OSG Security Team wants to inform you that a high-severity vulnerability has been announced for privileged installations of all Singularity 3.x.x versions. A new version with a fix for the vulnerability is being prepared by OSG. The current primary Singularity version supported by OSG, version 2.6.1, is not vulnerable. OSG does, however, support a 3.x.x version in the osg-upcoming yum repository, and some sites have installed it.

We will send a follow-up announcement when a new version is available, but meanwhile there is a mitigation, described below.


If you are using privileged Singularity 3.x.x on a RHEL7-based distribution, then while waiting for the new version either downgrade to version 2.6.1 or enable unprivileged Singularity [1] and set

    allow setuid = no

in singularity.conf.

If you are using Singularity 3.x.x on a RHEL6-based distribution, downgrade to version 2.6.1.


A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing//. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host [2] [3].
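The following audit script is an added example and is not part of the OSG advisory or of the Singularity project. It checks the two conditions the advisory describes: whether the `allow setuid = no` mitigation is actually in effect in singularity.conf (a commented-out line does not count, and a missing key is assumed to default to `yes`), and whether any files under the instances directory are writable by other users. The config path and the `starter-suid` location are assumptions; the instances directory comes from the advisory.

```shell
#!/bin/sh
# Added example, not part of the OSG advisory or the Singularity project.
# Audits the mitigation ("allow setuid = no") and the file-permission
# condition described in the advisory.
# Assumptions (not stated in the advisory): the config path below is the
# package default, and a missing "allow setuid" key behaves as "yes".

DEFAULT_CONF=/etc/singularity/singularity.conf        # assumed path
DEFAULT_INSTANCES=/run/singularity/instances          # from the advisory

# Print the effective "allow setuid" value from a singularity.conf.
# Lines starting with '#' are ignored, the last active assignment wins,
# and an absent key is reported as the assumed default "yes".
singularity_allow_setuid() {
    conf=$1
    val=$(sed -n 's/^[[:space:]]*allow setuid[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$val" ]; then
        echo yes
    else
        printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
    fi
}

# Exit status 0 when the mitigation is in place (allow setuid = no), 1 otherwise.
check_mitigation() {
    [ "$(singularity_allow_setuid "$1")" = no ]
}

# List regular files under an instances directory that are writable by
# "other": these are the files a local user could tamper with.
list_other_writable() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -o=w 2>/dev/null
}

# Exit status 0 when the given starter-suid binary still carries the
# setuid bit, i.e. the privileged workflow is still active.
starter_is_setuid() {
    [ -u "$1" ]
}

# Demonstration on a constructed config file (not a real host). On a node,
# pass $DEFAULT_CONF and $DEFAULT_INSTANCES to the functions instead.
demo_conf=$(mktemp)
printf '# allow setuid = no   (commented out, must be ignored)\nallow setuid = yes\n' > "$demo_conf"
if check_mitigation "$demo_conf"; then
    echo "constructed config: mitigation present"
else
    echo "constructed config: allow setuid = $(singularity_allow_setuid "$demo_conf"), mitigation NOT present"
fi
rm -f "$demo_conf"
```

The constructed config deliberately contains a commented-out `allow setuid = no` above a live `allow setuid = yes`, which is the case a naive `grep` would misreport; the script resolves it to `yes` and reports the mitigation as absent. `list_other_writable` only flags files writable by "other", which is the minimal check for the condition the advisory describes; a site with group-writable instance files may want to widen it.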


Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team