OSG-SEC-2021-05-27 Vulnerability in Singularity
Dear OSG Security Contacts,
A security vulnerability in Singularity has been publicly announced [1]. Under conditions unlikely to occur for OSG users, it is possible for someone to publish a malicious container that takes priority over a container that a user is expecting to run.
The OSG Security team considers the vulnerability to be of MODERATE severity.
IMPACTED VERSIONS:
Singularity 3.7.2 and 3.7.3
WHAT ARE THE VULNERABILITIES:
By default, singularity commands that use “library://” for downloading containers read those containers from https://cloud.sylabs.io. That is a publicly accessible server and anyone may freely create an account there for storing containers, similar to Docker Hub. Users can also choose to redirect “library://” references to a private server with the singularity “remote” command. The vulnerability is that the singularity action commands (run/shell/exec) always try to download from https://cloud.sylabs.io first, so someone could publish a container there with the same name as a container on the private server and the untrusted container from the public server would instead be used.
WHAT YOU SHOULD DO:
If you have Singularity 3.7.2 or 3.7.3 installed and think some of your users might be using a private server for library:// containers, notify them to either not use it until 3.7.4 is available in EPEL or to create an identical account name for themselves on https://cloud.sylabs.io.
REFERENCES
[1] https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team