OSG-SEC-2021-12-16 Vulnerability in golang/Singularity
Dear OSG Security Contacts,
A security vulnerability in golang has been announced that can potentially lead to a vulnerability in singularity. The OSG security team considers the risk of this vulnerability to be MODERATE.
IMPACTED VERSIONS:
Any version of singularity compiled using golang 1.16.11 or older or using 1.17 through 1.17.4 is impacted. This includes EPEL singularity rpms 3.8.5-1 or earlier.
WHAT ARE THE VULNERABILITIES:
Prior to golang 1.16.12 and 1.17.5, the syscall.ForkExec function had a flaw that can result in output for one file descriptor to be redirected to another under conditions of running out of file descriptors [1]. Singularity uses that library call, so it is potentially affected [2]. There is no specific known exploit at this time, but especially for setuid-root installations it is better to ensure that a newly compiled version is installed.
WHAT YOU SHOULD DO:
Upgrade to a version of singularity compiled with the newer golang. For those using the EPEL rpms, upgrade to version 3.8.5-2 which is currently in epel-testing and should be promoted to epel by the end of next week.
REFERENCES
[1] https://groups.google.com/g/golang-announce/c/hcmEScgc00k [2] https://groups.google.com/u/1/a/lbl.gov/g/singularity/c/JwV-Mt8fyWc
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team