OSG-SEC-2021-12-16 Vulnerability in golang/Singularity
Dear OSG Security Contacts,
A security vulnerability in golang has been announced that can potentially lead to a vulnerability in singularity. The OSG security team considers the risk of this vulnerability to be MODERATE.
Any version of singularity compiled using golang 1.16.11 or older or using 1.17 through 1.17.4 is impacted. This includes EPEL singularity rpms 3.8.5-1 or earlier.
WHAT ARE THE VULNERABILITIES:
Prior to golang 1.16.12 and 1.17.5, the syscall.ForkExec function had a flaw that can result in output for one file descriptor to be redirected to another under conditions of running out of file descriptors . Singularity uses that library call, so it is potentially affected . There is no specific known exploit at this time, but especially for setuid-root installations it is better to ensure that a newly compiled version is installed.
WHAT YOU SHOULD DO:
Upgrade to a version of singularity compiled with the newer golang. For those using the EPEL rpms, upgrade to version 3.8.5-2 which is currently in epel-testing and should be promoted to epel by the end of next week.
 https://groups.google.com/g/golang-announce/c/hcmEScgc00k  https://groups.google.com/u/1/a/lbl.gov/g/singularity/c/JwV-Mt8fyWc
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team