Title: EGI SVG 'ADVISORY' [TLP:WHITE] Singularity - file overwrite
vulnerability [EGI-SVG-CVE-2020-15229]
Date: 2020-10-20
Updated:
Affected software and risk
==========================
Package : Singularity
CVE ID : CVE-2020-15229
A path traversal and file overwrite vulnerability with "unsquashfs" has been
announced, see [R 1].
This may allow files to be overwritten in various scenarios, but it is not
clear how likely it is for the vulnerability to be exploitable in our
environment.
Actions required/recommended
============================
Sites and users with their own Singularity installations are advised to update
Singularity as soon as it is convenient.
If anyone becomes aware of any situation where this vulnerability may have a
significant impact on the EGI infrastructure, then please inform EGI SVG.
Component installation information
==================================
See [R 1]
Mitigation
==========
No mitigating action has been identified, sites and users are advised to update
in due course.
Affected software details
=========================
Singularity versions 3.1.1 - 3.6.3 are affected
This issue is fixed in version 3.6.4
More information
================
Sites are reminded that they are recommended to enable unprivileged user
namespaces on their worker nodes [R 2]
If it is found that this vulnerability looks exploitable in the EGI
environment, then the EGI SVG will re-examine the issue and assess the risk. It
is possible then that sites may be asked to update urgently.
Users who build their own containers should be careful what they include
especially what they include from the web and avoid doing things as 'root' as
much as possible.
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2020-15229
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 3]
Note that this is undergoing revision to fully handle vulnerabilities in the
EOSC-hub era.
References
==========
[R 1] https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9
[R 2] https://advisories.egi.eu/Advisory-SVG-2020-16648
[R 3] https://documents.egi.eu/public/ShowDocument?docid=3145
Credit
======
SVG was alerted to this vulnerability by Dave Dykstra
Timeline
========
Yyyy-mm-dd [EGI-SVG-2020-CVE-2020-15229]
2020-10-13 SVG alerted to this issue by Dave Dykstra - after issue fixed by the
developers
2020-10-13 Acknowledgement from the EGI SVG to the reporter
2020-10--- Discussion of issue and on what action to take
2020-10-20 Advisory sent to sites and additionally VO Security Contacts
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 3] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative commons license
https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/
Software Vulnerability Group must be credited.
-----------------------------
Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure and the
services in the EOSC-hub catalogue.
On behalf of the EGI SVG,