OSG-SEC-2018-03-05 Vulnerability in Singularity
Dear OSG Security Contacts,
There is a new vulnerability in Singularity 2.3.2 that allows code inside the container to escape.
WHAT IS THE VULNERABILITY:
An open file descriptor to the image directory is passed through to the process running inside the container. With that file descriptor it is easy to escape the container: a program can fchdir() to the file descriptor and run another shell. Then "cd .." out of the container can see, e.g., the host system’s /tmp with other grid users' X.509 proxies, which will be readable if they are owned by the same glidein/pilot.
WHAT YOU SHOULD DO:
Update to the latest version singularity-2.4.2  as soon as possible. Note that there are some command line incompatibilities with version 2.3.2, mostly in the commands related to managing images.
-  http://opensciencegrid.github.io/docs/worker-node/install-singularity/
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team