OSG-SEC-2018-07-05 Singularity Vulnerabilities
Dear OSG Security Contacts,
High-severity vulnerabilities have been publicly reported concerning installations of singularity that support overlayfs, which is the default on EL7. If overlay is available, a malicious user could exploit this vulnerability to escalate privileges. OSG security considers this a Critical vulnerability and the impact is high for our infrastructure. A new version is available in the osg-testing repository and is planned to be released to the osg repository on Friday, July 6, after more extensive testing. A workaround not requiring an upgrade is outlined below.
EL7 based systems with singularity versions 2.5.1 and earlier with a default configuration are impacted. EL6 is not affected.
WHAT ARE THE VULNERABILITIES:
A vulnerability with the singularity mount command enables read access to protected files. In addition, a race condition allows read access to protected files in the root filesystem with other singularity commands. These can lead to privilege escalation.
For more details see the singularity-2.5.2 release announcement. Jobs running inside of singularity containers are not able to exploit these vulnerabilities.
WHAT YOU SHOULD DO:
On EL7 systems, one of the following actions should be applied IMMEDIATELY:
1. Configure the following workaround: set enable overlay = no in /etc/singularity/singularity.conf. No OSG VO using singularity in production currently requires this feature. (This may already be disabled because of a workaround for a previously announced vulnerability, which was later fixed.)
2. Begin testing the latest singularity version 2.5.2-1.osg34 with the following command:
yum update --enablerepo=osg-testing singularity-runtime
and if it works for your workflows, install it on all nodes.
Report any problems seen to [email protected]. If no problems are seen with your use cases, you may upgrade before the release to the osg yum repository.
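As an added example that is not part of the OSG advisory, the following POSIX shell check lets a site administrator confirm that a host has at least one of the two mitigations above in place: the enable overlay = no workaround in singularity.conf, or a singularity package at 2.5.2 or newer. The config path and the package version are parameters so it can be run against a constructed sample file; the key name and the fixed version come from the advisory.

```shell
#!/bin/sh
# Added example for OSG-SEC-2018-07-05 (not OSG or Singularity code):
# audit a host for the overlay workaround and/or the fixed package version.

# Returns 0 only if every uncommented "enable overlay" line in the given
# singularity.conf is set to "no". An absent key means the upstream default
# applies (overlay enabled), so that case returns 1.
overlay_disabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    vals=$(sed -n 's/^[[:space:]]*enable overlay[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf")
    [ -n "$vals" ] || return 1
    for v in $vals; do
        [ "$v" = "no" ] || return 1
    done
    return 0
}

# Returns 0 if VERSION (e.g. "2.5.2-1.osg34" as printed by rpm) is at least
# 2.5.2, the release that fixes the vulnerabilities; 1 otherwise.
version_is_fixed() {
    v=${1%%-*}                      # drop the RPM release suffix
    first=$(printf '%s\n%s\n' "2.5.2" "$v" | sort -V | head -n 1)
    [ "$first" = "2.5.2" ]          # smaller version sorts first
}

# Verdict for one host: "ok" if either mitigation is present, else "vulnerable".
host_status() {
    conf="$1"; ver="$2"
    if overlay_disabled "$conf" || version_is_fixed "$ver"; then
        echo ok
    else
        echo vulnerable
    fi
}

# Constructed sample config with the workaround applied, checked against the
# last affected version to show the workaround alone is sufficient.
sample=$(mktemp)
printf '# enable overlay = try\nenable overlay = no   # OSG-SEC-2018-07-05 workaround\n' > "$sample"
echo "sample config, singularity 2.5.1: $(host_status "$sample" 2.5.1)"
rm -f "$sample"

# On a real EL7 host, run it against the live config and installed package:
#   host_status /etc/singularity/singularity.conf \
#       "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' singularity-runtime)"
```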
- https://github.com/singularityware/singularity/releases/tag/2.5.2
- OSG-SEC-2018-04-30
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12021
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team