
OSG-SEC-2018-12-12 Critical vulnerability in Singularity Update

Dear OSG Security Contacts,

Regarding the CRITICAL security vulnerability in singularity announced earlier today: exploits of the vulnerability have now been made public, so responding to the announcement is even more urgent. Please take the appropriate actions ASAP.

The exploits also revealed an immediate mitigation that can be done without upgrading; details below. We also have updated instructions below on how to upgrade; this supersedes the prior upgrade instructions.

MITIGATION

The known exploits affect setuid executables in the singularity RPM and the singularity-runtime RPM. However, they do not affect the setuid executable in singularity-runtime that is used for executing containers. The affected setuid executable in singularity-runtime allows starting background instances, a feature not known to be used by batch jobs. The singularity RPM is only needed on hosts that require image creation capability.

Hence, for hosts such as worker nodes, one can mitigate the exploits by removing affected binaries.

The first step of the mitigation is to remove the singularity RPM if it is installed, leaving only the singularity-runtime RPM. Then, remove this executable:

rm /usr/libexec/singularity/bin/start-suid

This executable will be reinstalled after an RPM upgrade.

UPGRADE

A permanent solution is to install singularity-runtime-2.6.1, which is now available in the OSG repository:

yum install singularity-runtime

Verify that yum installs at least singularity-runtime-2.6.1.

The command recommended in the previous announcement installed the singularity RPM; we recommend avoiding installation of the singularity RPM where possible. Note that the above command will also upgrade the singularity RPM if necessary.
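The following POSIX sh helpers are an added example written for this page, not a script from the OSG Security Team or the Singularity project. They check the two outcomes the advisory asks for: that the start-suid executable named above is gone (mitigation), and that the installed singularity-runtime is at least 2.6.1 (upgrade). The required version and the start-suid path come from the advisory; the RPM name-version-release strings used in the checks (for example singularity-runtime-2.5.2-1.el7) are constructed samples, the optional ROOT parameter of start_suid_present is a hypothetical addition so the check can be exercised against a test tree, and audit_host assumes a host where rpm -q is available.

```shell
#!/bin/sh
# Added example, not part of the OSG advisory: helpers to audit a host against
# the two actions in the advisory (mitigation: start-suid removed; upgrade:
# singularity-runtime >= 2.6.1). NVR strings such as
# "singularity-runtime-2.5.2-1.el7" are constructed samples.

REQUIRED_VERSION="2.6.1"
START_SUID_PATH="/usr/libexec/singularity/bin/start-suid"

# rpm_version NVR: print the upstream version from an RPM name-version-release
# string, e.g. "singularity-runtime-2.6.1-1.el7" -> "2.6.1".
rpm_version() {
    nv="${1%-*}"                 # drop the trailing "-release"
    printf '%s\n' "${nv##*-}"    # keep what follows the last "-"
}

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing each
# numeric component in turn; a missing component counts as 0 (so 2.6 < 2.6.1).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$x" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$y" = "$b" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# needs_upgrade NVR: succeed when the package named by NVR is older than the
# fixed 2.6.1 release.
needs_upgrade() {
    v=$(rpm_version "$1")
    if version_ge "$v" "$REQUIRED_VERSION"; then
        return 1
    fi
    return 0
}

# start_suid_present [ROOT]: succeed when the start-suid executable still exists
# under ROOT (default: the real filesystem), i.e. the mitigation is not applied.
# ROOT is a hypothetical parameter added so the check can run on a test tree.
start_suid_present() {
    [ -e "${1:-}$START_SUID_PATH" ]
}

# audit_host: report what is still outstanding on this host. Uses rpm -q, so it
# is only meaningful on an RPM-based system.
audit_host() {
    if start_suid_present; then
        echo "MITIGATION PENDING: $START_SUID_PATH is present (remove it, or upgrade)"
    else
        echo "ok: $START_SUID_PATH is absent"
    fi
    if rpm -q singularity >/dev/null 2>&1; then
        echo "NOTE: the singularity RPM is installed; remove it unless image creation is needed here"
    fi
    nvr=$(rpm -q singularity-runtime 2>/dev/null) || {
        echo "singularity-runtime is not installed"
        return 0
    }
    if needs_upgrade "$nvr"; then
        echo "UPGRADE NEEDED: $nvr is older than singularity-runtime-$REQUIRED_VERSION"
    else
        echo "ok: $nvr is at or above $REQUIRED_VERSION"
    fi
}

# Run the live audit only where rpm exists; the helpers above work anywhere.
if command -v rpm >/dev/null 2>&1; then
    audit_host
fi
```

Run it as root on a worker node after applying the mitigation or the upgrade; a "MITIGATION PENDING" or "UPGRADE NEEDED" line means the host still needs action. The version comparison is numeric per component rather than a string compare, so a future 2.10.x release is correctly treated as newer than 2.6.1.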

Please contact [email protected] if you have any questions or concerns.

Sincerely,
Jeny Teheran on behalf of the OSG Security Team