OSG-SEC-2019-05-14 Vulnerability in Singularity
Dear OSG users,
Impacted: Singularity 3.x.x, all versions
Severity: High
The OSG Security Team wants to inform you that a high severity vulnerability has been announced for privileged installations of all Singularity 3.x.x versions. A new version with a fix to the vulnerability is being prepared by OSG. The current primary Singularity version supported by OSG, version 2.6.1, is not vulnerable. OSG does however support a 3.x.x version in the osg-upcoming yum repository and some sites have installed it.
We will send a follow up announcement when a new version is available, but meanwhile there is a mitigation, below.
WHAT YOU SHOULD DO:
If you are using privileged Singularity 3.x.x on a RHEL7-based distribution, while waiting for the new version either downgrade to version 2.6.1 or enable unprivileged Singularity and set:
allow setuid = no
If you are using Singularity 3.x.x on a RHEL6-based distribution, downgrade to version 2.6.1.
HOW IT WORKS:
A malicious user with local or network access to the host system (e.g. via ssh) could exploit this vulnerability because insecure permissions allow a user to edit files within /run/singularity/instances/sing/.
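As an added example, not part of the OSG advisory, the POSIX shell script below audits a host for the three points above: whether the installed Singularity is in the affected 3.x.x series, whether the configuration carries the mitigation "allow setuid = no", and whether anything under /run/singularity/instances/sing/ is writable by users other than its owner. The configuration path /etc/singularity/singularity.conf, the environment overrides and the --run flag are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper, not part of the OSG advisory. Assumes the default
# singularity.conf path and the instance directory named in the advisory;
# both can be overridden through the environment.
CONF="${SINGULARITY_CONF:-/etc/singularity/singularity.conf}"
INSTANCE_DIR="${SINGULARITY_INSTANCE_DIR:-/run/singularity/instances/sing}"

# Return 0 when config file $1 carries the mitigation "allow setuid = no".
# Comments are stripped first; the last occurrence of the directive wins.
setuid_disabled() {
  val=$(sed -e 's/#.*//' "$1" |
    awk -F'=' 'tolower($1) ~ /^[[:space:]]*allow setuid[[:space:]]*$/ {
                 gsub(/[[:space:]]/, "", $2); v = tolower($2) }
               END { print v }')
  [ "$val" = "no" ]
}

# Return 0 when version string $1 is in the affected 3.x.x series.
version_affected() {
  case "$1" in
    3.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Return 0 when anything under $1 is group- or world-writable, a coarse
# indicator of the loose permissions the advisory describes (GNU find).
has_loose_perms() {
  [ -d "$1" ] || return 1
  [ -n "$(find "$1" -perm /022 2>/dev/null | head -n 1)" ]
}

# Run all checks against the local host and report.
audit() {
  ver=$(singularity --version 2>/dev/null | sed 's/[^0-9]*\([0-9][0-9.]*\).*/\1/')
  if [ -z "$ver" ]; then
    echo "singularity not found on PATH"
  elif ! version_affected "$ver"; then
    echo "singularity $ver: not in the affected 3.x.x series"
  elif setuid_disabled "$CONF"; then
    echo "singularity $ver: affected series, but 'allow setuid = no' is set (mitigated)"
  else
    echo "singularity $ver: privileged 3.x.x install; downgrade to 2.6.1 or set 'allow setuid = no'"
  fi
  if has_loose_perms "$INSTANCE_DIR"; then
    echo "warning: group/world-writable entries found under $INSTANCE_DIR"
  fi
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

Run as `sh audit.sh --run` on each host; the functions are also usable individually from a larger configuration-check script.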
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team