https://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2019-11328&action=history
SVG:Advisory-SVG-CVE-2019-11328 - Revision history (Atom feed generated by MediaWiki 1.37.1 on 2024-03-28T16:59:42Z)

Revisions, newest first:

  2019-06-25T10:23:25Z  imported>Cornwall  diff=110937  (No difference)
  2019-06-25T10:23:25Z  Cornwall           diff=102035  Reflowed the first paragraph of the "OSG team information" section (from line 40, "The OSG Security Team wants to inform you that ...") onto four lines; no change of wording.
  2019-06-20T10:01:18Z  Cornwall           diff=102027  Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk **UPDATE** Singularity Vulnerability announced by the Singularity team [EGI-SVG-CVE-20..."

<p><b>New page</b> (revision 102027)</p><div>{{svg-header}}

<pre>

Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk **UPDATE** Singularity Vulnerability announced by
the Singularity team [EGI-SVG-CVE-2019-11328]

Date: 2019-05-16
Updated: 2019-05-22, 2019-06-20


Affected software and risk
==========================

HIGH risk vulnerability concerning Singularity

Package : Singularity

See OSG team information and [R 5]

Actions required/recommended
============================

Sites running privileged (setuid) installations of Singularity 3.x.x should take the action described below,
in the OSG information, if they have not done so already. Singularity 2.6.1 is not affected.

**UPDATE 2019-06-20**

Singularity 3.2.1 is now available in EPEL [R 6], and updating to this is an alternative to the instructions
in the OSG team information below.
OSG team information
====================

Subject: OSG-SEC-2019-05-14 Vulnerability in Singularity

Dear OSG users,

Impacted: Singularity 3.x.x, all versions
Severity: High

The OSG Security Team wants to inform you that a high severity vulnerability has been announced for privileged installations of all Singularity 3.x.x versions. A new version with a fix to the vulnerability is being prepared by OSG. The current primary Singularity version supported by OSG, version 2.6.1, is not vulnerable. OSG does however support a 3.x.x version in the osg-upcoming yum repository and some sites have installed it.

We will send a follow-up announcement when a new version is available, but meanwhile there is a mitigation, below.

WHAT YOU SHOULD DO:
If you are using privileged Singularity 3.x.x on a RHEL7-based distribution, while waiting for the new version
either downgrade to version 2.6.1 or enable unprivileged Singularity [1] and set

allow setuid = no

in singularity.conf.

If you are using Singularity 3.x.x on a RHEL6-based distribution, downgrade to version 2.6.1.

HOW IT WORKS:
A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due
to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>.
The manipulation of those files can change the behavior of the starter-suid program when instances are joined,
resulting in potential privilege escalation on the host [2] [3].
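The audit script below is an added example written for this page; it is not code from OSG, EGI or the Singularity project. It turns the two checks above into something a site can run: needs_action() applies the OSG conditions (a 3.x version with "allow setuid" still yes in singularity.conf) together with the 3.2.1 EPEL fix named in the 2019-06-20 update, and writable_instance_files() lists entries under the instance state tree that a user other than root could edit, which is the condition HOW IT WORKS describes. Assumptions not stated on the page: singularity.conf uses "key = value" lines and "allow setuid" defaults to yes when the key is absent; every 3.x release below 3.2.1 is treated as still needing action (reference [2] points at the v3.2.0 release notes, so a site on 3.2.0 should read those before trusting this threshold); "singularity --version" prints "singularity version X.Y.Z" on 3.x; the configuration files and instance tree built by make_sample_tree() are constructed for the example and come from no real host.

```shell
#!/bin/sh
# Added audit helper for EGI-SVG-CVE-2019-11328; not OSG, EGI or Sylabs code.
# Assumptions: "key = value" conf syntax, "allow setuid" defaults to yes,
# 3.x below 3.2.1 still needs action, instance tree as quoted in the advisory.

# Return 0 if dotted version $1 sorts below $2 (3.1.1 < 3.2.1).
# A package suffix such as "-1.el7" is stripped before comparing.
version_lt() {
    v1=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    v2=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$v1" | cut -s -d. -f"$i")
        y=$(printf '%s\n' "$v2" | cut -s -d. -f"$i")
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Print the effective "allow setuid" value (yes/no) from the singularity.conf
# given as $1; the last matching line wins, a missing key means yes.
allow_setuid() {
    val=$(sed -n 's/^[[:space:]]*allow setuid[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | tail -n 1)
    case "$(printf '%s' "${val:-yes}" | tr 'A-Z' 'a-z')" in
        no) echo no ;;
        *)  echo yes ;;
    esac
}

# Return 0 when a host with Singularity version $1 and conf $2 still matches
# the advisory: 3.x below 3.2.1 and the setuid path still allowed.
# 2.6.1 (named by OSG as not vulnerable) and 3.2.1 or later return 1.
needs_action() {
    case "$1" in 3.*) ;; *) return 1 ;; esac
    version_lt "$1" 3.2.1 || return 1
    [ "$(allow_setuid "$2")" = yes ]
}

# List every entry under instance state directory $1 that someone other than
# $2 (default root) could edit: wrong owner, or group/other write bit set.
# Any output is state that starter-suid would read from a user-controlled file.
writable_instance_files() {
    find "$1" \( ! -user "${2:-root}" -o -perm -020 -o -perm -002 \) -print | sort
}

# Build a constructed sample (no data from a real host) and print its path:
# a vulnerable and a mitigated conf, plus one alice/job1 instance tree holding
# a deliberately world-writable file, so the checks can be exercised offline.
make_sample_tree() {
    d=$(mktemp -d)
    printf '# constructed sample\nallow setuid = yes\n' > "$d/vuln.conf"
    printf 'allow setuid = no\n' > "$d/mitigated.conf"
    inst="$d/instances/sing/alice/job1"
    mkdir -p "$inst" && chmod 0755 "$inst"
    printf '{}\n' > "$inst/job1.json"     && chmod 0600 "$inst/job1.json"
    printf '{}\n' > "$inst/tampered.json" && chmod 0666 "$inst/tampered.json"
    printf '%s\n' "$d"
}

# Real-host entry point; the paths are the advisory's, the version string
# format ("singularity version X.Y.Z") is an assumption.
audit_host() {
    ver=$(singularity --version 2>/dev/null | sed 's/^singularity version //')
    if needs_action "$ver" /etc/singularity/singularity.conf; then
        echo "ACTION NEEDED: singularity $ver with allow setuid = yes"
    else
        echo "ok: singularity ${ver:-not installed}; setuid path disabled or version fixed"
    fi
    writable_instance_files /run/singularity/instances/sing
}
```

Run audit_host on the node under test, normally as root so that every user's instance directory is readable. The script only reports whether a node still matches the vulnerable conditions; the remedy remains the one OSG gives above (allow setuid = no, or move to 2.6.1 or 3.2.1).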

REFERENCES:

[1] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity
[2] https://github.com/sylabs/singularity/releases/tag/v3.2.0
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11328




TLP and URL
===========

** WHITE information - Unlimited distribution
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2019-11328

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4].

Note that this procedure is undergoing revision to fully handle vulnerabilities in the EOSC-hub era.


References
==========

[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145

[R 5] https://seclists.org/oss-sec/2019/q2/112

[R 6] https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/s/


Credit
======

SVG was alerted to this vulnerability by David Dykstra from FNAL / OSG.


Timeline
========
Yyyy-mm-dd [EGI-SVG-CVE-2019-11328]

2019-05-07 SVG alerted to this issue by David Dykstra
2019-05-07 Acknowledgement from the EGI SVG to the reporter
2019-05-15 OSG sent announcement of the vulnerability with actions to take.
2019-05-16 SVG informed sites as 'AMBER', simply providing the OSG information.
2019-05-22 Update to inform sites of the fixed version of Singularity in EPEL testing
2019-06-20 Update as the fixed version of Singularity is in EPEL; changed to [TLP:WHITE]

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4] in the context
of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it
to be correct. The risk may also be higher or lower in other deployments depending on how the software is used.

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group

Note that the SVG issue handling procedure is currently under review, to take account of the increasing
inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,

</pre></div>