From EGIWiki
Revision as of 12:35, 21 October 2020 by Cornwall (talk | contribs) (Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] Singularity - file overwrite vulnerability [EGI-SVG-CVE-2020-15229] Date: 2020-10-20 Updated:...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More


Title:       EGI SVG 'ADVISORY' [TLP:WHITE] Singularity - file overwrite vulnerability [EGI-SVG-CVE-2020-15229]  

Date:        2020-10-20

Affected software and risk

Package : Singularity
CVE ID  : CVE-2020-15229

A path traversal and file overwrite vulnerability with "unsquashfs" has been announced, see [R 1].
This may allow files to be overwritten in various scenarios, but it is not clear how likely it is for the vulnerability to be exploitable in our environment. 

Actions required/recommended

Sites and users with their own Singularity installations are advised to update Singularity as soon as it is convenient. 

If anyone becomes aware of any situation where this vulnerability may have a significant impact on the EGI infrastructure, then please inform EGI SVG.

Component installation information

See [R 1] 


No mitigating action has been identified, sites and users are advised to update in due course.

Affected software details

Singularity versions 3.1.1 - 3.6.3 are affected

This issue is fixed in version 3.6.4

More information

Sites are reminded that they are recommended to enable unprivileged user namespaces on their worker nodes [R 2]

If it is found that this vulnerability looks exploitable in the EGI environment, then the EGI SVG will re-examine the issue and assess the risk. It is possible then that sites may be asked to update urgently.

Users who build their own containers should be careful what they include especially what they include from the web and avoid doing things as 'root' as much as possible.  


** WHITE information - Unlimited distribution 
  - see for distribution restrictions***    


Minor updates may be made without re-distribution to the sites


Comments or questions should be sent to svg-rat  at

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 3]  

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. 


[R 1]

[R 2]

[R 3]


SVG was alerted to this vulnerability by Dave Dykstra 

Yyyy-mm-dd  [EGI-SVG-2020-CVE-2020-15229] 

2020-10-13 SVG alerted to this issue by Dave Dykstra - after issue fixed by the developers
2020-10-13 Acknowledgement from the EGI SVG to the reporter
2020-10--- Discussion issue and on what action to take 
2020-10-20 Advisory sent to sites and additionally VO Security Contacts


This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 3]  in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. 

This advisory is subject to the Creative commons license and the EGI Software Vulnerability Group must be credited. 

Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,