SVG:Advisory-SVG-CVE-2020-15229

From EGIWiki
Revision as of 12:35, 21 October 2020 by Cornwall (talk | contribs) (Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] Singularity - file overwrite vulnerability [EGI-SVG-CVE-2020-15229] Date: 2020-10-20 Updated:...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-CVE-2020-15229


Title:       EGI SVG 'ADVISORY' [TLP:WHITE] Singularity - file overwrite vulnerability [EGI-SVG-CVE-2020-15229]  

Date:        2020-10-20
Updated:     

Affected software and risk
==========================

Package : Singularity
CVE ID  : CVE-2020-15229

A path traversal and file overwrite vulnerability with "unsquashfs" has been announced, see [R 1].
This may allow files to be overwritten in various scenarios, but it is not clear how likely it is for the vulnerability to be exploitable in our environment. 


Actions required/recommended
============================

Sites and users with their own Singularity installations are advised to update Singularity as soon as it is convenient. 

If anyone becomes aware of any situation where this vulnerability may have a significant impact on the EGI infrastructure, then please inform EGI SVG.

Component installation information
==================================

See [R 1] 

Mitigation
==========

No mitigating action has been identified, sites and users are advised to update in due course.


Affected software details
=========================

Singularity versions 3.1.1 - 3.6.3 are affected

This issue is fixed in version 3.6.4

More information
================

Sites are reminded that they are recommended to enable unprivileged user namespaces on their worker nodes [R 2]

If it is found that this vulnerability looks exploitable in the EGI environment, then the EGI SVG will re-examine the issue and assess the risk. It is possible then that sites may be asked to update urgently.

Users who build their own containers should be careful what they include especially what they include from the web and avoid doing things as 'root' as much as possible.  

TLP and URL
===========

** WHITE information - Unlimited distribution 
  - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***    

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2020-15229    

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 3]  

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. 


References
==========

[R 1] https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9

[R 2] https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2020-16648

[R 3] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Dave Dykstra 


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-2020-CVE-2020-15229] 

2020-10-13 SVG alerted to this issue by Dave Dykstra - after issue fixed by the developers
2020-10-13 Acknowledgement from the EGI SVG to the reporter
2020-10--- Discussion issue and on what action to take 
2020-10-20 Advisory sent to sites and additionally VO Security Contacts


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 3]  in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. 

-----------------------------
This advisory is subject to the Creative commons license https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------

Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,