Response to CVE-2023-30549

By Staff
Impact
There is no impact to systems that are not vulnerable to CVE-2022-1184. On systems that are vulnerable to CVE-2022-1184, a specially crafted extfs container image, or extfs overlay partition within a SIF file, may trigger a denial of service when run with SingularityCE / SingularityPRO in set-uid mode.
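The precondition named above is that Singularity is running in set-uid mode, which holds when singularity.conf carries `allow setuid = yes` and the root-owned `starter-suid` helper has its set-uid bit. The following shell functions check both on a host. They are an added example, not code from Sylabs or the SingularityCE project; the default file paths are assumptions for a typical install and should be passed explicitly where the prefix differs.

```shell
# Added example (not Sylabs' or SingularityCE's code): report whether a host
# meets the "set-uid mode" precondition for the crafted-extfs-image issue.
# Assumed default paths: /etc/singularity/singularity.conf and
# /usr/local/libexec/singularity/bin/starter-suid.

# Print the effective "allow setuid" value from a singularity.conf: yes, no,
# or unknown (file unreadable, key absent, or unrecognised value).
# Comment lines are ignored; the last uncommented assignment wins, as it
# would for a hand-edited file.
allow_setuid_setting() {
    conf="$1"
    [ -r "$conf" ] || { echo unknown; return 0; }
    val=$(sed -n 's/^[[:space:]]*allow[[:space:]]*setuid[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" \
          | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in
        yes|no) echo "$val" ;;
        *)      echo unknown ;;
    esac
}

# Print yes if the starter-suid helper exists, is owned by root and carries
# the set-uid bit; otherwise no. Without all three the kernel-side mount
# path is not reachable from an unprivileged user.
starter_suid_armed() {
    bin="$1"
    if [ -u "$bin" ] && [ -n "$(find "$bin" -prune -user root 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# Set-uid mode is in effect only when both conditions hold.
# Returns 0 (in effect) or 1 (not in effect) and prints a one-line verdict.
setuid_mode_in_effect() {
    conf="${1:-/etc/singularity/singularity.conf}"                    # assumed default
    bin="${2:-/usr/local/libexec/singularity/bin/starter-suid}"       # assumed default
    setting=$(allow_setuid_setting "$conf")
    armed=$(starter_suid_armed "$bin")
    if [ "$setting" = yes ] && [ "$armed" = yes ]; then
        echo "set-uid mode in effect (allow setuid = yes, starter-suid armed): an extfs image in a SIF is mounted by the kernel"
        return 0
    fi
    echo "set-uid mode not in effect (allow setuid = $setting, starter-suid armed: $armed)"
    return 1
}
```

A verdict of "in effect" on an unpatched kernel is the combination the Impact section describes; the fix is still the kernel patch, and this check only tells an administrator whether the Singularity-side precondition applies.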
Analysis
Sylabs’ opinion is that CVE-2023-30549 is a duplicate of CVE-2022-1184, and does not describe a security vulnerability in SingularityCE / SingularityPRO. The security vulnerability identified in the advisory is in the kernel, and must be patched there. It is also relevant to non-Singularity workflows, such as automatic or user-initiated mounts of USB drives under desktop environments.
The alternative of running Singularity without set-uid mode relies on kernel features, user namespaces and FUSE, that have had vulnerabilities of their own, for example:
- CVE-2022-0185 – Privilege escalation via user namespaces.
- CVE-2023-0386 – Privilege escalation via user namespaces, FUSE, and overlays.
- CVE-2019-20794 – FUSE denial of service with PID namespaces (marked ‘Will not fix’ for RHEL).
Running without set-uid mode also carries functional limitations:
- Singularity’s execution control list, which limits container execution to specifically signed containers, cannot be enforced.
- Encrypted SIF containers can no longer be used.
- Supplementary groups cannot be used – https://github.com/apptainer/apptainer/issues/868
- Host filesystem ACLs cannot be used – https://github.com/apptainer/apptainer/issues/1239
Summary
Sylabs does not consider CVE-2023-30549 to be a vulnerability in Singularity. Systems should be patched regularly to ensure they are not susceptible to vulnerabilities such as CVE-2022-1184.