Gentoo Linux Security Advisory 202311-13
Gentoo Linux Security Advisory 202311-13 - A privilege escalation vulnerability has been discovered in Apptainer. Versions greater than or equal to 1.1.8 are affected.
Gentoo Linux Security Advisory GLSA 202311-13
https://security.gentoo.org/
Severity: High
Title: Apptainer: Privilege Escalation
Date: November 25, 2023
Bugs: #905091
ID: 202311-13
Synopsis
A privilege escalation vulnerability has been discovered in Apptainer.
Background
Apptainer is the container system for secure high-performance computing.
Affected packages
Package                     Vulnerable    Unaffected
app-containers/apptainer    < 1.1.8       >= 1.1.8
Description
A vulnerability has been discovered in Apptainer. Please review the CVE
identifier referenced below for details.
Impact
There is an ext4 use-after-free flaw that is exploitable in vulnerable
versions.
Workaround
There is no known workaround at this time.
Resolution
All Apptainer users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=app-containers/apptainer-1.1.8"
References
[ 1 ] CVE-2023-30549
https://nvd.nist.gov/vuln/detail/CVE-2023-30549
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202311-13
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0, installations that include apptainer-suid < 1.1.8, and all versions of Singularity in their default configurations on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service and potentially for privilege escalation. Apptainer 1.1.8 includes a patch that by default disables mounting of extfs filesystem types in setuid-root mode, while continuing to allow mounting of extfs filesystems in non-setuid "rootless" mode using fuse2fs. Some workarounds are possible. Either do not install apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid = no` in apptainer.conf (or singularity.conf ...
### Impact
There is an ext4 use-after-free flaw described in CVE-2022-1184 that is exploitable through versions of Apptainer < 1.1.0, installations that include apptainer-suid < 1.1.8, and all versions of Singularity in their default configurations on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service and potentially for privilege escalation.

### Background
Historically there have been many CVEs published for extfs and a smaller number for squashfs, including serious use-after-free and buffer overrun vulnerabilities, that are scored as "Moderate" or "Low" impact only because unprivileged users were assumed to not have write access to the raw data. Because of those ratings, vendors treat such CVEs as low urgency and either delay a patch u...
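The version ranges and workarounds quoted under Related news can be turned into a host audit check. The script below is an added example, not code from Gentoo or the Apptainer project; the function names and output labels are made up here, the caller supplies the installed version, whether the apptainer-suid component is present, and the path to apptainer.conf, and it does not check whether the kernel itself carries the ext4 fix.

```shell
#!/bin/sh
# Added example: classify an Apptainer install against the advisory text.

# ver_lt A B: succeeds when dotted numeric version A sorts before B.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# setuid_allowed CONF: fails only when the last active (uncommented)
# "allow setuid" line in CONF is "no". A missing file counts as allowed.
setuid_allowed() {
    au_val=$(sed -n 's/^[[:space:]]*allow[[:space:]]\{1,\}setuid[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' \
             "$1" 2>/dev/null | tail -n 1)
    [ "$au_val" != "no" ]
}

# apptainer_exposure VERSION SUID_PKG CONF
#   VERSION   e.g. 1.1.7 (suffixes such as -r1 or _p1 are ignored)
#   SUID_PKG  yes|no: is the apptainer-suid component installed?
#   CONF      path to apptainer.conf
apptainer_exposure() {
    ae_ver=${1%%[-_+]*}
    if ! ver_lt "$ae_ver" 1.1.8; then
        echo patched; return 0            # 1.1.8+: extfs mounts off in setuid mode by default
    fi
    if ! ver_lt "$ae_ver" 1.1.0 && [ "$2" != yes ]; then
        echo mitigated-no-suid; return 0  # 1.1.0-1.1.7 without apptainer-suid
    fi
    if ! setuid_allowed "$3"; then
        echo mitigated-conf; return 0     # allow setuid = no
    fi
    echo exposed                          # setuid-root extfs mounts still reachable
}

# Demo on a constructed config file (sample data, not from a real host).
demo_conf=$(mktemp)
printf '%s\n' '# allow setuid = no' 'allow setuid = yes' > "$demo_conf"
echo "1.1.7 + suid, setuid=yes: $(apptainer_exposure 1.1.7 yes "$demo_conf")"
printf '%s\n' 'allow setuid = no' > "$demo_conf"
echo "1.1.7 + suid, setuid=no:  $(apptainer_exposure 1.1.7 yes "$demo_conf")"
echo "1.1.8 + suid:             $(apptainer_exposure 1.1.8 yes "$demo_conf")"
rm -f "$demo_conf"
```

A result of `exposed` means only that the Apptainer-side conditions from the advisory hold; whether the host is exploitable also depends on the kernel being unpatched.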