Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
Find out more about CVE-2021-32635 from the MITRE-CVE dictionary and NIST NVD
Login may be required to access defects or downloads.
Product Name | Status | Defect | Fixed | Downloads |
---|---|---|---|---|
Linux | ||||
Wind River Linux LTS 17 | Won't Fix | -- | -- | -- |
Wind River Linux 8 | Not Vulnerable | -- | -- | -- |
Wind River Linux 9 | Not Vulnerable | -- | -- | -- |
Wind River Linux 7 | Not Vulnerable | -- | -- | -- |
Wind River Linux LTS 21 | Won't Fix | -- | -- | -- |
Wind River Linux LTS 22 | Won't Fix | -- | -- | -- |
Wind River Linux LTS 18 | Won't Fix | -- | -- | -- |
Wind River Linux LTS 19 | Won't Fix | -- | -- | -- |
Wind River Linux CD release | Won't Fix | -- | -- | -- |
Wind River Linux 6 | Not Vulnerable | -- | -- | -- |
Wind River Linux LTS 23 | Won't Fix | -- | -- | -- |
VxWorks | ||||
VxWorks 7 | Not Vulnerable | -- | -- | -- |
VxWorks 6.9 | Not Vulnerable | -- | -- | -- |
Helix Virtualization Platform Cert Edition | ||||
Helix Virtualization Platform Cert Edition | Not Vulnerable | -- | -- | -- |
Product Name | Status | Defect | Fixed | Downloads |
---|