Greetings Singularity containerizers!
The 2.6.1 release contains fixes for a high severity security issue affecting Singularity 2.4.0 through 2.6.0 on modern distributions managed with systemd where mount points are mounted with shared mount propagation by default (CVE-2018-19295). A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability to mount arbitrary directories into the host mount namespace resulting in privilege escalation on the host.
Singularity 2.6.1 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects systems on which the / mount point or any exploitable mount point (e.g. /var, ...) is set shared. If you are unable to upgrade immediately, you should run:
mount --make-rprivate /
so that / and all mount points belonging to / are no longer mounted shared. This change must be repeated on every reboot.
- disables instance features for mount commands, disables instance join for start command, and disables daemon start for action commands
Great thanks to Matthias Gerstner of the SUSE security team for confidentially reporting this vulnerability to Sylabs!
As always, please report any bugs to:
If you think that you’ve discovered a security vulnerability, please email the Sylabs team at: