Tri-Adam

**Name of the Vulnerable Software and Affected Versions** syslabs/sif versions prior to 2.8.1 **Description** The issue concerns the verification of digital signatures in the Singularity Image Format (SIF) reference implementation. Specifically, the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. Users are encouraged to upgrade to a version where this issue is fixed. For users unable to upgrade, it is recommended to independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure. **Recommendations** For versions prior to 2.8.1, upgrade to version 2.8.1 or later. As a temporary workaround for users unable to upgrade, consider independently validating the hash algorithm(s) used for metadata digest(s) and signature hash to ensure they are cryptographically secure.

**Name of the Vulnerable Software and Affected Versions** Singularity versions 3.7.2 through 3.7.3 **Description** The issue is related to the incorrect use of a default URL in Singularity, causing `singularity` action commands (`run`/`shell`/`exec`) to retrieve containers from the default remote endpoint (`cloud.sylabs.io`) instead of the configured remote endpoint when using a `library://` URI. This could allow an attacker to push a malicious container to the default remote endpoint, potentially executing it on a victim's system. Only action commands against `library://` URIs are affected, while other commands like `pull` and `push` respect the configured remote endpoint. **Recommendations** For Singularity versions 3.7.2 and 3.7.3, upgrade to Singularity version 3.7.4 or later to resolve the issue. As a temporary workaround, users can only interact with the default remote endpoint. Alternatively, installations can configure an execution control list to restrict execution to containers signed with specific secure keys.

**Name of the Vulnerable Software and Affected Versions** Sylabs Singularity versions 3.0 through 3.5 **Description** The issue concerns a lack of support for an Integrity Check in Sylabs Singularity. Specifically, the sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file. **Recommendations** For versions 3.0 through 3.5, consider implementing additional integrity checks on SIF files to ensure their authenticity and integrity until a patch is available. As a temporary workaround, restrict the use of unverified SIF files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SIF versions prior to v1.2.3 **Description** The issue is related to the `github.com/satori/go.uuid` module used as a dependency in SIF, which produces predictable UUID identifiers due to insecure randomness. This could allow a remote attacker to access confidential data. The `siftool new` command and `siftool.New()` function are affected. **Recommendations** For versions prior to v1.2.3, upgrade to version >= v1.2.3 of the `github.com/satori/go.uuid` module to resolve the issue. As a temporary workaround, users passing `CreateInfo` struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue, such as the version obtained by running `go get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557`.