PT-2023-22775 · Syzbot · Published 2023-04-25 · Updated 2024-08-20
CVE-2023-30549 · CVSS v3.1 7.8 High · Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- Apptainer versions prior to 1.1.0
- Apptainer versions 1.1.0 through 1.1.7 with apptainer-suid versions prior to 1.1.8
Description
Apptainer is an open source container platform for Linux. In setuid-root mode its starter mounts container image files with kernel filesystem drivers, which lets an unprivileged user reach a use-after-free flaw in the Linux kernel's ext4 driver by supplying a crafted extfs image. The flaw can be exploited for denial of service and potentially for privilege escalation. The issue affects older operating systems where the kernel patch has not been applied, including Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic, and Ubuntu 20.04 focal. Apptainer 1.1.8 includes a patch that disables mounting of extfs filesystem types in setuid-root mode by default.
Recommendations
For Apptainer versions prior to 1.1.0, update to version 1.1.0 or later (and, where the apptainer-suid package is installed, to 1.1.8 or later). For Apptainer versions 1.1.0 through 1.1.7 with apptainer-suid, update apptainer-suid to version 1.1.8 or later. As a temporary workaround, set allow setuid = no in apptainer.conf; this requires unprivileged user namespaces to be enabled on the host, because containers then run without the setuid starter. Alternatively, use the limit container owners, limit container groups and/or limit container paths options in apptainer.conf/singularity.conf to restrict SIF files to trusted users, groups and paths, and at the same time set allow container extfs = no to disallow mounting of standalone extfs overlay files.
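Because both workarounds are apptainer.conf settings, an operator will want to confirm which of them a given host actually has before trusting it. The POSIX shell script below is an added example, not code from the Apptainer project or from this advisory: it parses the stock "key = value" format of apptainer.conf/singularity.conf and reports whether allow setuid = no is set, or whether allow container extfs = no is combined with at least one of the limit container owners / limit container groups / limit container paths restrictions (the key names are the assumed expansion of the advisory's "limit container options"). The configuration files it writes are constructed for the demonstration; paths and user names in them are made up.

```shell
#!/bin/sh
# Added example (not Apptainer project code): audit an apptainer.conf or
# singularity.conf for the CVE-2023-30549 workarounds named in the advisory.
# Assumes the stock "key = value" line format and the keys "allow setuid",
# "allow container extfs", "limit container owners", "limit container groups"
# and "limit container paths".

# conf_get FILE KEY: print the value of KEY (last occurrence wins, comment
# lines ignored, surrounding whitespace stripped); empty output if unset.
conf_get() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    {
      n = index($0, "=")
      if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# check_apptainer_conf FILE: return 0 when the file carries one of the
# advisory's workarounds in full, 1 otherwise (a message says which case).
check_apptainer_conf() {
  f="$1"
  setuid=$(conf_get "$f" "allow setuid")
  extfs=$(conf_get "$f" "allow container extfs")
  # Any non-empty limit list counts as a restriction being in place.
  limits="$(conf_get "$f" "limit container owners")$(conf_get "$f" "limit container groups")$(conf_get "$f" "limit container paths")"

  # Workaround 1: no setuid starter, so no root-privileged kernel mounts at all
  # (the host needs unprivileged user namespaces for this to be usable).
  if [ "$setuid" = "no" ]; then
    echo "$f: allow setuid = no (mitigated)"
    return 0
  fi
  # Workaround 2: extfs overlays refused AND SIF files limited to trusted
  # owners/groups/paths; the advisory asks for both together.
  if [ "$extfs" = "no" ] && [ -n "$limits" ]; then
    echo "$f: extfs disallowed and containers limited to trusted sources (mitigated)"
    return 0
  fi
  if [ "$extfs" = "no" ] || [ -n "$limits" ]; then
    echo "$f: only one half of the extfs/limit-container workaround is set (partial)"
  else
    echo "$f: setuid mode lets any user mount extfs images (vulnerable)"
  fi
  return 1
}

# Constructed sample configurations so the script runs stand-alone.
demo_dir=$(mktemp -d)
cat > "$demo_dir/default.conf" <<'EOF'
# constructed: typical pre-1.1.8 defaults
allow setuid = yes
allow container extfs = yes
limit container owners =
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
# constructed: advisory workaround applied
allow setuid = yes
allow container extfs = no
limit container owners = root, hpcadmin
EOF
for f in "$demo_dir/default.conf" "$demo_dir/hardened.conf"; do
  check_apptainer_conf "$f" || true
done
rm -rf "$demo_dir"
```

Run it against /etc/apptainer/apptainer.conf (or the singularity.conf of an older install) with check_apptainer_conf; a non-zero exit means the host still relies on the apptainer-suid 1.1.8 patch rather than on a configuration workaround. The check reads configuration only; it does not verify whether the host kernel carries the ext4 fix.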

Weakness Enumeration

Use After Free (CWE-416)

Related Identifiers

CVE-2023-30549
GHSA-J4RF-7357-F4CG
GO-2023-1738
OPENSUSE-SU-2024:0244-1
OPENSUSE-SU-2024:12894-1

Affected Products

Red Hat
Ubuntu