English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.856342
Category:openSUSE Local Security Checks
Title:openSUSE Security Advisory (openSUSE-SU-2024:0244-1)
Summary:The remote host is missing an update for the 'apptainer' package(s) announced via the openSUSE-SU-2024:0244-1 advisory.
Description:Summary:
The remote host is missing an update for the 'apptainer' package(s) announced via the openSUSE-SU-2024:0244-1 advisory.

Vulnerability Insight:
This update for apptainer fixes the following issues:

- Make sure, digest values handled by the Go library
github.com/opencontainers/go-digest and used throughout the
Go-implemented containers ecosystem are always validated. This
prevents attackers from triggering unexpected authenticated
registry accesses. (CVE-2024-3727, boo#1224114).


- Updated apptainer to version 1.3.0
* FUSE mounts are now supported in setuid mode, enabling full
functionality even when kernel filesystem mounts are insecure due to
unprivileged users having write access to raw filesystems in
containers. When allow `setuid-mount extfs = no` (the default) in
apptainer.conf, then the fuse2fs image driver will be used to mount
ext3 images in setuid mode instead of the kernel driver (ext3 images
are primarily used for the `--overlay` feature), restoring
functionality that was removed by default in Apptainer 1.1.8 because
of the security risk.
The allow `setuid-mount squashfs` configuration option in
`apptainer.conf` now has a new default called `iflimited` which allows
kernel squashfs mounts only if there is at least one `limit container`
option set or if Execution Control Lists are activated in ecl.toml.
If kernel squashfs mounts are are not allowed, then the squashfuse
image driver will be used instead.
`iflimited` is the default because if one of those limits are used
the system administrator ensures that unprivileged users do not have
write access to the containers, but on the other hand using FUSE
would enable a user to theoretically bypass the limits via `ptrace()`
because the FUSE process runs as that user.
The `fuse-overlayfs` image driver will also now be tried in setuid
mode if the kernel overlayfs driver does not work (for example if
one of the layers is a FUSE filesystem). In addition, if `allow
setuid-mount encrypted = no` then the unprivileged gocryptfs format
will be used for encrypting SIF files instead of the kernel
device-mapper. If a SIF file was encrypted using the gocryptfs
format, it can now be mounted in setuid mode in addition to
non-setuid mode.
* Change the default in user namespace mode to use either kernel
overlayfs or fuse-overlayfs instead of the underlay feature for the
purpose of adding bind mount points. That was already the default in
setuid mode, this change makes it consistent. The underlay feature
can still be used with the `--underlay` option, but it is deprecated
because the implementation is complicated and measurements have
shown that the performance of underlay is similar to overlayfs and
fuse-overlayfs.
For now the underlay feature can be made the default again with a
new `preferred` value on the `enable underlay` configuration option.
Also the `--underlay` option can be used in setuid mode or as the
root user, although it was ignored previously.
* Prefer again to use kernel overlayfs over fuse-overlayfs when a
... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'apptainer' package(s) on openSUSE Leap 15.5.

Solution:
Please install the updated package(s).

CVSS Score:
7.6

CVSS Vector:
AV:N/AC:H/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2023-30549
https://security.gentoo.org/glsa/202311-13
https://access.redhat.com/security/cve/cve-2022-1184
https://github.com/apptainer/apptainer/commit/5a4964f5ba9c8d89a0e353b97f51fd607670a9f7
https://github.com/apptainer/apptainer/releases/tag/v1.1.8
https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg
https://github.com/torvalds/linux/commit/2220eaf90992c11d888fe771055d4de3303
https://github.com/torvalds/linux/commit/4f04351888a83e595571de672e0a4a8b74f
https://lwn.net/Articles/932136/
https://lwn.net/Articles/932137/
https://security-tracker.debian.org/tracker/CVE-2022-1184
https://sylabs.io/2023/04/response-to-cve-2023-30549/
https://ubuntu.com/security/CVE-2022-1184
https://www.suse.com/security/cve/CVE-2022-1184.html
Common Vulnerability Exposure (CVE) ID: CVE-2023-38496
https://github.com/apptainer/apptainer/pull/1523
https://github.com/apptainer/apptainer/pull/1578
https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx
Common Vulnerability Exposure (CVE) ID: CVE-2024-3727
RHBZ#2274767
https://bugzilla.redhat.com/show_bug.cgi?id=2274767
https://access.redhat.com/security/cve/CVE-2024-3727
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN/
CopyrightCopyright (C) 2024 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.