syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the     `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are     cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of     the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the     hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
    (CVE-2022-39237)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0018-1 advisory.

  - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the     header canonicalization cache via HTTP/2 requests. (CVE-2021-44716)

  - Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or     unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-     descriptor exhaustion. (CVE-2021-44717)

  - syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the     `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are     cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of     the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the     hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
    (CVE-2022-39237)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202210-19 (Apptainer: Lack of Digital Signature Hash Verification)

  - syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the     `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are     cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of     the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the     hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
    (CVE-2022-39237)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
224924	Linux Distros Unpatched Vulnerability : CVE-2022-39237	Nessus	Misc.	critical
170057	openSUSE 15 Security Update : apptainer (openSUSE-SU-2023:0018-1)	Nessus	SuSE Local Security Checks	critical
166719	GLSA-202210-19 : Apptainer: Lack of Digital Signature Hash Verification	Nessus	Gentoo Local Security Checks	critical

Detections

Analytics

CVE-2022-39237

critical

Tenable Plugins

critical

critical

critical