Detections
Analytics
GLSA-202210-19 : Apptainer: Lack of Digital Signature Hash Verification
critical Nessus Plugin ID 166719
Language:
Description
The remote host is affected by the vulnerability described in GLSA-202210-19 (Apptainer: Lack of Digital Signature Hash Verification)- syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
(CVE-2022-39237)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
All Apptainer users should upgrade to the latest version:# emerge --sync # emerge --ask --oneshot --verbose >=app-containers/apptainer-1.1.2
See Also
Plugin Details
Severity: Critical
ID: 166719
File Name: gentoo_GLSA-202210-19.nasl
Version: 1.3
Type: local
Family: Gentoo Local Security Checks
Published: 10/31/2022
Updated: 10/6/2023
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2022-39237
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:gentoo:linux:apptainer, cpe:/o:gentoo:linux
Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list
Exploit Ease: No known exploits are available
Patch Publication Date: 10/31/2022
Vulnerability Publication Date: 10/6/2022
Reference Information
CVE: CVE-2022-39237