Response to CVE-2023-30549
The Apptainer project has recently published CVE-2023-30549. The associated
Executive Order 14028, Section 4(a), frames the problem this way: "The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software."
You don’t have to look further than the SolarWinds hack or the security flaw in the ubiquitous Log4j framework to understand why this has taken on increased urgency. Verifying the authenticity and integrity of software at the moment it is installed or run, using a signature and an X.509 certificate chain, is a well-understood process. Long-lived container images are harder. A container may stay in use for many years, while the certificate (or the key behind it) that signed it typically expires or is rotated long before the container’s usable lifetime ends. A verifier that simply checks the signing certificate against the current clock will then reject a signature that was perfectly valid when it was made. There are many areas where this kind of long-term signing of containers is an important consideration.
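The failure mode described above, reproduced as an added example that is not part of the original post and not Sylabs’ or Apptainer’s own code: a stand-in "container image" (a constructed file) is signed with a certificate valid for one day, and the same signature is then verified at two points in time using OpenSSL’s `-attime` verification option. The file names, the subject name and the one-day validity window are assumptions chosen to make the expiry case reproducible; it requires `openssl` on the PATH.

```shell
#!/bin/sh
# Added example (not Sylabs/Apptainer code). Shows why a signing certificate's
# validity window matters for long-lived containers: the signature does not
# change, but a verifier that uses the current clock rejects it once the
# certificate has expired.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a container image (a real image would be a SIF or OCI blob).
printf 'pretend this is a container image\n' > "$WORK/image.sif"

# Self-signed signing certificate that expires one day from now. Assumption: a
# short window makes the expiry case easy to reproduce; real signing certs
# usually last 1-3 years, still far shorter than many containers' lifetimes.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=container-signer (example)" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Detached CMS (PKCS#7) signature over the image, as a build pipeline would
# produce at signing time.
sign_image() {
  openssl cms -sign -binary -in "$WORK/image.sif" \
    -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -outform DER -out "$WORK/image.sig"
}

# Verify the detached signature as if the clock read $1 (seconds since epoch).
# Echoes "valid" or "invalid" and returns 0/1 so callers can branch on it.
verify_at() {
  if openssl cms -verify -binary -inform DER -in "$WORK/image.sig" \
       -content "$WORK/image.sif" -CAfile "$WORK/cert.pem" \
       -attime "$1" -out /dev/null >/dev/null 2>&1; then
    echo valid
    return 0
  else
    echo invalid
    return 1
  fi
}

make_signer
sign_image
NOW=$(date +%s)

# Inside the certificate's window: the signature verifies.
verify_at "$NOW"

# Thirty days later the certificate has expired; the very same signature is now
# rejected even though nothing about the image or the signature changed.
verify_at $((NOW + 30 * 86400)) || true

# Verifying again at the original signing time succeeds: this is what a
# long-term signing scheme has to be able to justify doing.
verify_at "$NOW"
```

The last call is the crux. Re-verifying at the signing time only restores trust if that time is attested by something other than the signer, such as an RFC 3161 timestamp token or a transparency log entry; pointing `-attime` at the signer’s own claimed `signingTime` attribute just recreates the problem, because an attacker holding the expired key could backdate it. The alternatives are to re-sign (or counter-sign) images before their certificates expire, or to verify against the validity window that was in force when the signature was made and record the evidence for that.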
SingularityCE 3.11 was released on 10th February, and is available for download from the GitHub release page. This version brings a host of new features, including: OCI Runtime Mode – with the new experimental '--oci' mode, users can run containers from a native OCI...
Sylabs, the global leader in providing tools and services for performance-intensive container technology, today announced that it has released SingularityCE 3.11, taking a big step towards full OCI compatibility in the future 4.0 release. The newest update adds a...