CVE-2023-30549

7.1 HIGH

📋 TL;DR

This CVE is an Apptainer-side exposure of a kernel bug. Apptainer's setuid-root mode lets unprivileged users have the kernel mount ext filesystem images (extfs), which puts a use-after-free in the kernel's ext4 driver (CVE-2022-1184) within reach of any local user who can run containers. On a host whose kernel is still unpatched for that flaw, such a user can crash the kernel or potentially escalate to root. Affected are Apptainer versions before 1.1.0 (where the setuid starter ships in the main package) and installations with apptainer-suid before 1.1.8, on older Linux distributions whose kernels carry the ext4 bug.

💻 Affected Systems

Products:
  • Apptainer
  • apptainer-suid
Versions: Apptainer < 1.1.0, apptainer-suid < 1.1.8
Operating Systems: Red Hat Enterprise Linux 7, Debian 10 buster (without linux-5.10), Ubuntu 18.04 bionic, Ubuntu 20.04 focal
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only through the setuid-root starter with extfs mounting allowed (allow container extfs = yes, the default before 1.1.8), and only on a host whose kernel is unpatched for CVE-2022-1184. Non-setuid (user namespace) installations do not hand the image to the kernel ext4 driver and are not affected.

📦 What is this software?

Apptainer (formerly Singularity) is an open source container platform for Linux, widely used on HPC clusters. It is commonly installed with a setuid-root starter so that unprivileged users can have the kernel mount container and overlay images directly; that setuid path is where this issue lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Privilege escalation to root access on the host system, allowing complete system compromise.

🟠

Likely Case

Denial of service through kernel crashes or system instability.

🟢

If Mitigated

Limited impact once extfs mounting is disabled in setuid mode or setuid mode is turned off; the cost is reduced functionality, since containers that depend on ext filesystem images (for example overlay images) may no longer work in setuid mode.

🌐 Internet-Facing: MEDIUM - Requires local access or ability to upload malicious containers to internet-facing systems.
🏢 Internal Only: HIGH - Internal users with container execution privileges could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a local account that can run Apptainer in setuid-root mode, and a host kernel that is still unpatched for CVE-2022-1184. Apptainer's part is only to pass a user-controlled ext filesystem image to the kernel driver; the memory-safety bug itself is in the kernel.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apptainer 1.1.8

Vendor Advisory: https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg

Restart Required: No

Instructions:

1. Update Apptainer to 1.1.8 or later. The kernel fix for CVE-2022-1184 is a separate update and, unlike the Apptainer update, needs a reboot.
2. If the setuid component is installed, update apptainer-suid to 1.1.8 or later as well; it is built from the same release and should match the apptainer version.
3. Confirm that the option introduced in 1.1.8, allow setuid-mount extfs, is absent from apptainer.conf or set to no (its default). That is what closes the path: the setuid starter no longer mounts ext filesystem images through the kernel driver unless this is explicitly re-enabled.

🔧 Temporary Workarounds

Disable setuid mode

Prevents the setuid-root starter from being used at all. Apptainer then runs in unprivileged user-namespace mode, which requires unprivileged user namespaces to be enabled in the kernel (RHEL 7 and Debian 10 disable them by default, so test a container before rolling this out). Edit the existing line rather than appending a duplicate key; the file lives under /usr/local/etc/apptainer/ for source installs:

  sed -i 's/^allow setuid = yes/allow setuid = no/' /etc/apptainer/apptainer.conf

Remove apptainer-suid package

For Apptainer 1.1.0 through 1.1.7, uninstalling the setuid component leaves the non-setuid install, which is not affected (same user-namespace caveat as above):

  apt remove apptainer-suid   # Debian/Ubuntu
  yum remove apptainer-suid   # RHEL/CentOS

Disable extfs mounting and restrict who can run containers

The targeted workaround from the advisory: keep setuid mode but stop the setuid starter from mounting ext filesystem images. Again edit the existing line:

  sed -i 's/^allow container extfs = yes/allow container extfs = no/' /etc/apptainer/apptainer.conf

Optionally restrict container execution to trusted users and locations with the limit container owners, limit container groups and limit container paths options in apptainer.conf. These limits only apply in setuid mode, which is exactly the mode at issue here.

🧯 If You Can't Patch

  • Any one of the workarounds removes the exposure: turn off setuid mode or remove apptainer-suid where user namespaces are available, or keep setuid mode and set allow container extfs = no
  • Patch the host kernel for CVE-2022-1184 and reboot; without the kernel bug, the Apptainer behaviour is not exploitable through this CVE

🔍 How to Verify

Check if Vulnerable:

Record the Apptainer version, whether apptainer-suid (or, before 1.1.0, a setuid starter) is installed, and the values of allow setuid and allow container extfs in apptainer.conf. A host is vulnerable when setuid mode is in use, extfs mounting is allowed, the Apptainer version is below 1.1.8, and the kernel is unpatched for CVE-2022-1184.

Check Version:

apptainer --version
dpkg -l apptainer-suid 2>/dev/null || rpm -q apptainer-suid
grep -E '^allow (setuid|container extfs|setuid-mount extfs) ' /etc/apptainer/apptainer.conf

Verify Fix Applied:

Confirm that apptainer and apptainer-suid both report 1.1.8 or later, and that apptainer.conf either omits allow setuid-mount extfs or sets it to no (the 1.1.8 default). Separately confirm the kernel carries the CVE-2022-1184 fix.
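As an added example covering both the workaround configuration and the verification steps above (not code from the advisory or from the Apptainer project): a POSIX shell check that encodes this page's exposure conditions and evaluates them against a constructed apptainer.conf. It assumes the config keys named on this page, plus the option added in 1.1.8, allow setuid-mount extfs (default no); the live_check helper additionally assumes that apptainer buildcfg prints LIBEXECDIR= and SYSCONFDIR= lines. The kernel patch state for CVE-2022-1184 is deliberately left to a separate check.

```shell
#!/bin/sh
# Added example, not part of the vendor advisory or the Apptainer project.
# Exposure = a setuid-root starter in use AND ext filesystem mounting reachable
# through it (before 1.1.8: "allow container extfs", default yes; from 1.1.8:
# "allow setuid-mount extfs", default no). Inputs are passed as arguments so the
# logic can be exercised against a constructed config instead of the live host.

# version_lt A B: true (exit 0) when dotted version A sorts before B.
# A leading "v" and distro suffixes such as "1.1.8-1.el7" are ignored.
version_lt() {
    a=${1#v}; a=${a%%[!0-9.]*}
    b=${2#v}; b=${b%%[!0-9.]*}
    [ "$a" = "$b" ] && return 1
    low=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$low" = "$a" ]
}

# conf_value FILE KEY: print the value of the last uncommented "KEY = value"
# line; prints nothing when the key is absent (the caller applies the default).
conf_value() {
    awk -F' *= *' -v key="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 { sub(/^[ \t]+/, "", $1); sub(/[ \t]+$/, "", $2)
                  if ($1 == key) val = $2 }
        END { print val }' "$1"
}

# apptainer_exposed VERSION SUID_INSTALLED CONF
#   VERSION        Apptainer version, e.g. "1.1.7"
#   SUID_INSTALLED "yes" if a setuid-root starter is installed (apptainer-suid,
#                  or a setuid install of Apptainer < 1.1.0), otherwise "no"
#   CONF           path to apptainer.conf
# Prints a verdict; exit 0 = the setuid extfs path is reachable, 1 = it is not.
apptainer_exposed() {
    ver=$1; suid=$2; conf=$3
    if [ "$suid" != yes ]; then
        echo "not exposed: no setuid-root starter installed"; return 1
    fi
    if [ "$(conf_value "$conf" 'allow setuid')" = no ]; then
        echo "not exposed: allow setuid = no"; return 1
    fi
    if version_lt "$ver" 1.1.8; then
        if [ "$(conf_value "$conf" 'allow container extfs')" = no ]; then
            echo "not exposed: allow container extfs = no (version $ver)"; return 1
        fi
        echo "EXPOSED: version $ver < 1.1.8 in setuid mode with extfs mounting allowed"
        return 0
    fi
    if [ "$(conf_value "$conf" 'allow setuid-mount extfs')" = yes ]; then
        echo "EXPOSED: allow setuid-mount extfs = yes re-enables the risky path (version $ver)"
        return 0
    fi
    echo "not exposed: version $ver with setuid extfs mounting disabled (1.1.8 default)"
    return 1
}

# live_check: gather the three inputs from this host. Assumes `apptainer buildcfg`
# prints KEY=VALUE lines including LIBEXECDIR and SYSCONFDIR (an assumption about
# the tool's output; adjust the paths if your install differs).
live_check() {
    command -v apptainer >/dev/null 2>&1 || { echo "apptainer not installed"; return 1; }
    ver=$(apptainer --version | awk '{ print $NF }')
    libexec=$(apptainer buildcfg | awk -F= '$1 == "LIBEXECDIR" { print $2 }')
    sysconf=$(apptainer buildcfg | awk -F= '$1 == "SYSCONFDIR" { print $2 }')
    suid=no
    [ -u "$libexec/apptainer/bin/starter-suid" ] && suid=yes
    apptainer_exposed "$ver" "$suid" "$sysconf/apptainer/apptainer.conf"
}

# Demo against a constructed config excerpt (not taken from any real host):
# the pre-1.1.8 default beside the advisory's workaround.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed apptainer.conf excerpt' \
        'allow setuid = yes' 'allow container extfs = yes' > "$tmp"
    apptainer_exposed 1.1.7 yes "$tmp"
    printf '%s\n' 'allow setuid = yes' 'allow container extfs = no' > "$tmp"
    apptainer_exposed 1.1.7 yes "$tmp"
    rm -f "$tmp"
}
demo
```

Run it as-is to see the constructed exposed and mitigated configs evaluated; on a real host, call live_check instead to apply the same logic to the installed Apptainer.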

📡 Detection & Monitoring

Log Indicators:

  • Kernel log entries (dmesg, journalctl -k) showing ext4 errors, warnings or an oops on hosts where Apptainer runs in setuid mode; a crash triggered this way names ext4 in the trace
  • Apptainer setuid invocations that supply user-controlled ext filesystem images, such as overlay images, from accounts with no legitimate reason to use them
  • auditd execve records for the setuid starter (starter-suid under Apptainer's libexec directory) from unexpected accounts

Network Indicators:

  • N/A - local exploitation only

SIEM Query:

Search for: ('apptainer' OR 'starter-suid') AND ('ext4' OR 'extfs' OR 'setuid') AND (error OR failed OR crash OR 'Oops')

🔗 References

  • Vendor advisory GHSA-j4rf-7357-f4cg: https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg
  • NVD entry for this CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-30549
  • Underlying kernel flaw CVE-2022-1184: https://nvd.nist.gov/vuln/detail/CVE-2022-1184
