PT-2021-22427 · Unknown · Coreos-Installer

Xlejo · Published 2021-11-08 · Updated 2022-08-26 · CVE-2021-3917

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

coreos-installer versions prior to 0.10.0

Description

A flaw was found in coreos-installer, which writes the Ignition config to the target system with world-readable access permissions. This flaw allows a local attacker to have read access to potentially sensitive data, posing a threat to confidentiality. On systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to /boot/ignition/config.ign with world-readable permissions, granting unprivileged users access to any secrets included in the config.

Recommendations

For coreos-installer versions prior to 0.10.0, update to coreos-installer 0.10.0 or later, which writes the Ignition config with restricted permissions. On Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, no action is required, as the /boot/ignition directory and its contents are removed after provisioning is complete. On other systems, manually remove /boot/ignition/config.ign by running the commands:

    sudo mount -o remount,rw /boot
    sudo rm -rf /boot/ignition

As a temporary workaround, consider restricting access to the /boot/ignition/config.ign file until a patch is available.
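
To find hosts that still carry the leftover config, the following added example (not part of the advisory or of coreos-installer) classifies the permissions on /boot/ignition/config.ign. The function names and the optional ROOT prefix argument, used to audit a mounted image instead of the live system, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify exposure of the Ignition config that
# coreos-installer < 0.10.0 leaves in /boot/ignition/config.ign.
# Function names and the ROOT argument are hypothetical.

# has_mode_bits PATH OCTAL
# Succeeds when every permission bit in OCTAL is set on PATH.
# Looks at the mode bits only, so the result is the same for any caller
# that is able to stat PATH.
has_mode_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# ignition_config_status [ROOT]
# Prints exactly one word:
#   absent          config.ign does not exist (already cleaned up)
#   world-readable  file has o+r and /boot/ignition has o+x
#   dir-restricted  file has o+r, but the directory denies search to others
#   restricted      file has no read bit for others
ignition_config_status() {
    root="${1:-}"
    dir="$root/boot/ignition"
    cfg="$dir/config.ign"

    if [ ! -e "$cfg" ]; then
        echo absent
    elif ! has_mode_bits "$cfg" 0004; then
        echo restricted
    elif has_mode_bits "$dir" 0001; then
        echo world-readable
    else
        echo dir-restricted
    fi
}

# Example use on a live host (run as root so the file can be seen even
# when /boot/ignition is locked down):
#   [ "$(ignition_config_status)" = world-readable ] && echo "remediate"
```

A `dir-restricted` or `restricted` result still means the config, and any secrets in it, is on disk; removal as described above remains the complete fix.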

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2021-3917
GHSA-862G-9H5M-M3QV
RHSA-2021:3758
RHSA-2021:4829

Affected Products

Coreos-Installer