CVE-2022-1706

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Ignition versions prior to 2.14.0

Description A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality.

Recommendations For Ignition versions prior to 2.14.0, consider upgrading to Ignition 2.14.0 or later, which adds a new systemd service, ignition-delete-config.service, that deletes the Ignition config from supported hypervisors during the first boot. As a temporary workaround, avoid storing secrets in Ignition configs. If you have external tooling that requires the Ignition config to remain accessible in VM metadata after provisioning, and your Ignition config does not include sensitive information, you can prevent Ignition 2.14.0 and later from deleting the config by masking ignition-delete-config.service.

Fix

Incorrect Authorization

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863CWE-200CWE-921

Related Identifiers

ALSA-2022:8126

ALT-PU-2022-2057

ALT-PU-2022-2559

BDU:2022-04103

CVE-2022-1706

GHSA-HJ57-J5CW-2MWP

GHSA-MJQC-5C9X-XFCC

GO-2022-0451

OPENSUSE-SU-2022_2866-1

RHSA-2022:5068

RHSA-2022:8126

RHSA-2022_8126

RLSA-2022:8126

SUSE-SU-2022:2349-1

SUSE-SU-2022:2349-2

SUSE-SU-2022:2350-1

SUSE-SU-2022:2866-1

SUSE-SU-2022:2866-2

SUSE-SU-2022_2866-1

Affected Products

Alt Linux

Almalinux

Ignition

Red Hat

Rocky Linux

Suse

CVE-2022-1706

Weakness Enumeration

Related Identifiers

Affected Products

References · 52