Bug 2082274 (CVE-2022-1706) - CVE-2022-1706 ignition: configs are accessible from unprivileged containers in VMs running on VMware products
Summary: CVE-2022-1706 ignition: configs are accessible from unprivileged containers in VMs running on VMware products
Status: CLOSED ERRATA
Alias: CVE-2022-1706
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium priority, medium severity
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2082422 2082423 2082424 2083008
Blocks: 2082273 2085366
 
Reported: 2022-05-05 17:48 UTC by Todd Cullum
Modified: 2022-12-07 01:33 UTC

Fixed In Version: ignition 2.14.0
Doc Text:
A vulnerability was found in Ignition, where Ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets.
Last Closed: 2022-12-07 01:33:10 UTC




Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2022:5068  2022-08-10 10:09:30 UTC
Red Hat Product Errata  RHSA-2022:8126  2022-11-15 10:21:48 UTC

Description Todd Cullum 2022-05-05 17:48:47 UTC
Ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. We don't recommend putting secrets in the Ignition config, but presumably some users do it anyway.

References:
https://github.com/coreos/ignition/issues/1300
https://github.com/coreos/ignition/pull/1350
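
The description above ties the impact of this bug to one condition: whether the Ignition config carries secrets. The scanner below is an added example for this report, not Ignition project code and not taken from the linked issue or pull request. It parses an Ignition 3.x config and flags the places where secrets usually end up: inline file contents decoded from data: URLs, passwordHash entries under passwd.users, and Authorization-style httpHeaders attached to remote config or file fetches. The detection patterns, the header names and the sample config are assumptions constructed for illustration.

```python
"""Flag secret-looking material in an Ignition 3.x config before it reaches a hypervisor.

Added example for this bug report; not Ignition project code.
"""
import base64
import json
import re
import urllib.parse

# Heuristic indicators of secrets inside decoded file contents.
# Assumption: illustrative patterns only; extend them for your environment.
SECRET_PATTERNS = [
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential assignment", re.compile(r"(?i)\b(password|passwd|secret|token)\s*[=:]\s*\S+")),
]
# Request headers that usually carry credentials when Ignition fetches remote content
# (assumption: add whatever your config servers expect).
SENSITIVE_HEADERS = ("authorization", "x-auth-token")


def decode_data_url(source):
    """Decode a data: URL the way Ignition embeds inline file contents.
    Returns None for non-inline sources (http, https, tftp, s3, ...)."""
    if not source.startswith("data:"):
        return None
    header, _, payload = source[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8", errors="replace")
    return urllib.parse.unquote(payload)


def _check_headers(where, headers, findings):
    """Flag credential-bearing httpHeaders (spec 3.1+) on a remote fetch."""
    for h in headers or []:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            findings.append((where, f"httpHeaders carries {h['name']}"))


def find_secrets(config):
    """Return a list of (location, reason) findings for a parsed Ignition 3.x config."""
    findings = []
    for f in config.get("storage", {}).get("files", []):
        where = f"storage.files[{f.get('path', '<no path>')}]"
        # Both the primary contents and any append entries can embed data.
        for src in [f.get("contents", {})] + f.get("append", []):
            _check_headers(where, src.get("httpHeaders"), findings)
            text = decode_data_url(src.get("source", ""))
            if text is None:
                continue
            for label, pattern in SECRET_PATTERNS:
                if pattern.search(text):
                    findings.append((where, f"inline contents look like a {label}"))
    for u in config.get("passwd", {}).get("users", []):
        if u.get("passwordHash"):
            findings.append((f"passwd.users[{u.get('name', '?')}]", "passwordHash present"))
    cfg = config.get("ignition", {}).get("config", {})
    for i, m in enumerate(cfg.get("merge", [])):
        _check_headers(f"ignition.config.merge[{i}]", m.get("httpHeaders"), findings)
    _check_headers("ignition.config.replace", cfg.get("replace", {}).get("httpHeaders"), findings)
    return findings


def scan(config_json):
    """Parse an Ignition config from JSON text and return its findings."""
    return find_secrets(json.loads(config_json))


# Constructed sample config (not from any real deployment): a harmless file, a file
# embedding a fake private key, a user with a password hash, and a remote merge
# that authenticates with a bearer token.
FAKE_KEY = b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n"
SAMPLE_CONFIG = json.dumps({
    "ignition": {
        "version": "3.2.0",
        "config": {"merge": [{
            "source": "https://config.example.invalid/worker.ign",
            "httpHeaders": [{"name": "Authorization", "value": "Bearer example-token"}],
        }]},
    },
    "storage": {"files": [
        {"path": "/etc/hostname", "contents": {"source": "data:,worker-01%0A"}},
        {"path": "/root/.ssh/id_ed25519", "mode": 384,
         "contents": {"source": "data:text/plain;base64," + base64.b64encode(FAKE_KEY).decode()}},
    ]},
    "passwd": {"users": [{"name": "core", "passwordHash": "$6$saltsalt$hashhash"}]},
})

if __name__ == "__main__":
    for location, reason in scan(SAMPLE_CONFIG):
        print(f"{location}: {reason}")
```

Run it against the final rendered config (for example the JSON produced from a Butane file) before it is handed to the hypervisor. A clean result only means nothing matched these heuristics, not that the config is free of secrets; on hosts still running Ignition older than 2.14.0, the version this page lists as fixed, keeping secrets out of the config entirely is the only mitigation the report offers.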

Comment 1 TEJ RATHI 2022-05-06 06:38:07 UTC
Created ignition tracking bugs for this issue:

Affects: epel-7 [bug 2082423]
Affects: fedora-all [bug 2082422]

Comment 4 TEJ RATHI 2022-05-13 07:15:36 UTC
CVE-2022-1706 assigned.

Comment 7 errata-xmlrpc 2022-08-10 10:09:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068

Comment 10 errata-xmlrpc 2022-11-15 10:21:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8126 https://access.redhat.com/errata/RHSA-2022:8126

Comment 12 Product Security DevOps Team 2022-12-07 01:33:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1706

