CVE-2021-3917: coreos-installer < 0.10.0 writes world-readable Ignition config to installed system
On systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to /boot/ignition/config.ign with world-readable permissions, granting unprivileged users access to any secrets included in the config.

Default configurations of Fedora CoreOS and RHEL CoreOS do not include any unprivileged user accounts. In addition, instances launched from a cloud image, and systems provisioned with the ignition.config.url kernel argument, do not use the config.ign file and are unaffected.
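The condition described above is a plain file-permission check, so an operator can audit an already-installed host for it and tighten the mode in place. The following is an added example, not code from the advisory or from the coreos-installer project; it reads the mode of /boot/ignition/config.ign (the path named in the advisory), reports whether the "other" read bit is set, and optionally restricts the file to owner-only access. The 0600 target mode is this example's assumption: the advisory does not state the exact mode the upstream fix applies. A missing file is not treated as a finding, because cloud-image and ignition.config.url installs never write config.ign.

```python
import os
import stat
import tempfile

# Path that coreos-installer < 0.10.0 wrote the Ignition config to (from the advisory).
IGNITION_CONFIG_PATH = "/boot/ignition/config.ign"

# Owner-only mode applied as the mitigation. Assumption: the advisory does not
# state the mode the upstream fix uses; 0600 is the conservative choice.
OWNER_ONLY_MODE = 0o600


def is_world_readable(mode: int) -> bool:
    """Return True if the 'other' read bit is set in a permission-bits value."""
    return bool(mode & stat.S_IROTH)


def audit_ignition_config(path: str = IGNITION_CONFIG_PATH) -> dict:
    """Report the permission state of the Ignition config without changing it.

    Returns {"exists": bool, "mode": octal string or None, "world_readable": bool}.
    A missing file is not a finding: only config.ign-based installs are affected.
    """
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return {"exists": False, "mode": None, "world_readable": False}
    perm = stat.S_IMODE(st.st_mode)  # strip file-type bits, keep rwx bits
    return {"exists": True, "mode": oct(perm), "world_readable": is_world_readable(perm)}


def restrict_ignition_config(path: str = IGNITION_CONFIG_PATH) -> dict:
    """Mitigate a world-readable config by clearing group/other bits.

    Returns the post-fix audit so the caller can confirm the new state.
    """
    before = audit_ignition_config(path)
    if before["exists"] and before["world_readable"]:
        os.chmod(path, OWNER_ONLY_MODE)
    return audit_ignition_config(path)


def demo() -> tuple:
    """Constructed demonstration: a temp file standing in for a 0644 config.ign.

    Returns (world_readable_before, world_readable_after, mode_after).
    """
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "config.ign")
        with open(p, "w") as f:
            f.write('{"ignition": {"version": "3.3.0"}}\n')  # constructed sample config
        os.chmod(p, 0o644)  # reproduce the vulnerable, world-readable state
        before = audit_ignition_config(p)
        after = restrict_ignition_config(p)
    return before["world_readable"], after["world_readable"], after["mode"]


if __name__ == "__main__":
    # On a real host this inspects /boot/ignition/config.ign; the demo uses a temp file.
    print("host audit:", audit_ignition_config())
    print("demo (before, after, mode):", demo())
```

Run the audit on an installed host before deciding whether to call `restrict_ignition_config`; upgrading to coreos-installer 0.10.0 fixes the behaviour for future installs but does not change files already written by an older version.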
References
- access.redhat.com/security/cve/CVE-2021-3917
- bugzilla.redhat.com/show_bug.cgi?id=2018478
- github.com/advisories/GHSA-862g-9h5m-m3qv
- github.com/coreos/coreos-installer
- github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c
- github.com/coreos/coreos-installer/releases/tag/v0.10.0
- github.com/coreos/coreos-installer/security/advisories/GHSA-862g-9h5m-m3qv
- github.com/coreos/fedora-coreos-tracker/issues/889
- nvd.nist.gov/vuln/detail/CVE-2021-3917