CVE-2022-1706: 
Podman vulnerability analysis and mitigation

A vulnerability (CVE-2022-1706) was discovered in Ignition, affecting configurations accessible from unprivileged containers in VMs running on VMware products. The vulnerability was identified on May 17, 2022, and primarily impacts environments where the Ignition config contains secrets. Ignition is a utility used for first boot installation and system configuration, including tasks like partitioning disks, formatting partitions, and writing files (NVD).

The vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper authorization (CWE-863) where unprivileged containers can access Ignition configurations that may contain sensitive information. The vulnerability specifically affects systems where Ignition configs are stored in VMware's guestinfo or VirtualBox's guest properties (Red Hat Bugzilla).

The primary impact of this vulnerability is to data confidentiality, as it allows unprivileged containers to access potentially sensitive information stored in Ignition configurations. This could include secrets such as disk encryption keys or sensitive configuration data for systemd services (GitHub Issue).

The vulnerability was addressed in Ignition version 2.14.0, which introduced functionality to automatically delete userdata from VirtualBox/VMware after Ignition completes. A temporary workaround for affected versions is to avoid putting secrets in the Ignition config. The fix includes a new ignition-rmcfg multicall binary and corresponding service that runs in the real root to delete the Ignition config from the hypervisor (GitHub PR).