CVE-2022-2084
Published: 29 June 2022
logged schema failures can include password hashes from 20.04 installations
From the Ubuntu Security Team
Mike Stroyan discovered that cloud-init could log password hashes when reporting schema failures. An attacker with access to these logs could potentially use this to gain user credentials.
Notes
| Author | Note |
|---|---|
| sbeattie | introduced in 22.2, therefore xenial and trusty are not affected |
Mitigation
The Ubuntu update to address this attempted to redact information contained in /var/log/cloud-init.log. Additional logs may require the removal of sensitive information; such information would be preceded by the following text: Invalid cloud-config provided:
Priority
Medium
Status
| Package | Release | Status |
|---|---|---|
|
cloud-init Launchpad, Ubuntu, Debian |
bionic |
Released
(22.2-0ubuntu1~18.04.3)
|
| focal |
Released
(22.2-0ubuntu1~20.04.3)
|
|
| impish |
Released
(22.2-0ubuntu1~21.10.3)
|
|
| jammy |
Released
(22.2-0ubuntu1~22.04.3)
|
|
| kinetic |
Released
(22.2-64-g1fcd55d6-0ubuntu1~22.10.1)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d57871f11ea88c |
||