CVE-2022-2084
Published: 29 June 2022
Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.
From the Ubuntu Security Team
Mike Stroyan discovered that cloud-init could log password hashes when reporting schema failures. An attacker with access to these logs could potentially use this to gain user credentials.
Notes
| Author | Note |
|---|---|
| sbeattie | introduced in 22.2, therefore xenial and trusty are not affected |
Mitigation
The Ubuntu update to address this attempted to redact information contained in /var/log/cloud-init.log. Additional logs may require the removal of sensitive information; such information would be preceded by the following text: Invalid cloud-config provided:
Priority
Status
| Package | Release | Status |
|---|---|---|
|
cloud-init Launchpad, Ubuntu, Debian |
bionic |
Released
(22.2-0ubuntu1~18.04.3)
|
| focal |
Released
(22.2-0ubuntu1~20.04.3)
|
|
| impish |
Released
(22.2-0ubuntu1~21.10.3)
|
|
| jammy |
Released
(22.2-0ubuntu1~22.04.3)
|
|
| kinetic |
Released
(22.2-64-g1fcd55d6-0ubuntu1~22.10.1)
|
|
| upstream |
Released
(22.3)
|
|
|
Patches: upstream: https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d57871f11ea88c |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |