CVE-2023-5536

Published: 11 December 2023

A feature in LXD (LP#1829071) affects the default configuration of Ubuntu Server: it allows privileged users in the lxd group to escalate their privilege to root without requiring a sudo password.

Notes

Author  Note
eslerm  Ubuntu Server installed with subiquity before 23.04 is affected
        Ubuntu Server installed with cloud-init before 24.04 is affected
        Ubuntu Desktop is not affected
eslerm  A LXD feature became a vulnerability in Ubuntu Server when it was enabled as a default.
        cloud-init and subiquity are used for tracking; these packages merely implemented Server defaults.
        Removing this LXD feature with a security patch would break existing workflows.
eslerm  Mitigation must be performed manually.

Mitigation

Remove users from the lxd group and configure LXD's multi-user mode, as described at:
https://discourse.ubuntu.com/t/easy-multi-user-lxd-setup/26215/4
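The first half of that mitigation, finding out who is in the lxd group and taking them out of it, is easy to audit. The script below is an added example and is not part of the Ubuntu CVE page or of LXD; it parses a constructed /etc/group-style sample (marked as such) and prints the `gpasswd -d` commands an administrator would run, rather than running them, so the change can be reviewed first. Pass no second argument to read the real /etc/group. Configuring multi-user mode afterwards follows the linked post and is not covered here.

```shell
#!/bin/sh
# Added example: audit membership of the lxd group, the group that CVE-2023-5536
# turns into a root-equivalent group on affected Ubuntu Server installs.

# Constructed sample in the shape of /etc/group; not taken from any real host.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
lxd:x:999:alice,bob
users:x:100:'

# Print the members of a group, one per line.
# $1 = group name; $2 = group-file content (omit to read /etc/group).
lxd_group_members() {
    group_name="$1"
    {
        if [ -n "$2" ]; then
            printf '%s\n' "$2"
        else
            cat /etc/group
        fi
    } | awk -F: -v g="$group_name" '
        $1 == g {
            n = split($4, m, ",")          # field 4 is the comma-separated member list
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# Emit, without executing, the commands that remove every member from lxd.
# $1 = group-file content (omit to read /etc/group).
lxd_group_removal_plan() {
    lxd_group_members lxd "$1" | while read -r user; do
        printf 'gpasswd -d %s lxd\n' "$user"
    done
}

# Stand-alone run against the constructed sample.
echo "Members of lxd group (sample):"
lxd_group_members lxd "$SAMPLE_GROUP"
echo "Commands that would remove them:"
lxd_group_removal_plan "$SAMPLE_GROUP"
```

Once the group is empty, anyone who still needs containers should be given access through the per-user restricted setup in the linked post instead of being re-added to lxd; re-adding a user restores the root-equivalent access this advisory describes.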

Priority

Medium

CVSS 3 severity score

5.0

Score breakdown

Status

Package      Release   Status
cloud-init (Launchpad, Ubuntu, Debian)
             bionic    Ignored (mitigation must be performed manually)
             focal     Ignored (mitigation must be performed manually)
             jammy     Ignored (mitigation must be performed manually)
             lunar     Ignored (end of life, was ignored [mitigation must be performed manually])
             mantic    Ignored (mitigation must be performed manually)
             trusty    Ignored (end of standard support)
             upstream  Not vulnerable (cloud-init 24.04+ not affected)
             xenial    Ignored (mitigation must be performed manually)
subiquity (Launchpad, Ubuntu, Debian)
             bionic    Ignored (mitigation must be performed manually)
             focal     Ignored (mitigation must be performed manually)
             jammy     Ignored (mitigation must be performed manually)
             lunar     Does not exist
             mantic    Does not exist
             trusty    Ignored (end of standard support)
             upstream  Not vulnerable (subiquity 23.04+ not affected)
             xenial    Ignored (end of standard support)

Severity score breakdown

Parameter               Value
Base score              5.0
Attack vector           Local
Attack complexity       High
Privileges required     High
User interaction        Required
Scope                   Changed
Confidentiality impact  High
Integrity impact        None
Availability impact     None
Vector                  CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N