Candidate: CVE-2020-8631
PublicDate: 2020-02-05 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631
 https://github.com/canonical/cloud-init/pull/204
Description:
 cloud-init through 19.4 relies on Mersenne Twister for a random password,
 which makes it easier for attackers to predict passwords, because rand_str
 in cloudinit/util.py calls the random.choice function.
Ubuntu-Description:
Notes:
 ccdm94> This CVE has been patched in Xenial ESM. The patch, however, has been
 ccdm94> added only to the updates pocket, and since cloud-init is only used
 ccdm94> during first boot (pulling from updates), there should not be a need
 ccdm94> to add this to the security pocket.
Mitigation:
Bugs:
Priority: low
Discovered-by: Marc Deslauriers
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]

Patches_cloud-init:
 upstream: https://github.com/canonical/cloud-init/blob/3e2f7356effc9e9cccc5ae945846279804eedc46
upstream_cloud-init: released (20.1)
precise/esm_cloud-init: DNE
trusty_cloud-init: ignored (out of standard support, was needed)
trusty/esm_cloud-init: DNE
xenial_cloud-init: ignored (end of standard support, was needed)
esm-infra/xenial_cloud-init: ignored (patched version in updates pocket)
bionic_cloud-init: released (20.2-45-g5f7825e2-0ubuntu1~18.04.1)
eoan_cloud-init: ignored (reached end-of-life)
focal_cloud-init: not-affected (20.1-10-g71af48df-0ubuntu5)
groovy_cloud-init: ignored (reached end-of-life)
hirsute_cloud-init: not-affected (21.1-19-gbad84ad4-0ubuntu2)
impish_cloud-init: not-affected (21.3-1-g6803368d-0ubuntu3)
jammy_cloud-init: not-affected (21.4-25-g039c40f9-0ubuntu1~22.04.1)
devel_cloud-init: not-affected (21.4-25-g039c40f9-0ubuntu1~22.04.1)