CVE-2022-2084
Published: 29 June 2022
Sensitive data could be exposed in world-readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.
From the Ubuntu Security Team
Mike Stroyan discovered that cloud-init could log password hashes when reporting schema failures. An attacker with access to these logs could potentially use this to gain user credentials.
Notes
Author | Note |
---|---|
sbeattie | introduced in 22.2, therefore xenial and trusty are not affected |
Mitigation
The Ubuntu update that addresses this issue attempts to redact the information already recorded in /var/log/cloud-init.log. Additional logs (for example rotated or forwarded copies of that file) may still require manual removal of the sensitive information; in the log, that information is preceded by the following text: Invalid cloud-config provided:
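The manual cleanup described above can be scripted. The following is an added example, not code from the page or from the cloud-init project: it splits a cloud-init.log into records (assuming the usual "date time,ms - module[LEVEL]: message" record header, with multi-line messages continued on lines without a timestamp), replaces everything after the "Invalid cloud-config provided:" marker in each affected record with a placeholder, and counts crypt(3)-style hash tokens in the material it removed so an operator can judge whether credentials actually leaked. The sample log text is constructed for illustration; the hash in it is not a real password hash.

```python
import re
import sys

# Constructed sample of /var/log/cloud-init.log content (not a real capture).
# Assumed record format: "<YYYY-MM-DD> <HH:MM:SS>,<ms> - <module>[<LEVEL>]: <message>";
# continuation lines of a multi-line message carry no timestamp.
SAMPLE_LOG = """\
2022-06-29 10:00:01,000 - util.py[DEBUG]: Cloud-init v. 22.2 running 'init'
2022-06-29 10:00:02,000 - schema.py[WARNING]: Invalid cloud-config provided:
users:
- name: alice
  passwd: $6$rounds=4096$saltsalt$hashvaluehashvaluehashvalue
2022-06-29 10:00:03,000 - util.py[DEBUG]: Reading from /etc/cloud/cloud.cfg
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - ")
MARKER = "Invalid cloud-config provided:"
# crypt(3)-style hash prefixes: $1$ (md5), $2a$/$2b$/$2y$ (bcrypt), $5$/$6$ (sha-crypt), $y$ (yescrypt)
HASH_PATTERN = re.compile(r"\$(?:1|2[aby]?|5|6|y)\$\S+")


def split_records(text):
    """Group log lines into records: a timestamped line starts a record,
    untimestamped lines are continuations of the previous record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)
    return records


def redact_schema_failures(text, placeholder="[REDACTED: CVE-2022-2084 cleanup]"):
    """Return (redacted_text, stats). Every record whose header contains MARKER
    loses all text after the marker, including continuation lines, because the
    offending user-data (which may hold password hashes) follows it.
    stats counts redacted records and hash-like tokens found in removed text."""
    out = []
    stats = {"redacted_records": 0, "hash_like_tokens": 0}
    for rec in split_records(text):
        head = rec[0]
        if MARKER in head:
            prefix, tail = head.split(MARKER, 1)
            removed = tail + "\n" + "\n".join(rec[1:])
            stats["hash_like_tokens"] += len(HASH_PATTERN.findall(removed))
            stats["redacted_records"] += 1
            # Keep the header up to the marker so the event itself stays auditable.
            out.append(prefix + MARKER + " " + placeholder)
        else:
            out.extend(rec)
    redacted = "\n".join(out)
    if text.endswith("\n"):
        redacted += "\n"
    return redacted, stats


def main(argv):
    # Usage: python redact_cloud_init_log.py [/var/log/cloud-init.log]
    # Without a path the constructed sample is processed and printed.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            original = fh.read()
        redacted, stats = redact_schema_failures(original)
        with open(argv[1], "w", encoding="utf-8") as fh:
            fh.write(redacted)
    else:
        redacted, stats = redact_schema_failures(SAMPLE_LOG)
        print(redacted, end="")
    print(f"redacted {stats['redacted_records']} record(s), "
          f"{stats['hash_like_tokens']} hash-like token(s) removed", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

The whole multi-line record after the marker is dropped rather than trying to pick out individual hashes, since the leaked material is an arbitrary user-data dump and a pattern-based redaction would miss plaintext secrets it carries. Run it against rotated copies (cloud-init.log.1 and so on) and against any copy shipped to a central log collector, not only the live file the Ubuntu update already processed.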
Priority
Status
Package | Release | Status |
---|---|---|
cloud-init (Launchpad, Ubuntu, Debian) | bionic | Released (22.2-0ubuntu1~18.04.3) |
| focal | Released (22.2-0ubuntu1~20.04.3) |
| impish | Released (22.2-0ubuntu1~21.10.3) |
| jammy | Released (22.2-0ubuntu1~22.04.3) |
| kinetic | Released (22.2-64-g1fcd55d6-0ubuntu1~22.10.1) |
| upstream | Released (22.3) |
Patches: upstream: https://github.com/canonical/cloud-init/commit/4d467b14363d800b2185b89790d57871f11ea88c |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |