Hello All,

A medium-severity vulnerability, CVE-2023-1786, was discovered in cloud-init. It exposes the optional vendor-data or user-data that some clouds can supply at instance launch time: any sensitive values contained in vendor-data or user-data were written to /run/cloud-init/instance-data.json, which is a world-readable file.
The cloud-init release 23.1.2 resolves CVE-2023-1786 by redacting any sensitive config keys, including nested ones, that previously could have been exposed in /run/cloud-init/instance-data.json, replacing the sensitive content with "redacted for non-root user". The Ubuntu security team has published fixes for 16.04 (ESM), 18.04, 20.04, 22.04, 22.10 and 23.04.

For details see:

- https://github.com/canonical/cloud-init/releases/tag/23.1.2
- https://bugs.launchpad.net/cloud-init/+bug/2013967
- https://lists.ubuntu.com/archives/ubuntu-security-announce/2023-April/007310.html
- https://ubuntu.com/security/notices/USN-6042-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1786

Many thanks,
upstream cloud-init devs
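As an added illustration of what the 23.1.2 fix does (this is example code, not cloud-init's own implementation), the functions below walk a nested instance-data structure, replace the value of any sensitive key at any depth with the "redacted for non-root user" marker, and audit an on-disk JSON file for leftover unredacted values in a world-readable file. The set of sensitive key names and the sample data are assumptions constructed for the example.

```python
import json
import os
import stat

# Assumed set of sensitive key names; cloud-init's real list may differ.
SENSITIVE_KEYS = {"userdata", "vendordata", "vendordata2", "security-credentials"}
REDACTED = "redacted for non-root user"


def redact_sensitive(data, sensitive=SENSITIVE_KEYS):
    """Return a copy of `data` with every value under a sensitive key
    replaced, however deeply the key is nested inside dicts or lists."""
    if isinstance(data, dict):
        return {
            k: REDACTED if k in sensitive else redact_sensitive(v, sensitive)
            for k, v in data.items()
        }
    if isinstance(data, list):
        return [redact_sensitive(v, sensitive) for v in data]
    return data


def find_unredacted(data, sensitive=SENSITIVE_KEYS, path=""):
    """List dotted paths of sensitive keys whose values are not redacted."""
    hits = []
    if isinstance(data, dict):
        for k, v in data.items():
            p = f"{path}.{k}" if path else k
            if k in sensitive and v != REDACTED:
                hits.append(p)
            hits.extend(find_unredacted(v, sensitive, p))
    elif isinstance(data, list):
        for i, v in enumerate(data):
            hits.extend(find_unredacted(v, sensitive, f"{path}[{i}]"))
    return hits


def audit_file(path):
    """Report whether a file is world-readable and which sensitive keys
    in it still hold unredacted values (both must be false to be safe)."""
    mode = os.stat(path).st_mode
    with open(path) as fh:
        leaks = find_unredacted(json.load(fh))
    return {"world_readable": bool(mode & stat.S_IROTH), "unredacted": leaks}


# Constructed sample resembling the nesting the pre-fix redaction missed.
SAMPLE = {"ds": {"meta-data": {"instance-id": "i-example"},
                 "userdata": "#cloud-config\npassword: example-only",
                 "nested": [{"vendordata": {"apikey": "example-secret"}}]}}
```

Running `audit_file("/run/cloud-init/instance-data.json")` on a patched host should report an empty `unredacted` list.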
-- 
Mailing list: https://launchpad.net/~cloud-init

