To: [email protected]
Subject: Re: Bug#1108403: cloud-init: CVE-2024-6174
In-Reply-To: <[email protected]>
On Fri, Jun 27, 2025 at 09:14:17PM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for cloud-init.
>
> CVE-2024-6174[0]:
> | When a non-x86 platform is detected, cloud-init grants root access
> | to a hardcoded url with a local IP address. To prevent this,
> | cloud-init default configurations disable platform enumeration.

My inclination is to pull in the latest upstream patch release, 25.1.4 (we're currently at 25.1.1 in trixie). However, the fix for CVE-2024-6174 does introduce a functionality change that may be disruptive in some less common environments (notably non-amd64 OpenStack). There are potential workarounds, but they're not necessarily trivial for users who are operating a cloud environment that they don't control. The primary workaround is to use a datadrive for VM metadata, rather than a network service, but that's a choice made by the cloud operator.

Thomas, as OpenStack maintainer, do you have any insight into just how disruptive this change is likely to be?

Still researching this one...

noah
