*** This bug is a security vulnerability ***

Public security bug reported:

Hello, a coworker pasted this error message:

https://pastebin.canonical.com/p/pnNx7Rsfyr/

which appears to include a hex-encoded version of user-data supplied to
a cloud guest that failed to launch:

 juju list-machines
Machine  State  DNS          Inst id                               Series  AZ    Message
23       down   10.xx.xx.xx  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  bionic  nova  failed to start machine 23 (cannot run instance: failed to run a server with
    nova.RunServerOpts{Name:"juju-b11c42-ubuntu-23",
    FlavorId:"xxxxxxxx-xxxxxx-xxxxxxx-xxxxxxxxxxxx",
    ImageId:"xxxxxxxx-xxxxxx-xxxxxxx-xxxxxxxxxxxx",
    UserData:[]uint8{0x1f, 0x8b, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff,
    ...

The UserData field is quite long and looks like it can contain plaintext 
passwords:
- https://cloudinit.readthedocs.io/en/latest/topics/modules.html#set-passwords
- https://cloudinit.readthedocs.io/en/latest/topics/modules.html#apt-configure
- https://cloudinit.readthedocs.io/en/latest/topics/modules.html#lxd
- https://cloudinit.readthedocs.io/en/latest/topics/modules.html#redhat-subscription

or access tokens:
- https://cloudinit.readthedocs.io/en/latest/topics/modules.html#redhat-subscription
- https://cloudinit.readthedocs.io/en/latest/topics/modules.html#landscape

Is this error message only available to people who could read the
supplied user data through another mechanism?

Can the secrets be elided from the user data before it's printed to logs
or output for user consumption?

Thanks

** Affects: juju-core (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1881225

Title:
  do these error messages leak secrets?

