cloud-init team mailing list archive
-
cloud-init team
-
Mailing list archive
-
Message #00444
[SECURITY] Release of cloud-init 23.1.2
Hello All,
A medium level CVE-2023-1786 was discovered for cloud-init exposing
optional vendor-data or user-data which could be provided to some clouds at
instance launch time. If exposed, sensitive values in vendor-data or
user-data would live in /run/cloud-init/instance-data.json which is a
world-readable file.
The cloud-init release 23.1.2 resolves CVE-2023-1786 by redacting any
potentially nested sensitive config keys that previously could have been
exposed in /run/cloud-init/instance-data.json replacing sensitive content
with "redacted for non-root user".
The Ubuntu security team has published fixes for this to 16.04(ESM), 18.04,
20.04, 22.04, 22.10 and 23.04.
For details see:
- https://github.com/canonical/cloud-init/releases/tag/23.1.2
- https://bugs.launchpad.net/cloud-init/+bug/2013967
-
https://lists.ubuntu.com/archives/ubuntu-security-announce/2023-April/007310.html
- https://ubuntu.com/security/notices/USN-6042-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1786
Many thanks,
upstream cloud-init devs