
622 matches found

Tenable Nessus
added 2019/03/19 12:0 a.m. · 31 views

Oracle Linux 7 : cloud-init (ELSA-2019-0597)

The remote Oracle Linux 7 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2019-0597 advisory. 18.2-1.0.1 - add modified version of enable-ec2utils-to-stop-retrying-to-get-ec2-metadata.patch for 18.2: 1. Enable ec2utils.py having a way to stop retrying to...

CVSS 5.1 · AI score 5.7 · EPSS 0.01403
Exploits: 0 · References: 2

Tenable Nessus
added 2019/03/19 12:0 a.m. · 22 views

RHEL 7 : cloud-init (RHSA-2019:0597)

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2019:0597 advisory. The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to...

CVSS 5.1 · AI score 5.7 · EPSS 0.01403
Exploits: 0 · References: 6

RedHat Linux
added 2019/03/18 6:40 p.m. · 3 views

cloud-init: extra ssh keys added to authorized_keys on the Azure platform

A security feature bypass exists in Azure SSH Keypairs, due to a change in the provisioning logic for some Linux images that use cloud-init, aka 'Azure SSH Keypairs Security Feature Bypass Vulnerability'...

CVSS 5.1 · AI score 6.1 · EPSS 0.01403
Exploits: 0 · References: 5

RedHat Linux
added 2019/03/18 6:40 p.m. · 111 views

Moderate: Red Hat Security Advisory: cloud-init security update

An update for cloud-init is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

CVSS 5.1 · AI score 6.1 · EPSS 0.01403
Exploits: 0 · References: 3

RedhatCVE
added 2019/03/18 2:49 a.m. · 24 views

CVE-2017-7510

It is reported that the RHV 4 REST API exposes data used in cloud-init which can include the root password used when creating a system...

CVSS 8.8 · AI score 2 · EPSS 0.01036
Exploits: 0 · References: 1

Oracle linux
added 2019/03/18 12:0 a.m. · 78 views

cloud-init security update

18.2-1.0.1 - add modified version of enable-ec2utils-to-stop-retrying-to-get-ec2-metadata.patch for 18.2: 1. Enable ec2utils.py having a way to stop retrying to get ec2 metadata 2. Apply stop retrying to get ec2 metadata to helper/openstack.py MetadataReader Resolves: Oracle-Bug:41660 Bugzilla...

CVSS 5.1 · AI score 2.9 · EPSS 0.01403
Exploits: 0

Microsoft CVE
added 2019/03/12 7:0 a.m. · 33 views

Azure SSH Keypairs Security Feature Bypass Vulnerability

A security feature bypass exists in Azure SSH Keypairs, due to a change in the provisioning logic for some Linux images that use cloud-init. Extraneous Microsoft service public keys can be unexpectedly added to the VM authorized keys file in the limited scenarios described in 4491476. For more...

CVSS 5.1 · AI score 5.3 · EPSS 0.01403
Exploits: 0

Microsoft KB
added 2019/03/12 7:0 a.m. · 29 views

Extraneous SSH Public Keys added to Authorized Keys file on Linux VM

Extraneous SSH Public Keys added to Authorized Keys file on Linux VM Summary In addition to letting users provide their own SSH keypairs for authentication, the Microsoft Azure platform relies on SSH keypairs to enable some features that are added to the virtual machine VM at deployment time. We...

CVSS 5.1 · AI score 5.2 · EPSS 0.01403
Exploits: 0

Prion
added 2018/08/01 5:29 p.m. · 16 views

Design/Logic Flaw

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to...

CVSS 3.6 · AI score 6.6 · EPSS 0.00354
Exploits: 0 · References: 3 · Affected Software: 1

NVD
added 2018/08/01 5:29 p.m. · 13 views

CVE-2018-10896

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to...

CVSS 7.1 · AI score 5.3 · EPSS 0.00354
Exploits: 0 · References: 3

OSV
added 2018/08/01 5:29 p.m. · 19 views

CVE-2018-10896

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to...

CVSS 7.1 · AI score 6.5 · EPSS 0.00354
Exploits: 0 · References: 3

Cvelist
added 2018/08/01 5:0 p.m. · 16 views

CVE-2018-10896

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to...

CVSS 4.6 · AI score 6.8 · EPSS 0.00354
Exploits: 0 · References: 3

CVE
added 2018/08/01 5:0 p.m. · 246 views

CVE-2018-10896

CVE-2018-10896 is confirmed in multiple Nessus/OpenVAS entries tied to cloud-init. The issue arises from the default cloud-init configuration (ssh_deletekeys: 0) introduced in cloud-init 0.6.2 and newer, which disables deletion of SSH host keys on new instances. This can allow cloned golden-maste...

CVSS 7.1 · AI score 6.5 · EPSS 0.00354
Exploits: 0 · References: 3 · Affected Software: 1

RedhatCVE
added 2018/07/10 1:18 p.m. · 25 views

CVE-2018-10896

The default cloud-init configuration included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct...

CVSS 7.1 · AI score 2.3 · EPSS 0.00354
Exploits: 0 · References: 2

Positive Technologies
added 2018/07/06 12:0 a.m. · 2 views

PT-2018-10167 · Canonical +3 · Cloud-Init +3

Name of the Vulnerable Software and Affected Versions: cloud-init versions 0.6.2 and newer. Description: The default cloud-init configuration in affected versions includes "ssh_deletekeys: 0", which disables the deletion of ssh host keys. This could lead to instances created by cloning a golden...

CVSS 7.1 · AI score 5.2 · EPSS 0.00438
Exploits: 0 · References: 21

RedHat Linux
added 2017/07/27 12:0 a.m. · 1 views

4: ovirt-engine exposes cloud-init root password via REST API

It is reported that the RHV 4 REST API exposes data used in cloud-init which can include the root password used when creating a system...

CVSS 8.8 · AI score 6.8 · EPSS 0.01036
Exploits: 0 · References: 4

CNVD
added 2017/07/17 12:0 a.m. · 3 views

ubuntu-image Unauthorized Operation Vulnerability

ubuntu-image is an image package used in Ubuntu systems. A security vulnerability exists in ubuntu-image. A local attacker can exploit this vulnerability to gain access to the cloud-init and snapd directories...

CVSS 5.9 · AI score 5.9 · EPSS 0.00286
Exploits: 0 · References: 1

Tenable Nessus
added 2017/07/17 12:0 a.m. · 20 views

Fedora 26 : cloud-init (2017-83671c0fa0)

This update fixes several issues with systemd service ordering and network configuration. It also backports a fix for a security issue in which instances run in EC2 write IAM instance profile credentials to disk. To work around the security issue without updating cloud-init, wait at least six hou...

AI score 5.5
Exploits: 0 · References: 2

UbuntuCve
added 2017/07/11 5:29 p.m. · 36 views

CVE-2017-10600

ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories...

CVSS 5.9 · AI score 6.2 · EPSS 0.00286
Exploits: 0 · References: 3

Prion
added 2017/07/11 5:29 p.m. · 18 views

Design/Logic Flaw

ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories...

CVSS 4.6 · AI score 5.5 · EPSS 0.00286
Exploits: 0 · References: 1 · Affected Software: 1