CVE-2022-2084

Publication date 29 June 2022

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.

From the Ubuntu Security Team

Mike Stroyan discovered that cloud-init could log password hashes when reporting schema failures. An attacker with access to these logs could potentially use this to gain user credentials.

Read the notes from the security team

Mitigation

The Ubuntu update to address this attempted to redact information contained in /var/log/cloud-init.log. Additional logs may require the removal of sensitive information; such information would be preceded by the following text: Invalid cloud-config provided:

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cloud-init	22.10 kinetic	Fixed 22.2-64-g1fcd55d6-0ubuntu1~22.10.1
	22.04 LTS jammy	Fixed 22.2-0ubuntu1~22.04.3
	21.10 impish	Fixed 22.2-0ubuntu1~21.10.3
	20.04 LTS focal	Fixed 22.2-0ubuntu1~20.04.3
	18.04 LTS bionic	Fixed 22.2-0ubuntu1~18.04.3
	16.04 LTS xenial	Not affected

Notes

sbeattie

introduced in 22.2, therefore xenial and trusty are not affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
cloud-init	Upstream: 4d467b1

Severity score breakdown

Parameter	Value
Base score	5.5 · Medium
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N