ID CVE-2019-0816
Summary A security feature bypass exists in Azure SSH Keypairs, due to a change in the provisioning logic for some Linux images that use cloud-init, aka 'Azure SSH Keypairs Security Feature Bypass Vulnerability'.
References
Vulnerable Configurations
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:microsoft:azure:-:*:*:*:*:*:*:*
CVSS
Base: 1.9 (as of 10-04-2019 - 18:11)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
  • Vector LOCAL
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity PARTIAL
  • Availability NONE
assigner via4 cve@mitre.org
cvss-vector via4 AV:L/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
bugzilla
id 1680165
title CVE-2019-0816 cloud-init: extra ssh keys added to authorized_keys on the Azure platform
oval
AND
  • comment cloud-init is earlier than 0:18.2-1.el7_6.2
    oval oval:com.redhat.rhsa:tst:20190597005
  • comment cloud-init is signed with Red Hat redhatrelease2 key
    oval oval:com.redhat.rhsa:tst:20190597006
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
rhsa
id RHSA-2019:0597
released 2019-03-18
severity Moderate
title RHSA-2019:0597: cloud-init security update (Moderate)
rpms cloud-init-0:18.2-1.el7_6.2
refmap via4
confirm https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0816
vulnerable_product via4 cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Last major update 10-04-2019 - 18:11
Published 09-04-2019 - 03:29