ID |
CVE-2018-10896
|
Summary |
The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. |
References |
|
Vulnerable Configurations |
- cpe:2.3:a:canonical:cloud-init:0.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:0.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:17.1:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:17.2:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:18.1:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:18.2:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:cloud-init:18.3:*:*:*:*:*:*:*
|
CVSS |
Base: | 3.6 (as of 13-02-2023 - 04:51) |
Impact: | |
Exploitability: | |
|
CWE |
CWE-321 |
CAPEC |
|
Access |
Vector | Complexity | Authentication |
LOCAL | LOW | NONE |
|
Impact |
Confidentiality | Integrity | Availability |
PARTIAL | PARTIAL | NONE |
|
cvss-vector
via4
|
AV:L/AC:L/Au:N/C:P/I:P/A:N
|
redhat
via4
|
advisories | bugzilla | id | 1850456 | title | [RHEL8.2.1] Do not log IMDSv2 token values into cloud-init.log |
| oval | OR | comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026 |
AND | comment | Red Hat Enterprise Linux 8 is installed | oval | oval:com.redhat.rhba:tst:20193384074 |
comment | cloud-init is earlier than 0:19.4-1.el8.7 | oval | oval:com.redhat.rhsa:tst:20203050001 |
comment | cloud-init is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhsa:tst:20190597002 |
|
|
| rhsa | id | RHSA-2020:3050 | released | 2020-07-21 | severity | Low | title | RHSA-2020:3050: cloud-init security, bug fix, and enhancement update (Low) |
|
| rpms | - cloud-init-0:19.4-1.el8.7
- cloud-init-0:18.5-12.el8_2.3
- cloud-init-0:19.4-7.el7
|
|
refmap
via4
|
|
Last major update |
13-02-2023 - 04:51 |
Published |
01-08-2018 - 17:29 |
Last modified |
13-02-2023 - 04:51 |