CVE-2023-1786: sensitive data exposure in cloud-init logs
First published: Wed Apr 26 2023(Updated: )
Canonical cloud-init could allow a local authenticated attacker to obtain sensitive information, caused by the storage of sensitive data in the log files. By gaining access to the log files, an attacker could exploit this vulnerability to obtain hashed passwords information, and use this information to launch further attacks against the affected system.
Credit: security@ubuntu.com security@ubuntu.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM QRadar SIEM | <=7.5 - 7.5.0 UP8 IF01 | |
| Canonical cloud-init | <23.1.2 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| Canonical Ubuntu Linux | =22.04 | |
| Canonical Ubuntu Linux | =22.10 | |
| Canonical Ubuntu Linux | =23.04 | |
| Fedoraproject Fedora | =38 | |
| ubuntu/cloud-init | <23.1.2-0ubuntu0~18.04.1 | 23.1.2-0ubuntu0~18.04.1 |
| ubuntu/cloud-init | <23.1.2-0ubuntu0~20.04.1 | 23.1.2-0ubuntu0~20.04.1 |
| ubuntu/cloud-init | <23.1.2-0ubuntu0~22.04.1 | 23.1.2-0ubuntu0~22.04.1 |
| ubuntu/cloud-init | <23.1.2-0ubuntu0~22.10.1 | 23.1.2-0ubuntu0~22.10.1 |
| ubuntu/cloud-init | <23.1.2-0ubuntu0~23.04.1 | 23.1.2-0ubuntu0~23.04.1 |
| ubuntu/cloud-init | <23.2<23.1.2 | 23.2 23.1.2 |
| ubuntu/cloud-init | <21.1-19- | 21.1-19- |
| debian/cloud-init | <=20.4.1-2+deb11u1<=22.4.2-1+deb12u1 | 24.2-1 |
Remedy
The Ubuntu update to address this attempted to redact information in /var/log/cloud-init.log and /run/cloud-init/instance-data.json. Additional logs may require the removal of sensitive information.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.launchpad.net/cloud-init/+bug/2013967
- https://github.com/canonical/cloud-init/commit/a378b7e4f47375458651c0972e7cd813f6fe0a6b
- https://ubuntu.com/security/notices/USN-6042-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ATBJSXPL2IOAD2LDQRKWPLIC7QXS44GZ/
- https://launchpad.net/bugs/cve/CVE-2023-1786
- https://security-tracker.debian.org/tracker/CVE-2023-1786
- https://exchange.xforce.ibmcloud.com/vulnerabilities/253877
- https://www.ibm.com/support/pages/node/7150684 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2023-1786
- https://nvd.nist.gov/vuln/detail/CVE-2023-1786
- https://ubuntu.com/security/CVE-2023-1786
Frequently Asked Questions
What is CVE-2023-1786?
CVE-2023-1786 is a vulnerability in cloud-init before version 23.1.2 that could expose sensitive data in logs.
How can an attacker exploit CVE-2023-1786?
An attacker could use exposed sensitive information in cloud-init logs to find hashed passwords and potentially escalate their privilege.
What is the severity of CVE-2023-1786?
CVE-2023-1786 has a severity rating of 5.5 (medium).
Which software versions are affected by CVE-2023-1786?
Cloud-init versions before 23.1.2 are affected by CVE-2023-1786.
How do I fix CVE-2023-1786?
To fix CVE-2023-1786, update cloud-init to version 23.1.2 or higher.
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/type
- agent/author
- agent/remedy
- agent/weakness
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/ibm-support
- source/IBM
- agent/references
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/event
- agent/tags
- collector/usn-cve
- source/Ubuntu
- package-manager/debian
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5 - 7.5.0 up8 if01
- vendor/canonical
- canonical/canonical cloud-init
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- version/canonical ubuntu linux/22.04
- version/canonical ubuntu linux/22.10
- version/canonical ubuntu linux/23.04
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- package-manager/ubuntu