Canonical Cloud Init


By the Year

In 2023 there have been 0 vulnerabilities in Canonical Cloud Init. Cloud Init did not have any published security vulnerabilities last year.

Year  Vulnerabilities  Average Score
2023  0                0.00
2022  0                0.00
2021  0                0.00
2020  2                5.50
2019  0                0.00
2018  1                7.10

It may take a day or so for new Cloud Init vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Canonical Cloud Init Security Vulnerabilities

cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords

CVE-2020-8631 5.5 - Medium - February 05, 2020

cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.

Use of Insufficiently Random Values

In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value

CVE-2020-8632 5.5 - Medium - February 05, 2020

In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.

Weak Password Requirements

The default cloud-init configuration

CVE-2018-10896 7.1 - High - August 01, 2018

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of SSH host keys. In some environments, this could lead to instances created by cloning a golden master or template system sharing SSH host keys and being able to impersonate one another or conduct man-in-the-middle attacks.

Use of Hard-coded Cryptographic Key
