Bugzilla – Bug 1184758
VUL-0: CVE-2021-3429: cloud-init: randomly generated passwords logged in clear-text to world-readable file
Last modified: 2024-05-16 11:40:21 UTC
rh#1940967

The "Set Passwords" module allows a user to specify that cloud-init create a random password for a particular user. In order to allow people to access systems using these randomly generated passwords (without needing another access vector in order to know the passwords), cloud-init emits them to the serial console. In order to have log messages emitted to the console readily available within the system also, it writes that same content to /var/log/cloud-init-output.log. As a result, those passwords are written to that file, which is world-readable.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1940967
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3429
https://access.redhat.com/security/cve/CVE-2021-3429
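A defender's check for the exposure described above, as an added example that is not part of the original bug report or of cloud-init's own code: it reports whether the log is readable by "other" and whether it contains a random-password block. The marker string, the helper names and the 0640 target mode are assumptions; adjust them to your cloud-init version and site policy.

```python
import os
import stat
import tempfile

# Path taken from the bug description. MARKER is an assumption: the line
# that precedes the password list; adjust it to your cloud-init version.
LOG_PATH = "/var/log/cloud-init-output.log"
MARKER = "Set the following 'random' passwords"


def audit_log(path=LOG_PATH, marker=MARKER):
    """Report mode bits and whether a password block is present."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_readable = bool(mode & stat.S_IROTH)
    with open(path, "r", errors="replace") as fh:
        has_block = any(marker in line for line in fh)
    return {
        "mode": oct(mode),
        "world_readable": world_readable,
        "has_password_block": has_block,
        # Exposed to unprivileged local users only when both hold.
        "exposed": world_readable and has_block,
    }


def restrict(path, mode=0o640):
    """Drop 'other' access (assumed policy: 0640) and re-audit.
    This does not undo disclosure: logged passwords still need rotating."""
    os.chmod(path, mode)
    return audit_log(path)


def constructed_sample(mode):
    """Write a constructed sample log (not real cloud-init output)."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write("constructed sample: module output begins\n")
        fh.write(MARKER + "\n")
        fh.write("exampleuser:SAMPLE-NOT-A-REAL-PASSWORD\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = constructed_sample(0o644)
    print("before:", audit_log(sample))
    print("after: ", restrict(sample))
    os.remove(sample)
```

On a real host, call `audit_log()` with no arguments as a user allowed to read the log; tightening the mode limits further reads but any password already written there should be treated as disclosed.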
SUSE-RU-2021:2401-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1183939,1184758
CVE References:
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src): cloud-init-20.2-5.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-RU-2021:1080-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1183939,1184758
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): cloud-init-20.2-lp152.5.24.1
SUSE-RU-2021:2887-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1183939,1184758
CVE References:
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src): cloud-init-20.2-8.48.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src): cloud-init-20.2-8.48.1
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src): cloud-init-20.2-8.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Released
277654
SUSE-SU-2023:2164-1: An update that solves two vulnerabilities and has three fixes can now be installed.

Category: security (moderate)
Bug References: 1181283, 1183939, 1184085, 1184758, 1210277
CVE References: CVE-2021-3429, CVE-2023-1786
Sources used:
Public Cloud Module 12 (src): cloud-init-20.2-37.57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-FU-2023:3283-1: An update that solves two vulnerabilities and has one feature fix can now be installed.

Category: feature (moderate)
Bug References: 1184758, 1210273, 1212879
CVE References: CVE-2021-3429, CVE-2023-1786
Sources used:
openSUSE Leap 15.4 (src): cloud-init-23.1-150100.8.66.1
openSUSE Leap 15.5 (src): cloud-init-23.1-150100.8.66.1
Public Cloud Module 15-SP1 (src): cloud-init-23.1-150100.8.66.1
Public Cloud Module 15-SP2 (src): cloud-init-23.1-150100.8.66.1
Public Cloud Module 15-SP3 (src): cloud-init-23.1-150100.8.66.1
Public Cloud Module 15-SP4 (src): cloud-init-23.1-150100.8.66.1
Public Cloud Module 15-SP5 (src): cloud-init-23.1-150100.8.66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.