Activity log for bug #1865947

Date Who What changed Old value New value Message
2020-03-03 22:15:22 Chad Smith bug added bug
2020-03-03 22:19:22 Chad Smith information type Public Private Security
2020-03-04 17:44:36 Chad Smith summary
  Old value: instance-data.json could contain security sensitive content
  New value: Write redacted metadata to /run/cloud-init/instance-data.json
2020-03-04 17:55:44 Chad Smith description
  Old value:
  Cloud-init persists world-readable instance metadata in /run/cloud-init/instance-data.json and a read-only root /run/cloud-init/instance-data-sensitive.json. Any sensitive metadata provided by a cloud platform's metadata services should be redacted from instance-data.json by cloud-init if that DataSource class defines a list of sensitive metadata key names as a class attribute "sensitive_metadata_keys". Cloud-init redacts the correct sensitive keys if discovered when crawling metadata, but it then writes the unredacted information to the world-readable /run/cloud-init/instance-data.json instead of the root read-only /run/cloud-init/instance-data-sensitive.json. See the related code at: https://github.com/canonical/cloud-init/blob/master/cloudinit/sources/__init__.py#L318-L323

  This can affect any DataSource if either of the following apply:
  1. It is not DataSourceEc2 and the platform metadata contains a sensitive 'security-credentials' key
  2. It is a private subclassed DataSource that is not present in cloud-init upstream but has set the class attribute sensitive_metadata_keys to be something other than sensitive_metadata_keys = ['security_credentials']

  The end result is that the sensitive keys they thought they were redacting end up being published to the world-readable /run/cloud-init/instance-data.json.

  In practice, the only cloud we are aware of that provides a 'security-credentials' key in metadata is Ec2 on VMs that are created with an IAM profile. This security exposure on Ec2 only is also negated because the utility that crawls the ec2 metadata service also happens to skip 'security-credentials' when crawling metadata, so cloud-init doesn't see that key anyway. See this code: https://github.com/canonical/cloud-init/blob/master/cloudinit/ec2_utils.py#L87-L89

  New value:
  Cloud-init persists world-readable instance metadata in /run/cloud-init/instance-data.json and a read-only root /run/cloud-init/instance-data-sensitive.json. Cloud-init has a facility whereby clouds could define a sensitive_metadata_keys list as a class attribute in the platform's supported DataSource subclass. No clouds are currently exposed to this feature yet. When cloud-init persists instance-data.json it should write the redacted content to the world-readable /run/cloud-init/instance-data.json and unredacted content to root read-only /run/cloud-init/instance-data-sensitive.json. It currently writes the wrong content to each file. No clouds currently are exposed to this bug.
2020-03-04 20:37:10 Chad Smith information type Private Security Public
2020-03-04 21:52:48 Chad Smith description
  Old value:
  Cloud-init persists world-readable instance metadata in /run/cloud-init/instance-data.json and a read-only root /run/cloud-init/instance-data-sensitive.json. Cloud-init has a facility whereby clouds could define a sensitive_metadata_keys list as a class attribute in the platform's supported DataSource subclass. No clouds are currently exposed to this feature yet. When cloud-init persists instance-data.json it should write the redacted content to the world-readable /run/cloud-init/instance-data.json and unredacted content to root read-only /run/cloud-init/instance-data-sensitive.json. It currently writes the wrong content to each file. No clouds currently are exposed to this bug.

  New value:
  Cloud-init persists world-readable instance metadata in /run/cloud-init/instance-data.json and a read-only root /run/cloud-init/instance-data-sensitive.json. Cloud-init has a facility whereby clouds could define a sensitive_metadata_keys list as a class attribute in the platform's supported DataSource subclass. No clouds are currently using this metadata redacting yet. When cloud-init persists instance-data.json it should write the redacted content to the world-readable /run/cloud-init/instance-data.json and unredacted content to root read-only /run/cloud-init/instance-data-sensitive.json. It currently writes the wrong content to each file. No clouds currently are exposed to this bug.

2020-03-04 21:53:02 Chad Smith description
  Old value:
  Cloud-init persists world-readable instance metadata in /run/cloud-init/instance-data.json and a read-only root /run/cloud-init/instance-data-sensitive.json. Cloud-init has a facility whereby clouds could define a sensitive_metadata_keys list as a class attribute in the platform's supported DataSource subclass. No clouds are currently using this metadata redacting yet. When cloud-init persists instance-data.json it should write the redacted content to the world-readable /run/cloud-init/instance-data.json and unredacted content to root read-only /run/cloud-init/instance-data-sensitive.json. It currently writes the wrong content to each file. No clouds currently are exposed to this bug.

  New value:
  Cloud-init persists world-readable instance metadata in /run/cloud-init/instance-data.json and a read-only root /run/cloud-init/instance-data-sensitive.json. Cloud-init has a facility whereby clouds could define a sensitive_metadata_keys list as a class attribute in the platform's supported DataSource subclass. No clouds are currently redacting metadata using this mechanism. When cloud-init persists instance-data.json it should write the redacted content to the world-readable /run/cloud-init/instance-data.json and unredacted content to root read-only /run/cloud-init/instance-data-sensitive.json. It currently writes the wrong content to each file. No clouds currently are exposed to this bug.

2020-03-04 21:53:12 Chad Smith description
  Old value:
  Cloud-init persists world-readable instance metadata in /run/cloud-init/instance-data.json and a read-only root /run/cloud-init/instance-data-sensitive.json. Cloud-init has a facility whereby clouds could define a sensitive_metadata_keys list as a class attribute in the platform's supported DataSource subclass. No clouds are currently redacting metadata using this mechanism. When cloud-init persists instance-data.json it should write the redacted content to the world-readable /run/cloud-init/instance-data.json and unredacted content to root read-only /run/cloud-init/instance-data-sensitive.json. It currently writes the wrong content to each file. No clouds currently are exposed to this bug.

  New value:
  Cloud-init persists world-readable instance metadata in /run/cloud-init/instance-data.json and a read-only root /run/cloud-init/instance-data-sensitive.json. Cloud-init has a facility whereby clouds could define a sensitive_metadata_keys list as a class attribute in the platform's supported DataSource subclass. No clouds are redacting metadata using this mechanism currently. When cloud-init persists instance-data.json it should write the redacted content to the world-readable /run/cloud-init/instance-data.json and unredacted content to root read-only /run/cloud-init/instance-data-sensitive.json. It currently writes the wrong content to each file. No clouds currently are exposed to this bug.
2020-03-05 17:13:58 Chad Smith cloud-init: status New Fix Committed
2020-03-06 20:47:32 Chad Smith cloud-init: status Fix Committed Fix Released
2023-05-12 04:01:45 James Falcon bug watch added https://github.com/canonical/cloud-init/issues/3616
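The behaviour the bug descriptions above specify, as an added Python example that is not cloud-init's own code: a DataSource-style list of sensitive key names, a redaction pass over crawled metadata, and a persist step that writes the redacted copy to a world-readable instance-data.json and the full copy to a root-only instance-data-sensitive.json. The function names (redact_sensitive_keys, write_instance_data, find_leaked_values, check_run_dir), the REDACTED sentinel text and the sample metadata with placeholder credential values are all assumptions made for this example. The swapped flag reproduces the defect the report describes (unredacted content landing in the public file) so that the post-boot leak check can be seen catching it. Key names are matched exactly, which is the caveat the report's point 2 hints at: listing 'security_credentials' does not cover a crawled 'security-credentials' key.

```python
import json
import os
import stat
import tempfile

# Placeholder text for redacted values; assumed for this example, not cloud-init's exact string.
REDACTED = "redacted for non-root user"

# Constructed sample metadata. The credential strings are made-up placeholders.
SAMPLE_METADATA = {
    "instance-id": "i-0123456789abcdef0",
    "hostname": "web-1",
    "security-credentials": {
        "AccessKeyId": "AKIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "wJalrXUtnFEMI/EXAMPLE/PLACEHOLDER",
    },
    "network": {"interfaces": [{"mac": "00:11:22:33:44:55", "local-ipv4s": ["10.0.0.5"]}]},
}
# Stands in for a DataSource subclass's sensitive_metadata_keys class attribute.
SENSITIVE_KEYS = ["security-credentials"]


def redact_sensitive_keys(metadata, sensitive_keys, sentinel=REDACTED):
    """Return a new structure in which the value under every sensitive key name,
    at any nesting depth, is replaced by the sentinel. Matching is exact, so
    'security_credentials' and 'security-credentials' are different keys."""
    keys = set(sensitive_keys)

    def walk(node):
        if isinstance(node, dict):
            return {k: (sentinel if k in keys else walk(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return walk(metadata)


def write_instance_data(run_dir, metadata, sensitive_keys, swapped=False):
    """Persist the redacted copy as world-readable instance-data.json and the
    full copy as owner-only instance-data-sensitive.json. swapped=True writes
    the files the wrong way round, reproducing the defect in the bug report.
    Returns (public_path, sensitive_path)."""
    public_path = os.path.join(run_dir, "instance-data.json")
    sensitive_path = os.path.join(run_dir, "instance-data-sensitive.json")
    redacted = redact_sensitive_keys(metadata, sensitive_keys)
    public_content, sensitive_content = (metadata, redacted) if swapped else (redacted, metadata)

    def write(path, payload, mode):
        # Create the file with its final mode so no reader ever sees a wider one,
        # then chmod so the umask cannot leave the public file narrower than intended.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:
            json.dump(payload, f, indent=1, sort_keys=True)
        os.chmod(path, mode)

    write(public_path, public_content, 0o644)
    write(sensitive_path, sensitive_content, 0o600)
    return public_path, sensitive_path


def find_leaked_values(public_path, metadata, sensitive_keys):
    """Collect every string leaf that sits under a sensitive key in the original
    metadata and return those that appear verbatim in the world-readable file."""
    keys = set(sensitive_keys)
    secrets = []

    def leaves(node, sensitive):
        if isinstance(node, dict):
            for k, v in node.items():
                leaves(v, sensitive or k in keys)
        elif isinstance(node, list):
            for v in node:
                leaves(v, sensitive)
        elif sensitive and isinstance(node, str):
            secrets.append(node)

    leaves(metadata, False)
    with open(public_path) as f:
        text = f.read()
    return sorted(s for s in secrets if s in text)


def check_run_dir(swapped=False):
    """Write both files into a temporary directory and report what an audit of
    the world-readable file and the two file modes would find."""
    with tempfile.TemporaryDirectory() as run_dir:
        public_path, sensitive_path = write_instance_data(run_dir, SAMPLE_METADATA, SENSITIVE_KEYS, swapped)
        with open(public_path) as f:
            public = json.load(f)
        return {
            "public_mode": stat.S_IMODE(os.stat(public_path).st_mode),
            "sensitive_mode": stat.S_IMODE(os.stat(sensitive_path).st_mode),
            "public_redacted": public["security-credentials"] == REDACTED,
            "leaked": find_leaked_values(public_path, SAMPLE_METADATA, SENSITIVE_KEYS),
        }


if __name__ == "__main__":
    print("correct:", check_run_dir())
    print("swapped:", check_run_dir(swapped=True))
```

On a real host the same audit is a one-liner against /run/cloud-init/instance-data.json as an unprivileged user: grep the file for any value you expect only root to see, and confirm that instance-data-sensitive.json is mode 0600. find_leaked_values searches for the sensitive values themselves rather than the key names, so it still catches a leak when the public file has been renamed or its keys normalised.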