Comment 2 for bug 1445295

Jeremy Stanley (fungi) wrote :

Why is the guest image publicly available? It seems to me that's a big part of the issue right there. Is it necessary to make that image accessible by tenants who make use of Trove services? Or is there some (perhaps poorly or even undocumented) expectation that the image will be secured against unprivileged access?

As for the bug status, I agree that the mailing list thread makes it pointless to leave this bug embargoed. Also there was a previous Trove bug report very similar to this one about sensitive information on the instance filesystem, but we did not issue an advisory for it because tenants are not supposed to have any access to the instance filesystem at all (modulo exploiting information leaks in mysqld which might make it possible to read files I guess?).