Headline
CVE-2022-2084: Remove schema errors from log (#1551) · canonical/cloud-init@4d467b1
Sensitive data could be exposed in world-readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.
@@ -198,6 +198,7 @@ def validate_cloudconfig_schema(
schema: dict = None,
strict: bool = False,
strict_metaschema: bool = False,
log_details: bool = True,
):
"""Validate provided config meets the schema definition.
@@ -210,6 +211,9 @@ def validate_cloudconfig_schema(
logging warnings.
@param strict_metaschema: Boolean, when True validates schema using strict
metaschema definition at runtime (currently unused)
@param log_details: Boolean, when True logs details of validation errors.
If there are concerns about logging sensitive userdata, this should
be set to False.
@raises: SchemaValidationError when provided config does not validate
against the provided schema.
@@ -234,12 +238,17 @@ def validate_cloudconfig_schema(
errors += ((path, error.message),)
if errors:
if strict:
# This could output/log sensitive data
raise SchemaValidationError(errors)
else:
if log_details:
messages = ["{0}: {1}".format(k, msg) for k, msg in errors]
LOG.warning(
"Invalid cloud-config provided:\n%s", "\n".join(messages)
details = “\n” + "\n".join(messages)
else:
details = (
"Please run ‘sudo cloud-init schema --system’ to "
“see the schema errors.”
)
LOG.warning("Invalid cloud-config provided: %s", details)
def annotated_cloudconfig_file(
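Review bot: The new `log_details` parameter defaults to `True` in the signature of `validate_cloudconfig_schema`, so the redaction is opt-in. Any call site that is not updated to pass `log_details=False` still writes the per-key error messages to the log, and per the commit description those messages can include hashed passwords. The callers are not visible in this section, so it is worth confirming that every path handling userdata passes `log_details=False`, or changing the default to `log_details: bool = False,` so that detailed logging is the explicit choice. Separately, the `strict` branch still raises `SchemaValidationError(errors)` with the full messages whatever `log_details` is, and the added comment only acknowledges this. The docstring should say so, for example `@param log_details: ... Has no effect when strict is True; the raised SchemaValidationError still carries the full error text.` The function body begins and continues outside the hunks shown.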
Related news
Ubuntu Security Notice 5496-1 - Mike Stroyan discovered that cloud-init could log password hashes when reporting schema failures. An attacker with access to these logs could potentially use this to gain user credentials.