Bug 867302 (CVE-2012-6639)

Summary: VUL-0: CVE-2012-6639: cloud-init: might access random "instance-data.local.domain" host
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Robert Schweikert <rjschwei>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: meissner, security-team, smash_bz, vuntz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/96853/
Whiteboard: maint:running:56555:moderate CVSSv2:RedHat:CVE-2012-6639:7.1:(AV:N/AC:H/Au:S/C:C/I:C/A:C)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2014-03-07 07:20:05 UTC
via oss-sec

Date: Thu, 06 Mar 2014 15:22:06 +0100
From: Florian Weimer <fweimer@redhat.com>
Subject: [oss-security] CVE request: cloud-init DNS resolution fix

Prior to version 0.7.0, cloud-init could send requests for EC2 instance data to untrusted systems:


This could allow someone who has control over a suitable domain name to obtain root rights on an affected system.

This was reported and fixed silently in 2012, so it would need a 2012 CVE name.

(This issue is not specific to cloud-init, there seem to be some wget scripts out there which exhibit the same behavior, but it's probably some custom stuff that's not distributed anywhere, so no CVE is needed for that.)

Florian Weimer / Red Hat Product Security Team

Comment 1 Swamp Workflow Management 2014-03-07 07:22:15 UTC
The SWAMPID for this issue is 56555.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-21.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 SMASH SMASH 2014-03-07 07:25:13 UTC
Affected packages:

SLE-11-SP3-PRODUCTS: cloud-init
SLE-11-SP3: cloud-init
SLE-11-SP2-PRODUCTS: cloud-init
SLE-11-SP2: cloud-init
Comment 3 Marcus Meissner 2014-03-07 07:27:19 UTC
revising last comment ... 

is_maintained cloud-init

Is cloud-init not used anymore?
Comment 4 Vincent Untz 2014-03-07 08:13:29 UTC
It's maintained by Robert, not by the SUSE Cloud team.
Comment 10 Marcus Meissner 2014-03-07 14:46:26 UTC
As we do not ship this anymore, and PubCloud uses 0.7.x, we can consider this fixed.