
Bug#1108403: (no subject)

To: zigo@debian.org
Subject: Re: Bug#1108403: cloud-init: CVE-2024-6174
In-Reply-To: <175105165755.1422810.7191493426370949878.reportbug@eldamar.lan>

On Fri, Jun 27, 2025 at 09:14:17PM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for cloud-init.
> 
> CVE-2024-6174[0]:
> | When a non-x86 platform is detected, cloud-init grants root access
> | to a hardcoded url with a local IP address. To prevent this, cloud-
> | init default configurations disable platform enumeration.

My inclination is to pull in the latest upstream patch release, 25.1.4
(we're currently at 25.1.1 in trixie).  However, the fix for
CVE-2024-6174 does introduce a functionality change that may be
disruptive in some less common environments (notably non-amd64
OpenStack).  There are potential workarounds, but they're not
necessarily trivial for users who are operating a cloud environment that
they don't control.  The primary workaround is to use a datadrive for VM
metadata, rather than a network service, but that's a choice made by the
cloud operator.

Thomas, as OpenStack maintainer, do you have any insight into just how
disruptive this change is likely to be?

Still researching this one...

noah
