CVE-2018-10896
published 2018-08-01CVE-2018-10896: The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some…
high7.1CVSS 3.1
AVLACLPRLUINSUCHIHAN
The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | cloud-init | — | — |
| canonical | cloud-init | >= 0.6.2 < 18.4 | 18.4 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_cloud-init_21.3-3_on_cbl_mariner_1.0 | — | — |