Packages
- cloud-init - initialization and customization tool for cloud instances
Details
Harry Sintonen discovered that the hotplugd socket in cloud-init was world
writable. An attacker could possibly use this issue to send hotplug-hook
commands. (CVE-2024-11584)
It was discovered that cloud-init granted root access to a hardcoded URL
with a local IP address when a non-x86 platform is detected. An attacker
could possibly impersonate an OpenStack endpoint and provide root
configuration data. (CVE-2024-6174)
Harry Sintonen discovered that the hotplugd socket in cloud-init was world
writable. An attacker could possibly use this issue to send hotplug-hook
commands. (CVE-2024-11584)
It was discovered that cloud-init granted root access to a hardcoded URL
with a local IP address when a non-x86 platform is detected. An attacker
could possibly impersonate an OpenStack endpoint and provide root
configuration data. (CVE-2024-6174)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 25.04 plucky | cloud-init – 25.1.4-0ubuntu0~25.04.1 | ||
| cloud-init-base – 25.1.4-0ubuntu0~25.04.1 | |||
| 24.04 noble | cloud-init – 25.1.4-0ubuntu0~24.04.1 | ||
| 22.04 jammy | cloud-init – 25.1.4-0ubuntu0~22.04.1 | ||
| 20.04 focal | cloud-init – 24.4.1-0ubuntu0~20.04.3+esm1 | ||
| 18.04 bionic | cloud-init – 23.1.2-0ubuntu0~18.04.1+esm1 | ||
| 16.04 xenial | cloud-init – 21.1-19-gbad84ad4-0ubuntu1~16.04.4+esm2 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.