In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.

Upstream patch:
https://github.com/canonical/cloud-init/pull/189
https://github.com/canonical/cloud-init/commit/42788bf24a1a0a5421a2d00a7f59b59e38ba1a14

References:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795
Created cloud-init tracking bugs for this issue:
Affects: epel-6 [bug 1798730]
Affects: fedora-all [bug 1798729]
As the cc_set_passwords module could be used to set SSH password authentication as well, the Attack Vector is set to Network. Confidentiality, Integrity and Availability are set to High because the direct impact of the flaw is the control of the user in the instance configured by cloud-init.
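An added example (not cloud-init code and not part of this bug report) of a check a defender could run over parsed cloud-config user data: it lists the users whose `chpasswd` entry requests a generated password, reports whether `ssh_pwauth` makes those accounts reachable by password over the network, and computes the entropy of a generated password of a given length. The `pwlen` values, the 62-character alphabet and the 80-bit target are assumptions; supply the values that match the installed version.

```python
import math

def entropy_bits(pwlen, alphabet_size):
    """Entropy of a password of pwlen characters drawn uniformly at random."""
    return pwlen * math.log2(alphabet_size)

def min_pwlen(target_bits, alphabet_size):
    """Shortest length that reaches target_bits for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def random_password_users(cfg):
    """Users whose chpasswd entry asks cloud-init to generate the password."""
    entries = (cfg.get("chpasswd") or {}).get("list") or []
    if isinstance(entries, str):  # the list may be one multi-line string
        entries = entries.splitlines()
    users = []
    for entry in entries:
        user, sep, password = entry.strip().partition(":")
        if sep and password.strip() in ("R", "RANDOM"):
            users.append(user)
    return users

def ssh_password_auth_enabled(cfg):
    """True when ssh_pwauth is set to a value that turns password logins on."""
    value = cfg.get("ssh_pwauth")
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "on", "yes")

def audit(cfg, pwlen, alphabet_size=62, target_bits=80):
    """Summarise exposure; pwlen is the generator default of the installed version."""
    users = random_password_users(cfg)
    bits = entropy_bits(pwlen, alphabet_size)
    return {
        "users": users,
        "network_exposed": bool(users) and ssh_password_auth_enabled(cfg),
        "entropy_bits": round(bits, 1),
        "weak": bool(users) and bits < target_bits,
        "min_pwlen": min_pwlen(target_bits, alphabet_size),
    }

# Constructed sample: user data as a dict, e.g. the result of yaml.safe_load().
SAMPLE = {
    "ssh_pwauth": True,
    "chpasswd": {"list": "alice:RANDOM\nbob:fixed-by-admin\ncarol:R\n", "expire": False},
}

if __name__ == "__main__":
    print(audit(SAMPLE, pwlen=8))  # pwlen=8 is a constructed value
```
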
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:3898 https://access.redhat.com/errata/RHSA-2020:3898
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8632
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4650 https://access.redhat.com/errata/RHSA-2020:4650