It was reported [1],[2] that cloud-init could send requests for EC2 instance data to untrusted systems. This could allow someone who has control over a suitable domain name to obtain root rights on an affected system. This issue was found and silently fixed in 2012; version 0.7.0 contains the fix [3]. [1] http://seclists.org/oss-sec/2014/q1/514 [2] https://bugs.launchpad.net/cloud-init/+bug/1040200 [3] http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/635 Statement: Not vulnerable. This issue did not affect the versions of cloud-init as shipped with Red Hat Enterprise Linux OpenStack Platform 3.0.
Created cloud-init tracking bugs for this issue: Affects: epel-5 [bug 1073592]
This does affect EPEL5, however, as it provides cloud-init 0.6.3. I do see now that EPEL 6 does in fact include 0.7.4.
A patch that fixes this bug was added the cloud-init in EPEL 5 back in 2012, so it's not vulnerable either. http://pkgs.fedoraproject.org/cgit/cloud-init.git/commit/?h=el5&id=8462fc9d5504c426d14baa797a759006435e078f
Perfect, thanks Sam!