CVE-2022-2084 in cloud-init
Summary
by MITRE • 04/20/2023
Sensitive data could be exposed in world readable logs of cloud-init before version 22.3 when schema failures are reported. This leak could include hashed passwords.
Analysis
by VulDB Data Team • 06/10/2025
CVE-2022-2084 is a critical security flaw in the cloud-init configuration management tool that affects versions prior to 22.3. cloud-init is a fundamental component of cloud environments: it initializes instances by processing configuration data from sources such as metadata services, user data and cloud provider APIs. When cloud-init encounters a schema validation failure while processing that data, it writes detailed diagnostic log entries describing the problem. The flaw is that those entries are not sanitized: sensitive values such as hashed passwords taken from the configuration that triggered the validation error are written to the log without redaction.
The vulnerability sits at the intersection of configuration management and logging security, where the tool's diagnostic mechanism exposes sensitive information through world-readable log files. Concretely, cloud-init's error reporting includes raw or partially processed configuration data in its log output without sanitizing sensitive fields, so any user with read access to the system's log directories can extract hashed password values and other sensitive configuration elements that were part of the failed validation. This is especially concerning in cloud environments where multiple users or processes have access to shared log storage and file permissions are not consistently enforced across all system components.
The operational impact of CVE-2022-2084 goes beyond simple information disclosure: exposed password hashes can enable offline password cracking or credential reuse against other systems. When instances are provisioned with cloud-init configurations that contain authentication data, the presence of that data in world-readable logs creates an attack surface for anyone with access to the file system or to log aggregation services. The risk is greatest in multi-tenant environments where log files from different customers are stored in shared locations, or where automated log collection gathers data from many systems without proper access controls. The issue is also a violation of the principle of least privilege, since the logging mechanism grants broader access to sensitive configuration information than intended.
Mitigation of CVE-2022-2084 should cover both immediate remediation and longer-term hardening of cloud-init deployments. The primary and most effective fix is to upgrade affected systems to cloud-init 22.3 or later, which sanitizes sensitive data in log output. Organizations should also enforce strict permissions on log directories so that log files are not world-readable, using Unix permissions or equivalent mechanisms. Security teams should set log rotation and retention policies that minimize the exposure window for sensitive information, and use centralized log management that can filter or redact sensitive data before storage. Administrators should regularly audit log file permissions and access controls, particularly in cloud environments where automated provisioning may create unexpected access patterns. The vulnerability aligns with CWE-200, which addresses improper exposure of sensitive information, and could be categorized under ATT&CK technique T1562.001 ("Disable or Modify Tools") and T1078 ("Valid Accounts") if exploited to gain unauthorized access through exposed credentials.
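The two controls described above, redacting sensitive fields before a schema-failure message is logged and checking that the log file is not world-readable, as an added example in Python (cloud-init's own language). This is not cloud-init's code: the set of sensitive keys is an assumption for illustration, and the sample cloud-config and its hashes are constructed.

```python
import os
import stat
import tempfile

# Keys treated as sensitive in this example; cloud-init's own list may differ.
SENSITIVE_KEYS = {"passwd", "hashed_passwd", "plain_text_passwd", "password", "chpasswd"}
REDACTED = "REDACTED"
# Constructed sample cloud-config (not from any real instance); the hashes are fake.
SAMPLE_CONFIG = {
    "users": [{"name": "alice", "hashed_passwd": "$6$constructed$fakehash", "lock_passwd": False}],
    "chpasswd": {"list": ["bob:$6$constructed$fakehash2"], "expire": False},
    "runcmd": ["echo provisioning"],
}

def redact(obj):
    """Return a copy of obj with every value stored under a sensitive key replaced."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k in SENSITIVE_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def schema_error_message(config, errors):
    """Message to log on a schema failure: the redacted document, never the raw one."""
    return f"Invalid cloud-config: {errors}; document: {redact(config)}"

def is_world_readable(path):
    """True when 'other' can read the file, the precondition for this kind of leak."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def harden_log_permissions(path):
    """Drop read and write for group and other; returns the new mode bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode &= ~(stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH)
    os.chmod(path, mode)
    return mode

def demo_permissions():
    """Create a 0644 temp log, check it, harden it; returns (before, after) readability."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = is_world_readable(path)
        harden_log_permissions(path)
        return before, is_world_readable(path)
    finally:
        os.remove(path)
```

The same `is_world_readable` check can be pointed at an instance's actual cloud-init log path during an audit; the redaction helper shows the shape of the sanitization the 22.3 fix introduces, not its exact implementation.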