On Tue, Jul 16, 2013 at 10:58:52AM +0100, Richard W.M. Jones wrote: > Cloud-init is reasonably careful about where it gets the data from. > By default it looks first for a config drive (a specially formatted > block device which has to be explicitly added to the VM), and then > secondly for a webserver on a link-local IPv4 address (usually > 169.254.169.254). Also, if configured, a specially formatted virtual > floppy or virtual CD-ROM drive can be used. None of these can be used > to remotely exploit a VM "connected to the public Internet [etc]."
The attack would be something else on the link-local network responding to 169.254.169.254. So it's not "the public internet" in general, but connecting to an untrusted network. -- Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mat...@fedoraproject.org> -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
