Package: src:cloud-utils
Version: 0.31-1
Severity: important

The ec2metadata command queries a well-known link-local endpoint (169.254.169.254 in Amazon EC2) to obtain information about the instance on which it runs. Last year, AWS released "IMDSv2" in an effort to protect customers against some potentially severe information leaks related to accidentally proxying this local data to the network. Details at https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

IMDSv2 makes use of a session-based protocol, requiring clients to first retrieve a time-limited session token, and then to include that token with subsequent requests.

Because the intended purpose of IMDSv2 is to provide an additional layer of defense against network abuses, customers utilizing it may choose to disable IMDSv1. It's important that we facilitate this use case by supporting IMDSv2 wherever possible.

We should work to add this support in both bullseye and buster (and potentially stretch if feasible).

noah
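
The session flow described in this report, as an added example that is not part of the original report or of the cloud-utils code: a client that first requests a time-limited token and then presents it on the data request, run against a constructed local mock that behaves like an endpoint with IMDSv1 disabled. The mock, its token and instance ID, and the function names are assumptions made for illustration; the token path and the two header names are the ones IMDSv2 uses.

```python
import http.server
import threading
import urllib.error
import urllib.request

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

class MockIMDS(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an endpoint with IMDSv1 disabled."""
    token = "constructed-session-token"
    data = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}  # constructed

    def _reply(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):  # token request: needs the TTL header
        ok = self.path == TOKEN_PATH and self.headers.get(TTL_HEADER, "").isdigit()
        self._reply(200 if ok else 400, self.token if ok else "")

    def do_GET(self):  # data request: refused unless the token is presented
        if self.headers.get(TOKEN_HEADER) != self.token:
            return self._reply(401)
        body = self.data.get(self.path, "")
        self._reply(200 if body else 404, body)

def start_mock():
    server = http.server.HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

def fetch(base, path, ttl=21600):
    """IMDSv2: PUT for a time-limited token, then GET with it attached."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT", headers={TTL_HEADER: str(ttl)})
    token = OPENER.open(req, timeout=2).read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    return OPENER.open(req, timeout=2).read().decode()

def status_without_token(base, path):
    """IMDSv1-style GET with no token; returns the HTTP status code."""
    try:
        return OPENER.open(base + path, timeout=2).status
    except urllib.error.HTTPError as err:
        return err.code
```

A client that only issues the token-less GET sees 401 once IMDSv1 is disabled, which is the failure this report asks ec2metadata to avoid.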