Security bulletins

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-53141

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.2296000
• 1.28.15-gke.1673000
• 1.29.13-gke.1038000
• 1.30.9-gke.1009000
• 1.31.5-gke.1023000
• 1.32.1-gke.1729000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.27.16-gke.2342000
• 1.28.15-gke.1720000
• 1.29.13-gke.1109000
• 1.30.9-gke.1127000
• 1.31.5-gke.1169000
• 1.32.1-gke.1729000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-53141

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-53141

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-53141

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-53141

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

A security issue was discovered in the Google Secret Manager Provider for Secret Store CSI Driver. To exploit this vulnerability, an attacker must be able to do the following:

1. Create Pods on nodes where the CSI driver is running.
2. Create Secrets in the same namespaces as those Pods.
3. Mount Secrets Store CSI volumes on the Pod with the nodePublishSecretRef option set.
4. Provide a malicious Application Default Credential configuration in the Secret.
5. Reference the Secret in the nodePublishSecretRef option on the volume mount.

By following these steps, an attacker could trick the CSI driver into leaking the Kubernetes service account token of the CSI driver to a URL controlled by the attacker.

The Secret Manager Provider can be used in two ways with a GKE cluster. The Secret Manager add-on for GKE is a managed feature available on GKE clusters. Alternatively, as a GKE user you can install the open source Google Secret Manager Provider for Secret Store CSI Driver on your GKE cluster. In both cases, the provider allows a Kubernetes Pod to access secrets stored in Google Cloud Secret Manager as files mounted to the Pod as a volume.

The fixes for both the managed GKE Secret Manager add-on and open source Secret Manager Provider disable the use of nodePublishSecretRef to avoid this issue. This was determined not to impact any existing usage of the GKE Secret Manager add-on. A very small number of GKE clusters using the open source Secret Manager Provider with nodePublishSecretRef might see an impact. The open source patch makes it possible to re-enable the nodePublishSecretRef feature via the ALLOW_NODE_PUBLISH_SECRET environment variable, if necessary.

What should I do?

Do either of following depending on how your GKE cluster uses the Secret Manager Provider:

Managed GKE Secret Manager add-on

If you're using the managed GKE add-on, upgrade your GKE cluster to a patched version. The following versions of GKE are updated with code to fix this vulnerability. Upgrade your node pools to the following versions or later:

• 1.27.16-gke.2051000
• 1.28.15-gke.1362000
• 1.29.11-gke.1012000
• 1.30.6-gke.1596000
• 1.31.1-gke.1846000

To receive the fix as quickly as possible, we recommend manually upgrading your cluster and Standard node pools to a patched GKE version. GKE release channels allow you to patch before the new version becomes an auto-upgrade target on your selected release channel.

Open source Secret Manager Provider

If you're using the open source Secret Manager provider, upgrade to 1.7.0. If you use the Helm Chart, the latest version already refers to 1.7.0. If you base your installation directly on the deploy/provider-gcp-plugin.yaml file, note that the image has also been updated in that file.

A vulnerability in the Google Secret Manager Provider for Secret Store CSI Driver allows an attacker with Pod and Secret creation permissions in a namespace to exfiltrate the CSI driver's Kubernetes service account token by mounting a malicious volume on a Pod.

What should I do?

If you have manually installed the open source Secret Manager Provider, you might be affected. See instructions regarding the open source Secret Manager Provider on the GKE tab.

GDC (VMware) clusters are otherwise not affected as they don't offer a managed add-on, so no further action is required.

A vulnerability in the Google Secret Manager Provider for Secret Store CSI Driver allows an attacker with Pod and Secret creation permissions in a namespace to exfiltrate the CSI driver's Kubernetes service account token by mounting a malicious volume on a Pod.

What should I do?

If you have manually installed the open source Secret Manager Provider, you might be affected. See instructions regarding the open source Secret Manager Provider on the GKE tab.

GKE on AWS clusters are otherwise not affected as they don't offer a managed add-on, so no further action is required.

A vulnerability in the Google Secret Manager Provider for Secret Store CSI Driver allows an attacker with Pod and Secret creation permissions in a namespace to exfiltrate the CSI driver's Kubernetes service account token by mounting a malicious volume on a Pod.

What should I do?

If you have manually installed the open source Secret Manager Provider, you might be affected. See instructions regarding the open source Secret Manager Provider on the GKE tab.

GKE on Azure clusters are otherwise not affected as they don't offer a managed add-on, so no further action is required.

A vulnerability in the Google Secret Manager Provider for Secret Store CSI Driver allows an attacker with Pod and Secret creation permissions in a namespace to exfiltrate the CSI driver's Kubernetes service account token by mounting a malicious volume on a Pod.

What should I do?

If you have manually installed the open source Secret Manager Provider, you might be affected. See instructions regarding the open source Secret Manager Provider on the GKE tab.

GDC (bare metal) clusters are otherwise not affected as they don't offer a managed add-on, so no further action is required.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-50264

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-01-23 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.27.16-gke.2270000
• 1.28.15-gke.1641000
• 1.29.13-gke.1006000
• 1.30.8-gke.1282000
• 1.31.5-gke.1023000
• 1.32.1-gke.1002000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.2081000
• 1.28.15-gke.1480000
• 1.29.12-gke.1055000
• 1.30.8-gke.1051000
• 1.31.4-gke.1072000
• 1.32.0-gke.1448000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-50264

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-50264

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-50264

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-50264

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-53057

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-01-23 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.27.16-gke.2270000
• 1.28.15-gke.1641000
• 1.29.13-gke.1006000
• 1.30.8-gke.1282000
• 1.31.5-gke.1023000
• 1.32.1-gke.1002000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.1836000
• 1.28.15-gke.1342000
• 1.29.11-gke.1012000
• 1.30.7-gke.1077000
• 1.31.3-gke.1056000
• 1.32.0-gke.1448000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-53057

What should I do?

2025-01-22 Update: The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:

• 1.29.900-gke.181
• 1.31.0-gke.889
• 1.30.400-gke.133

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-53057

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-53057

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-53057

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

2025-01-23 Update: Updated the Affected resources section.

2025-01-08 Update: The actual start date and time of the issue was 2024-12-04 at 22:47 UTC.

A security issue was introduced on 2024-12-08 at 13:44 UTC and resolved on 2025-01-04 at 04:00 UTC. This security issue impacted resources in VPCs with GKE Multi-Cluster Gateway (MCG) configured. MCG is an optional feature that is used by a small subset of GKE customers. We are individually notifying customers who had the feature enabled during that time period.

Multi-Cluster Gateway (MCG) is a GKE feature that allows customers to load balance traffic across multiple clusters. To perform that function, MCG needs to make changes to the project-level Google Cloud firewall. An error inside MCG resulted in the creation of an ingress firewall rule that allowed TCP traffic to all IPs (0.0.0.0/0) and ports inside the VPC. Steps have been taken to prevent errors of this type in the future.

As the firewall is a VPC-level allow list, the following types of resources might have been network reachable during the time period:

• Customer applications running on GKE worker nodes accessible through public IPs.
• Customer applications running on Compute Engine virtual machines (VMs) with public IPs.
• Any other Google Cloud resources in the same VPC as the cluster with public IPs and listening ports.

GKE worker nodes, Compute Engine VMs, and other resources that were only using private IPs might have been more broadly accessible within their VPC, but they would not have been accessible to the Internet. Applications protected by the following mechanisms would've reduced or eliminated their exposure:

• Equal or higher priority DENY firewall rules (MCG sets firewall rules priority to 1000 by default)
• Service mesh using identity-based authorization
• Application-level authorization

Affected resources

2025-01-23 Update: GKE fleets (or hubs) using MCG in shared VPC service projects are not affected by the issue as firewall rules are not managed from shared VPC service projects.

Resources residing in VPCs with GKE MCG configured and listening on public IPs were affected. The resources affected include, but are not limited to, applications running on GKE worker nodes.

What should I do?

The issue has been resolved across all impacted VPCs by fixing the incorrect firewall configuration. The rules created in error have been automatically modified with the appropriate source ranges (130.211.0.0/22, 35.191.0.0/16) to allow the ingress traffic coming from Google Cloud health check infrastructure, and, optionally, your proxy-only subnet ranges for Internal Gateways. To know more about the firewall rules automatically created by MCG in your project(s), see GKE Gateway firewall rules.

You can, optionally, confirm resolution by checking the managed firewall rules on VPCs using GKE MCG. Confirm a source range is set on managed firewall rules that use the prefix gkemcg1-l7-. Inspect these rules and confirm a source range is set.

To list the MCG managed firewall rules in your current environment, run the following command:

gcloud compute firewall-rules list --format="json" --filter="name:gkemcg1-l7-*" | jq -r '.[] | "\(.name): \(.sourceRanges // "No source range")"' | awk -F: '{if ($2 ~ /No source range|^\s*$/) print "Rule "$1" has an EMPTY or MISSING source range."; else print "Rule "$1" has source range(s): "$2;}'

To search logs for updates to MCG managed firewall configurations, use the Logs Explorer with the below query:

protoPayload.serviceName="compute.googleapis.com"
          resource.type="gce_firewall_rule"
          protoPayload.resourceName=~"projects/[^/]+/global/firewalls/gkemcg1-"
          -operation.last="true"

To list the MCG managed firewall rules across your organization, run the following command to query Cloud Asset Inventory:

gcloud asset search-all-resources
          --scope='organizations/'
          --asset-types='compute.googleapis.com/Firewall'
          --query 'name: //compute.googleapis.com/projects/*/*/firewalls/gkemcg*'

The following additional controls provide defense in depth against untrusted networks and can be considered to strengthen security posture:

• Use private GKE nodes to ensure your nodes only get private IPs.
• Use explicit DENY firewall policies where possible.
• Use hierarchical firewall policy to override VPC level firewall configurations.
• Use Cloud Service Mesh to provide authentication and authorization.
• Use in-application authentication and authorization.
• Use Organization Policy Service to block firewall rules that allow all traffic. To do so, create a constraint for denying all traffic firewall rules, and apply it with a policy.

We recommend reviewing configurations and logs to identify any applications or services that might have been exposed during the previously mentioned time period that should not have been exposed. You can use the following tools to check inbound traffic to your resources running in Google Cloud:

• VPC Flow Logs for visibility into network throughput and performance
• Cloud Logging to search and analyze logging data and events from Google Cloud services and applications configured to send logs
• Firewall Rules Logging to audit, verify, and analyze the effects of your firewall rules
• Security Command Center for visibility into security findings indicating suspicious network activity
• Your application logs

A security issue was discovered that impacts Multi-Cluster Gateway (MCG), a GKE feature that allows customers to load balance traffic across multiple clusters.

GDC (VMware) clusters do not support MCG and are not affected.

What should I do?

No action required.

A security issue was discovered that impacts Multi-Cluster Gateway (MCG), a GKE feature that allows customers to load balance traffic across multiple clusters.

GKE on AWS clusters do not support MCG and are not affected.

What should I do?

No action required.

A security issue was discovered that impacts Multi-Cluster Gateway (MCG), a GKE feature that allows customers to load balance traffic across multiple clusters.

GKE on Azure clusters do not support MCG and are not affected.

What should I do?

No action required.

A security issue was discovered that impacts Multi-Cluster Gateway (MCG), a GKE feature that allows customers to load balance traffic across multiple clusters.

GDC (bare metal) clusters do not support MCG and are not affected.

What should I do?

No action required.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-46800

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-12-12 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.1342000
• 1.29.10-gke.1280000
• 1.30.6-gke.1596000
• 1.31.3-gke.1023000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1217000
• 1.29.9-gke.1496000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-46800

What should I do?

2025-01-22 Update: The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:

• 1.29.900-gke.181
• 1.31.0-gke.889
• 1.30.400-gke.133

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-46800

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-46800

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-46800

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

A security issue discovered in Kubernetes clusters could result in remote code execution using a gitRepo volume. If the git repository is maliciously constructed, a user with the ability to create a Pod and associate a gitRepo volume could execute arbitrary commands beyond the container boundary.

What should I do?

Upgrade your GKE cluster and node pools to a patched version. The following GKE versions have been updated to fix this vulnerability:

• 1.27.16-gke.1008000
• 1.28.12-gke.1052000
• 1.29.7-gke.1008000
• 1.30.3-gke.1225000
• 1.31.0-gke.1058000

For security purposes, even with node auto-upgrade enabled, we recommend manually upgrading your cluster and node pools to a patched GKE version. GKE release channels allow you to patch without having to unsubscribe or change release channels. This lets you secure your cluster and nodes before the new version becomes the default on your selected release channel.

What vulnerabilities are addressed by this patch?

CVE-2024-10220 allows an attacker to create a Pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary.

A security issue discovered in Kubernetes clusters could result in remote code execution using a gitRepo volume. If the git repository is maliciously constructed, a user with the ability to create a Pod and associate a gitRepo volume could execute arbitrary commands beyond the container boundary.

What should I do?

A security issue discovered in Kubernetes clusters could result in remote code execution using a gitRepo volume. If the git repository is maliciously constructed, a user with the ability to create a Pod and associate a gitRepo volume could execute arbitrary commands beyond the container boundary.

What should I do?

A security issue discovered in Kubernetes clusters could result in remote code execution using a gitRepo volume. If the git repository is maliciously constructed, a user with the ability to create a Pod and associate a gitRepo volume could execute arbitrary commands beyond the container boundary.

What should I do?

A security issue discovered in Kubernetes clusters could result in remote code execution using a gitRepo volume. If the git repository is maliciously constructed, a user with the ability to create a Pod and associate a gitRepo volume could execute arbitrary commands beyond the container boundary.

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-11-19 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1784000
• 1.28.15-gke.1080000
• 1.29.10-gke.1155000
• 1.30.6-gke.1059000
• 1.31.2-gke.1354000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.1478000
• 1.28.14-gke.1099000
• 1.29.9-gke.1177000
• 1.30.5-gke.1145000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

What should I do?

2024-10-15 Update: The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:

• 1.30.100-gke.96
• 1.29.600-gke.109
• 1.28.1000-gke.59

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GKE does not use the CUPS printing system and is not affected.

What should I do?

No action required

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GDC software for VMware does not use the CUPS printing system and is not affected.

What should I do?

No action required

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GKE on AWS does not use the CUPS printing system and is not affected.

What should I do?

No action required

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GKE on Azure does not use the CUPS printing system and is not affected.

What should I do?

No action required

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

What should I do?

No action required

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

Any Kubernetes environment with Windows nodes is affected. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

Affected GKE versions

• 1.27.15 and earlier
• 1.28.11 and earlier
• 1.29.6 and earlier
• 1.30.2 and earlier

What should I do?

The following versions of GKE have been updated to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:

• 1.27.16-gke.1008000
• 1.28.12-gke.1052000
• 1.29.7-gke.1008000
• 1.30.3-gke.1225000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

What vulnerabilities are being addressed?

CVE-2024-5321

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

Any Kubernetes environment with Windows nodes is affected. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

What should I do?

Patch versions for GDC software for VMware are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are being addressed?

CVE-2024-5321

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

GKE on AWS clusters do not support Windows nodes and are not affected.

What should I do?

No action required

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

GKE on Azure clusters do not support Windows nodes and are not affected.

What should I do?

No action required

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

GDC software for bare metal clusters do not support Windows nodes and are not affected.

What should I do?

No action required

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GKE does not support IPv6 on windows and is not affected by this CVE. No action is required.

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GDC software for VMware does not support IPv6 on windows and is not affected by this CVE. No action is required.

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GKE on AWS is not affected by this CVE. No action is required.

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GKE on Azure is not affected by this CVE. No action is required.

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GDC (bare metal) isn't affected by this CVE. No action is required.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-11-01 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1175000
• 1.29.9-gke.1341000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.1008000
• 1.28.12-gke.1052000
• 1.29.7-gke.1008000
• 1.30.3-gke.1225000
• 1.31.0-gke.1058000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

What should I do?

2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.28.1100-gke.91
• 1.30.200-gke.101
• 1.29.600-gke.109

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1175000
• 1.29.9-gke.1341000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.1008000
• 1.28.12-gke.1052000
• 1.29.7-gke.1008000
• 1.30.3-gke.1225000
• 1.31.0-gke.1058000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

What should I do?

2024-10-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.700-gke.110
• 1.28.1100-gke.91
• 1.30.200-gke.101

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1175000
• 1.29.9-gke.1341000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.15-gke.1125000
• 1.28.11-gke.1170000
• 1.29.6-gke.1137000
• 1.30.3-gke.1225000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

What should I do?

2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.30.200-gke.101
• 1.29.600-gke.109
• 1.28.1100-gke.91

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-21 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1051000
• 1.28.12-gke.1052000
• 1.29.7-gke.1174000
• 1.30.3-gke.1225000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.14-gke.1093000
• 1.28.10-gke.1141000
• 1.29.5-gke.1192000
• 1.30.2-gke.1394000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

What should I do?

2024-09-19 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.400
• 1.28.900

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1175000
• 1.29.9-gke.1341000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.14-gke.1093000
• 1.28.10-gke.1141000
• 1.29.5-gke.1192000
• 1.30.2-gke.1394000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

What should I do?

2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.30.200-gke.101
• 1.29.600-gke.109
• 1.28.1100-gke.91

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-10-02 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1287000
• 1.28.13-gke.1042000
• 1.29.8-gke.1096000
• 1.30.4-gke.1476000
• 1.30.4-gke.1476000
• 1.31.0-gke.1577000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1360000
• 1.27.14-gke.1022000
• 1.28.9-gke.1209000
• 1.29.4-gke.1542000
• 1.30.2-gke.1394000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

What should I do?

2024-09-20 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.30.200
• 1.29.500
• 1.28.1000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

2024-07-18 Update: The original version of this bulletin incorrectly stated that Autopilot clusters were impacted. Autopilot clusters in the default configuration aren't impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow the CAP_NET_ADMIN capability.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.13-gke.1166000
• 1.28.9-gke.1209000
• 1.29.4-gke.1542000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-19 Update: The following versions of GKE contain code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000
• 1.30.2-gke.1394000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1300000
• 1.27.13-gke.1166000
• 1.28.9-gke.1209000
• 1.29.4-gke.1542000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

What should I do?

2024-09-16 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.200
• 1.28.700
• 1.16.11

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

2024-07-03 Update: An expedited rollout is in progress and is expected to make new patch versions available across all zones by July 3, 2024 at 5 PM US and Canadian Pacific Daylight Time (UTC-7). To get a notification as soon as a patch is available for your specific cluster, use cluster notifications.

2024-07-02 Update: This vulnerability affects both Autopilot mode and Standard mode clusters. Each section that follows will tell you the modes to which that section applies.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

All supported versions of Container Optimized OS and Ubuntu images on GKE run versions of OpenSSH that are vulnerable to this issue.

GKE clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.

The GKE control plane is not vulnerable to this issue.

What should I do?

2024-07-03 Update: Patch versions for GKE

An expedited rollout is in progress and is expected to make new patch versions available across all zones by July 3, 2024 at 5 PM US and Canadian Pacific Daylight Time (UTC-7).

Clusters and nodes with autoupgrade enabled will begin upgrading as the week progresses, but due to the severity of the vulnerability we recommend upgrading manually as follows to get patches as fast as possible.

For both Autopilot and Standard clusters, upgrade your control plane to a patched version. Additionally, for Standard mode clusters, upgrade your node pools to a patched version. Autopilot clusters will begin upgrading your nodes to match the control plane version as soon as possible.

Patched GKE versions are available for every supported version to minimize the changes necessary to apply the patch. The version number of each new version is an increment on the final digit in the version number of a corresponding existing version. For example, if you are on 1.27.14-gke.1100000, you will upgrade to 1.27.14-gke.1100002 to get the fix with the smallest possible change. The following patched GKE versions are available:

• 1.26.15-gke.1090004
• 1.26.15-gke.1191001
• 1.26.15-gke.1300001
• 1.26.15-gke.1320002
• 1.26.15-gke.1381001
• 1.26.15-gke.1390001
• 1.26.15-gke.1404002
• 1.26.15-gke.1469001
• 1.27.13-gke.1070002
• 1.27.13-gke.1166001
• 1.27.13-gke.1201002
• 1.27.14-gke.1022001
• 1.27.14-gke.1042001
• 1.27.14-gke.1059002
• 1.27.14-gke.1100002
• 1.27.15-gke.1012003
• 1.28.9-gke.1069002
• 1.28.9-gke.1209001
• 1.28.9-gke.1289002
• 1.28.10-gke.1058001
• 1.28.10-gke.1075001
• 1.28.10-gke.1089002
• 1.28.10-gke.1148001
• 1.28.11-gke.1019001
• 1.29.4-gke.1043004
• 1.29.5-gke.1060001
• 1.29.5-gke.1091002
• 1.29.6-gke.1038001
• 1.30.1-gke.1329003
• 1.30.2-gke.1023004

To check whether a patch is available in your cluster zone or region, run the following command:

gcloud container get-server-config --location=LOCATION

Replace LOCATION with your zone or region.

2024-07-02 Update: Both Autopilot mode and Standard mode clusters should be upgraded as soon as possible after patch versions are available.

A patched GKE version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications. We recommend working through the following steps to check your cluster's exposure, and applying the mitigations described, as necessary.

Determine whether your nodes have public IP addresses

2024-07-02 Update: This section applies to both Autopilot and Standard clusters.

If a cluster is created with enable-private-nodes, nodes will be private, which mitigates the vulnerability by removing exposure to the Internet. Run the following command to determine if your cluster has private nodes enabled:

gcloud container clusters describe $CLUSTER_NAME \
--format="value(privateClusterConfig.enablePrivateNodes)"

If the return value is True, all nodes are private nodes for this cluster and the vulnerability is mitigated. If the value is empty or false, continue on to apply one of the mitigations in the following sections.

To find all clusters originally created with public nodes, use this Cloud Asset Inventory query in the project or organization:

SELECT
  resource.data.name AS cluster_name,
  resource.parent AS project_name,
  resource.data.privateClusterConfig.enablePrivateNodes
FROM
  `container_googleapis_com_Cluster`
WHERE
  resource.data.privateClusterConfig.enablePrivateNodes is null OR
  resource.data.privateClusterConfig.enablePrivateNodes = false

Disallow SSH to the cluster nodes

2024-07-02 Update: This section applies to both Autopilot and Standard clusters.

The default network is pre-populated with a default-allow-ssh firewall rule to allow SSH access from the public Internet. To remove this access, you can:

• Optionally create rules to allow any SSH access you need from trusted networks to GKE nodes or other Compute Engine VMs in the project.
• Disable the default firewall rule with the following command:
  gcloud compute firewall-rules update default-allow-ssh --disabled --project=$PROJECT

If you have created any other firewall rules that may allow SSH through TCP on port 22, disable them, or limit the source IPs to trusted networks.

Verify that you can no longer SSH to the cluster nodes from the Internet. This firewall configuration mitigates the vulnerability.

Convert public node pools to private

2024-07-02 Update: For Autopilot clusters originally created as public clusters, you can place your workloads on private nodes by using nodeSelectors. However, Autopilot nodes that run system workloads on clusters that were originally created as public clusters will still be public nodes and should be protected by using the firewall changes described in the preceding section.

To best protect clusters originally created with public nodes, we recommend first disallowing SSH through the firewall as already described. If you are not able to disallow SSH through the firewall rules, you can convert public node pools on GKE Standard clusters to private by following this guidance to isolate node pools.

Change SSHD configuration

2024-07-02 Update: This section only applies to Standard clusters. Autopilot workloads aren't allowed to modify node configuration.

If none of these mitigations can be applied, we have also published a daemonset that sets SSHD LoginGraceTime to zero, and restarts the SSH daemon. This daemonset can be applied to the cluster to mitigate the attack. Note that this configuration may increase the risk of denial of service attacks and may cause issues with legitimate SSH access. This daemonset should be removed after a patch has been applied.

2024-07-11 Update: The following versions of GDC software for VMware have been updated with code to fix this vulnerability. Upgrade your admin workstation, admin clusters, and user clusters (including node pools) to one of the following versions or later. For instructions, see Upgrade a cluster or node pool.

• 1.16.10-gke.36
• 1.28.700-gke.151
• 1.29.200-gke.245

The 2024-07-02 update to this bulletin incorrectly stated that all supported versions of Ubuntu images on GDC software for VMware run versions of OpenSSH that are vulnerable to this issue. Ubuntu images on GDC software for VMware version 1.16 clusters run versions of OpenSSH that are not vulnerable to this issue. Ubuntu images in GDC software for VMware 1.28 and 1.29 are vulnerable. Container-Optimized OS images on all supported versions of GDC software for VMware are vulnerable to this issue.

2024-07-02 Update: All supported versions of Container-Optimized OS and Ubuntu images on GDC software for VMware run versions of OpenSSH that are vulnerable to this issue.

GDC software for VMware clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

What should I do?

2024-07-02 Update: A patched GDC software for VMware version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you apply the following mitigations as necessary.

Disallow SSH to the cluster nodes

You can change your infrastructure network setup to disallow SSH connectivity from untrusted sources, such as the public Internet.

Change sshd configuration

If you can't apply the preceding mitigation, we have published a DaemonSet that sets the sshd LoginGraceTime to zero and restarts the SSH daemon. This DaemonSet can be applied to the cluster to mitigate the attack. Note that this configuration might increase the risk of denial of service attacks and might cause issues with legitimate SSH access. Remove this DaemonSet after a patch has been applied.

2024-07-11 Update: The following versions of GKE on AWS have been updated with code to fix this vulnerability:

• 1.27.14-gke.1200
• 1.28.10-gke.1300
• 1.29.5-gke.1100

Upgrade your GKE on AWS control plane and node pools to one of these patched versions or later. For instructions, see Upgrade your AWS cluster version and Update a node pool.

2024-07-02 Update: All supported versions of Ubuntu images on GKE on AWS run versions of OpenSSH that are vulnerable to this issue.

GKE on AWS clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

What should I do?

2024-07-02 Update: A patched GKE on AWS version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you work through the following steps to check your cluster's exposure, and apply the described mitigations as necessary.

Determine whether your nodes have public IP addresses

GKE on AWS doesn't provision any machine with either public IP addresses or with firewall rules that allow traffic to port 22 by default. However, depending on your subnet configuration, machines can automatically get a public IP address during provisioning.

To check whether nodes are provisioned with public IP addresses, look at the configuration of the subnet that's associated with your AWS node pool resource.

Disallow SSH to the cluster nodes

Even though GKE on AWS doesn't allow traffic on port 22 on any node by default, customers can attach additional security groups to node pools, enabling inbound SSH traffic.

We recommend that you remove or scope down corresponding rules from the provided security groups.

Convert public node pools to private

To best protect clusters with public nodes, we recommend first disallowing SSH through your security group, as described in the previous section. If you can't disallow SSH through the security group rules, you can convert public node pools to private by disabling the option to automatically assign public IPs to machines within a subnet and reprovisioning the node pool.

2024-07-11 Update: The following versions of GKE on Azure have been updated with code to fix this vulnerability:

• 1.27.14-gke.1200
• 1.28.10-gke.1300
• 1.29.5-gke.1100

Upgrade your GKE on Azure control plane and node pools to one of these patched versions or later. For instructions, see Upgrade your Azure cluster version and Update a node pool.

2024-07-02 Update: All supported versions of Ubuntu images on GKE on Azure run versions of OpenSSH that are vulnerable to this issue.

GKE on Azure clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

What should I do?

2024-07-02 Update: A patched GKE on Azure version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you work through the following steps to check your cluster's exposure, and apply the described mitigations as necessary.

Determine whether your nodes have public IP addresses

GKE on Azure doesn't provision any machine with either public IP addresses or with firewall rules that allow traffic to port 22 by default. To review your Azure configuration to check whether there are any public IP addresses configured on your GKE on Azure cluster, run the following command:

az network public-ip list -g CLUSTER_RESOURCE_GROUP_NAME -o tsv

Disallow SSH to the cluster nodes

Even though GKE on Azure doesn't allow traffic on port 22 on any node by default, customers can update NetworkSecurityGroup rules to node pools, enabling inbound SSH traffic from the public internet.

We strongly recommend that you review the Network Security Groups (NSGs) associated with your Kubernetes clusters. If an NSG rule exists that allows unrestricted inbound traffic on port 22 (SSH), do one of the following:

• Remove the rule entirely: If SSH access to the cluster nodes isn't required from the internet, remove the rule to eliminate potential attack vectors.
• Scope down the rule: Restrict inbound access on port 22 to only the specific IP addresses or ranges that require it. This minimizes the exposed surface for potential attacks.

Convert public node pools to private

To best protect clusters with public nodes, we recommend first disallowing SSH through your security group, as described in the previous section. If you can't disallow SSH through the security group rules, you can convert public node pools to private by removing the public IP addresses associated with the VMs.

To remove a public IP address from a VM and replace it with a private IP address configuration, see Dissociate a public IP address from a an Azure VM.

Impact: Any existing connections using the public IP address will be disrupted. Ensure that you have alternative access methods in place, like a VPN or Azure Bastion.

2024-07-02 Update: The original version of this bulletin for GDC software for bare metal incorrectly stated that patch versions were in progress. GDC software for bare metal is not directly affected because it doesn't manage the operating system SSH daemon or configuration. Patch versions are therefore the responsibility of the operating system provider, as described in the What should I do? section.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

What should I do?

2024-07-02 Update: Contact your OS provider to obtain a patch for the operating systems in use with GDC software for bare metal.

Until you've applied the OS vendor patch, ensure that public reachable machines don't allow SSH connections from the internet. If that isn't possible, an alternative is to set the LoginGraceTime to zero and restart the sshd server:

grep "^LoginGraceTime" /etc/ssh/sshd_config
            LoginGraceTime 0

Note that this configuration change might increase the risk of denial of service attacks and may cause issues with legitimate SSH access.

Original 2024-07-01 text (see the preceding 2024-07-02 update for a correction):

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-20 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1051000
• 1.28.12-gke.1052000
• 1.29.7-gke.1174000
• 1.30.3-gke.1225000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1360000
• 1.27.14-gke.1022000
• 1.28.9-gke.1289000
• 1.29.5-gke.1010000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

What should I do?

2024-09-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.400
• 1.28.900

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-06 Update: Added patch versions for Ubuntu node pools on GKE.

The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.15-gke.1252000
• 1.28.11-gke.1260000
• 1.29.6-gke.1326000
• 1.30.2-gke.1394003

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1360000
• 1.27.14-gke.1022000
• 1.28.9-gke.1289000
• 1.29.5-gke.1010000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

What should I do?

2024-09-17 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.400
• 1.28.800
• 1.16.11

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.9-gke.1209000
• 1.29.4-gke.1542000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000
• 1.30.2-gke.1394000

The following version of GKE is updated with code to fix this vulnerability on Container-Optimized OS. Upgrade your Container-Optimized OS node pools to the following patch version or later:

• 1.27.15-gke.1125000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.9-gke.1209000
• 1.29.4-gke.1542000

The following minor versions are affected but don't have a patch version available. We'll update this bulletin when patch versions are available:

• 1.26
• 1.27

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-10 Update: The following versions of GKE are updated with code to fix this vulnerability. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1444000
• 1.27.14-gke.1096000
• 1.28.10-gke.1148000
• 1.29.5-gke.1041001
• 1.30.1-gke.1156001

For minor versions 1.26 and 1.27, upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1404002
• 1.27.14-gke.1059002

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1381000
• 1.27.14-gke.1022000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

What should I do?

2024-09-26 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.28.900-gke.113
• 1.29.400-gke.8

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE isn't affected by this vulnerability. No action is required.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE on VMware doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE on VMware isn't affected by this vulnerability. No action is required.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE on AWS doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE on AWS isn't affected by this vulnerability. No action is required.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE on Azure doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE on Azure isn't affected by this vulnerability. No action is required.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE on Bare Metal doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE on Bare Metal isn't affected by this vulnerability. No action is required.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000
• 1.30.2-gke.1394000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.13-gke.1166000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-19 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1051000
• 1.28.12-gke.1052000
• 1.29.7-gke.1174000
• 1.30.3-gke.1225000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.13-gke.1166000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-05-22 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.26.15-gke.1300000
• 1.27.13-gke.1011000
• 1.28.9-gke.1209000
• 1.29.4-gke.1542000
• 1.30.0-gke.1712000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.16-gke.1596000
• 1.26.14-gke.1076000
• 1.27.11-gke.1202000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1300000
• 1.28.9-gke.1209000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

2024-05-09 Update: Corrected severity from Medium to High. The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-05-15 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.26.15-gke.1323000
• 1.27.13-gke.1206000
• 1.28.10-gke.1000000
• 1.29.3-gke.1282004
• 1.30.0-gke.1584000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.8-gke.1067000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

What should I do?

2024-09-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.28.600
• 1.16.9

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

2024-05-09 Update: Corrected severity from Medium to High.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-06 Update: Added patch versions for Ubuntu node pools on GKE.

The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.15-gke.1252000
• 1.28.11-gke.1260000
• 1.29.6-gke.1326000
• 1.30.2-gke.1394003

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.8-gke.1067000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000
• 1.30.2-gke.1394000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.16-gke.1759000
• 1.26.15-gke.1158000
• 1.27.12-gke.1190000
• 1.28.8-gke.1175000
• 1.29.3-gke.1282000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected.

GKE Autopilot and Standard clusters are affected.

What should I do?

2024-04-24 Update: Added patch versions for GKE.

The following versions of GKE include the Golang security patches to fix this vulnerability. Upgrade your GKE clusters to the following versions or later:

• 1.25.16-gke.1759000
• 1.26.15-gke.1158000
• 1.27.12-gke.1190000
• 1.28.8-gke.1175000
• 1.29.3-gke.1282000

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

Mitigate by configuring authorized networks for control plane access:

You can mitigate your clusters from this class of attacks by configuring authorized networks. Follow the instructions to enable authorized networks for an existing cluster.

To learn more about how authorized networks control access to the control plane, see How authorized networks work. To see the default authorized network access, view the table in the Access to control plane endpoints section.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

2024-07-17 Update: Added patch versions for GKE on VMware.

The following versions of GKE on VMware include code to fix this vulnerability. Upgrade your GKE on VMware clusters to the following versions or later:

• 1.29.0
• 1.28.500
• 1.16.8

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on VMware versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on AWS versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on Azure versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

2024-07-09 Update: Added patch versions for GKE on Bare Metal.

The following versions of GKE on Bare Metal include code to fix this vulnerability. Upgrade your GKE on Bare Metal clusters to the following versions or later:

• 1.29.100
• 1.28.600
• 1.16.9

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on Bare Metal versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-05-06 Update: The following versions of GKE are updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to the following versions or later.

• 1.26.15-gke.1158000
• 1.27.12-gke.1190000
• 1.28.8-gke.1175000
• 1.29.3-gke.1093000

2024-04-04 Update: Corrected minimum versions for GKE Container-Optimized OS node pools.

The minimum GKE versions containing the Container-Optimized OS fixes listed previously were incorrect. The following versions of GKE are updated with code to fix this vulnerability on Container-Optimized OS. Upgrade your Container-Optimized OS node pools to the following versions or later:

• 1.25.16-gke.1520000
• 1.26.13-gke.1221000
• 1.27.10-gke.1243000
• 1.28.8-gke.1083000
• 1.29.3-gke.1054000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.16-gke.1518000
• 1.26.13-gke.1219000
• 1.27.10-gke.1240000
• 1.28.6-gke.1433000
• 1.29.1-gke.1716000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1014001
• 1.27.3-gke.1001002
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.3-gke.1001002
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.10-gke.1149000
• 1.28.6-gke.1274000
• 1.29.1-gke.1388000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1412001
• 1.26.6-gke.1017002
• 1.27.10-gke.1055001
• 1.28.6-gke.1276000
• 1.29.1-gke.1392000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.17-gke.2364001
• 1.25.16-gke.1229000
• 1.26.6-gke.1017002
• 1.27.3-gke.1001003
• 1.28.5-gke.1194000
• 1.29.0-gke.1340000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1412001
• 1.26.6-gke.1017002
• 1.27.10-gke.1055001
• 1.28.6-gke.1276000
• 1.29.1-gke.1221000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.17-gke.2364001
• 1.25.16-gke.1229000
• 1.26.6-gke.1017002
• 1.27.3-gke.1001003
• 1.28.5-gke.1194000
• 1.29.0-gke.1340000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1412001
• 1.26.6-gke.1017002
• 1.27.10-gke.1055001
• 1.28.6-gke.1276000
• 1.29.1-gke.1221000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

What should I do?

2024-04-17 Update: Added patch versions for GKE on VMware.

The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

• 1.28.200
• 1.16.6
• 1.15.10

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE Standard clusters running Windows Server nodes and using an in-tree storage plugin might be affected.

GKE Autopilot clusters and GKE node pools using GKE Sandbox are not affected because they do not support Windows Server nodes.

What should I do?

Determine if you have Windows Server nodes in use on your clusters:

kubectl get nodes -l kubernetes.io/os=windows

Check audit logs for evidence of exploitation. Kubernetes audit logs can be audited to determine if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.

Update your GKE cluster and node pools to a patched version. The following versions of GKE have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE versions or later:

• 1.24.17-gke.6100
• 1.25.15-gke.2000
• 1.26.10-gke.2000
• 1.27.7-gke.2000
• 1.28.3-gke.1600

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

What vulnerabilities are addressed by this patch?

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on VMware clusters running Windows Server nodes and using an in-tree storage plugin might be affected.

What should I do?

Determine if you have Windows Server nodes in use on your clusters:

kubectl get nodes -l kubernetes.io/os=windows

Check audit logs for evidence of exploitation. Kubernetes audit logs can be audited to determine if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.

Update your GKE on VMware cluster and node pools to a patched version. The following versions of GKE on VMware have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE on VMware versions or later:

• 1.28.100-gke.131
• 1.16.5-gke.28
• 1.15.8-gke.41

What vulnerabilities are addressed by this patch?

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on AWS clusters aren't affected.

What should I do?

No action required

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on Azure clusters aren't affected.

What should I do?

No action required

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on Bare Metal clusters aren't affected.

What should I do?

No action required

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-02-28 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1537000
• 1.26.14-gke.1006000

2024-02-15 Update: Due to an issue, the following Ubuntu patch versions from the 2024-02-14 update might cause your nodes to enter an unhealthy state. Don't upgrade to the following patch versions. We'll update this bulletin when newer patch versions for Ubuntu are available for 1.25 and 1.26.

• 1.25.16-gke.1497000
• 1.26.13-gke.1189000

If you already upgraded to one of these patch versions, manually downgrade your node pool to an earlier version in your release channel.

2024-02-14 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1497000
• 1.26.13-gke.1189000
• 1.27.10-gke.1207000
• 1.28.6-gke.1369000
• 1.29.1-gke.1575000

2024-02-06 Update: The following versions of GKE have been updated with code to fix this vulnerability in Container-Optimized OS. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Container-Optimized OS node pools to one of the following GKE versions or later:

• 1.25.16-gke.1460000
• 1.26.13-gke.1144000
• 1.27.10-gke.1152000
• 1.28.6-gke.1289000
• 1.29.1-gke.1425000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

We're updating GKE with code to fix this vulnerability. We'll update this bulletin when patch versions are available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

2024-03-06 Update: The following versions of GKE on VMware have been updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

• 1.28.200
• 1.16.6
• 1.15.9

Patch versions and a severity assessment for GKE on VMware are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

2024-05-06 Update: The following versions of GKE on AWS have been updated with patches for CVE-2024-21626:

• 1.28.5-gke.1200
• 1.27.10-gke.500
• 1.26.13-gke.400

Patch versions and a severity assessment for GKE on AWS are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

2024-05-06 Update: The following versions of GKE on Azure have been updated with patches for CVE-2024-21626:

• 1.28.5-gke.1200
• 1.27.10-gke.500
• 1.26.13-gke.400

Patch versions and a severity assessment for GKE on Azure are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods might be able to gain full access to the node filesystem.

What should I do?

2024-04-02 Update: The following versions of GKE on Bare Metal have been updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

• 1.28.200-gke.118
• 1.16.6
• 1.15.10

Patch versions and a severity assessment for GKE on Bare Metal are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-02-07 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1458000
• 1.26.13-gke.1143000
• 1.27.10-gke.1152000
• 1.28.6-gke.1276000
• 1.29.1-gke.1221000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.16-gke.1229000
• 1.26.12-gke.1087000
• 1.27.3-gke.1001003
• 1.28.5-gke.1194000
• 1.29.0-gke.1340000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

2024-01-26 Update: Security research that found a small number of GKE clusters with a customer-created misconfiguration involving the system:authenticated group has now been published. The researcher's blog post refers to 1,300 clusters with some misconfigured bindings, and 108 with high privileges. We have worked closely with impacted customers to notify them and assist with removing their misconfigured bindings.

We have identified several clusters where users have granted Kubernetes privileges to the system:authenticated group, which includes all users with a Google account. These types of bindings are not recommended, as they violate the principle of least privilege and grant access to very large groups of users. See guidance under 'What should I do' for instructions on how to find these types of bindings.

Recently, a security researcher reported findings of clusters with RBAC misconfigurations through our vulnerability reporting program.

Google's approach to authentication is to make authenticating to Google Cloud and GKE as simple and secure as possible without adding complex configuration steps. Authentication just tells us who the user is; Authorization is where access is determined. So the system:authenticated group in GKE that contains all users authenticated through Google's identity provider is working as intended and functions in the same way as the IAM allAuthenticatedUsers identifier.

With this in mind we've taken several steps to reduce the risk of users making authorization errors with the Kubernetes built-in users and groups, including system:anonymous, system:authenticated, and system:unauthenticated. All of these users/groups represent a risk to the cluster if granted permissions. We discussed some of the attacker activity targeting RBAC misconfigurations and available defenses at Kubecon in November 2023.

To protect users from accidental authorization errors with these system users/groups, we have:

• By default blocked new bindings of the highly privileged ClusterRole cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated in GKE version 1.28.
• Built detection rules into Event Threat Detection (GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING) as part of Security Command Center.
• Built configurable prevention rules into Policy Controller with K8sRestrictRoleBindings.
• Sent email notifications to all GKE users with bindings to these users/groups asking them to review their configuration.
• Built network authorization features and made recommendations to restrict network access to clusters as a first layer of defense.
• Raised awareness about this issue through a talk at Kubecon in November 2023.

Clusters that apply authorized networks restrictions have a first layer of defense: they cannot be attacked directly from the Internet. But we still recommend removing these bindings for defense in depth and to guard against errors in network controls.
Note there are a number of cases where bindings to Kubernetes system users or groups are used intentionally: e.g. for kubeadm bootstrapping, the Rancher dashboard and Bitnami sealed secrets. We have confirmed with those software vendors that those bindings are working as intended.

We are investigating ways we can further protect against user RBAC misconfiguration with these system users/groups through prevention and detection.

What should I do?

To prevent any new bindings of cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated users can upgrade to GKE v1.28 or later (release notes), where creation of those bindings are blocked.

Existing bindings should be reviewed following this guidance.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.7-gke.1063001
• 1.28.5-gke.1194000
• 1.29.0-gke.1340000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

What should I do?

2024-02-20 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later: 1.28.100

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1014001
• 1.27.3-gke.1001002
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1014001
• 1.27.3-gke.1001002
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1014001
• 1.27.3-gke.1001002
• 1.28.1-gke.1002003

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.12-gke.900
• 1.26.5-gke.1014001
• 1.27.4-gke.400
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.12-gke.900
• 1.26.5-gke.1014001
• 1.27.4-gke.900
• 1.28.1-gke.1050000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.4-gke.400
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.12-gke.900
• 1.26.5-gke.1014001
• 1.27.4-gke.900
• 1.28.1-gke.1050000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Cloud Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster. The issues with Fluent Bit and Cloud Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise. We are not aware of any instances of exploitation of these vulnerabilities.

These issues were reported through our Vulnerability Reward Program.

What should I do?

The following versions of GKE have been updated with code to fix these vulnerabilities in Fluent Bit and for users of managed Cloud Service Mesh. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:

• 1.25.16-gke.1020000
• 1.26.10-gke.1235000
• 1.27.7-gke.1293000
• 1.28.4-gke.1083000

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are being addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to compromise the Fluent Bit logging container. We are not aware of any existing vulnerabilities in Fluent Bit that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future

GKE uses Fluent Bit to process logs for workloads running on clusters. Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node. The researcher used this access to discover a highly privileged service account token for clusters that have Cloud Service Mesh enabled.

Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges

We have removed Fluent Bit's access to the service account tokens and have redesigned the functionality of Cloud Service Mesh to remove excess privileges.

Only GKE on VMware clusters using Cloud Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges.

Only GKE on AWS clusters using Cloud Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges.

Only GKE on Azure clusters using Cloud Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges.

Only GKE on Bare Metal clusters using Cloud Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-01-22 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.17-gke.2472000
• 1.25.16-gke.1268000
• 1.26.12-gke.1111000
• 1.27.9-gke.1092000
• 1.28.5-gke.1217000
• 1.29.0-gke.138100

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.17-gke.2113000
• 1.25.14-gke.1421000
• 1.25.15-gke.1083000
• 1.26.10-gke.1073000
• 1.27.7-gke.1088000
• 1.28.3-gke.1203000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

What should I do?

2024-03-04 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

• 1.28.200
• 1.16.5
• 1.15.8

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.13-gke.1002003
• 1.26.9-gke.1514000
• 1.27.6-gke.1513000
• 1.28.2-gke.1164000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.16-gke.1005001
• 1.25.13-gke.1002003
• 1.26.9-gke.1548000
• 1.27.7-gke.1039000
• 1.28.3-gke.1061000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

What should I do?

There is no action required. GKE on Bare Metal aren't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

GKE Standard clusters are impacted. GKE Autopilot clusters aren't impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2023-11-15 Update: You only need to upgrade to one of the patched versions that are listed in this bulletin if you use that minor version in your nodes. For example, if you use GKE version 1.27, you should upgrade to the corresponding patched version. However, if you use GKE version 1.24, you don't need to upgrade to a patched version.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.27.5-gke.200
• 1.28.2-gke.1157000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.25.14-gke.1421000
• 1.26.9-gke.1437000
• 1.27.6-gke.1248000
• 1.28.2-gke.1157000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patched version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

What should I do?

There is no action required. GKE on Bare Metal aren't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-12-05 Update: Some GKE versions were previously missing. The following is an updated list of GKE versions that you can update your Container-Optimized OS to:

• 1.24.17-gke.200 or later
• 1.25.13-gke.200 or later
• 1.26.8-gke.200 or later
• 1.27.4-gke.2300 or later
• 1.28.1-gke.1257000 or later

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.27.4-gke.2300
• 1.28.1-gke.1257000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.13-gke.700
• 1.26.8-gke.700
• 1.27.5-gke.700
• 1.28.1-gke.1050000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.14-gke.1351000
• 1.26.9-gke.1345000
• 1.27.6-gke.1389000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.17-gke.2186000
• 1.25.15-gke.1016000
• 1.26.9-gke.1548000
• 1.27.6-gke.1551000
• 1.28.2-gke.1256000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.14-gke.1351000
• 1.26.9-gke.1345000
• 1.27.5-gke.1647000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.17-gke.2186000
• 1.25.15-gke.1016000
• 1.26.9-gke.1548000
• 1.27.6-gke.1551000
• 1.28.2-gke.1256000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.14-gke.1351000
• 1.26.9-gke.1345000
• 1.27.6-gke.1389000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.17-gke.2186000
• 1.25.15-gke.1016000
• 1.26.9-gke.1548000
• 1.27.6-gke.1551000
• 1.28.2-gke.1256000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.27.5-gke.1647000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.13-gke.700
• 1.26.8-gke.700
• 1.27.5-gke.700
• 1.28.1-gke.1050000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.13-gke.1008000
• 1.26.8-gke.1647000
• 1.27.5-gke.200

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.13-gke.1706000
• 1.26.8-gke.1647000
• 1.27.5-gke.1648000
• 1.28.1-gke.1050000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN. GKE Sandbox workloads are also not impacted.

Autopilot clusters are impacted.

Clusters that use GKE Sandbox are impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.16-gke.2200
• 1.25.12-gke.2200
• 1.26.7-gke.2200
• 1.27.4-gke.2300

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.17-gke.700
• 1.25.13-gke.700
• 1.26.8-gke.700
• 1.27.5-gke.700
• 1.28.0-gke.100

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

What should I do?

There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution.

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected.

What should I do?

2023-11-09 Update: We have released new versions of GKE that include the Go and Kubernetes security patches, which you can update your clusters to now. In the coming weeks we will release additional changes to the GKE control plane to further mitigate this issue.

The following GKE versions have been updated with patches for CVE-2023-44487 and CVE-2023-39325:

• 1.24.17-gke.2155000
• 1.25.14-gke.1474000
• 1.26.10-gke.1024000
• 1.27.7-gke.1038000
• 1.28.3-gke.1090000

We recommend that you apply the following mitigation as soon as possible and upgrade to the latest patched version when available.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane, and also make the patches visible within GKE GKE security posture when available for your cluster. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications.

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release specific channel.

Mitigate by configuring authorized networks for control plane access:

You can add authorized networks for existing clusters. To learn more see, authorized network for existing clusters.

In addition to the authorized networks you add, there are preset IP addresses that can access the GKE control plane. To learn more about these addresses, see Access to control plane endpoints. The following items summarize the cluster isolation:

• Private clusters with --master-authorized-networks and PSC-based clusters with --master-authorized-networks and --no-enable-google-cloud configured are the most isolated.
• Legacy public clusters with --master-authorized-networks and PSC-based clusters with --master-authorized-networks and --enable-google-cloud (default) configured are additionally accessible by the following:
  • Public IP addresses of all Compute Engine VMs in Google Cloud
  • Google Cloud platform IP addresses

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on GKE control plane nodes.