Security bulletins

All security bulletins for the following products are described in this page:

  • Google Kubernetes Engine (GKE)
  • GKE on VMware
  • GKE on AWS
  • GKE on Azure
  • GKE on Bare Metal

Vulnerabilities are often kept secret under embargo until affected parties have had a chance to address them. In these cases, the product's release notes will refer to "security updates" until the embargo has been lifted. At that point the notes will be updated to reflect the vulnerability the patch addressed.

When GKE issues a security bulletin that directly correlates to your cluster configuration or version, we might send you a SecurityBulletinEvent cluster notification that provides information about the vulnerability and actions that you can take, if applicable. For information about setting up cluster notifications, refer to Cluster notifications.

For more information on how Google manages security vulnerabilities and patches for GKE and GKE Enterprise, see Security patching.

GKE and GKE Enterprise platforms don't use components such as ingress-nginx and the CRI-O container runtime, and are unaffected by any vulnerabilities in those components. If you install components from other sources, refer to the security updates and patching advice of those components at the source.

Use this XML feed to subscribe to security bulletins for this page.

GCP-2024-013

Published: 2024-02-23
Reference: CVE-2023-3610

GKE

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-3610

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.27.3-gke.1001002
  • 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.24.14-gke.1027001
  • 1.25.10-gke.1027001
  • 1.26.5-gke.1021001
  • 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High
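A way to check node pools against a bulletin's patch list, added here as an example and not part of the bulletin itself: the script parses GKE version strings, looks up the fixed version for the node pool's minor and image family, and reports whether the pool is at or past it. The GCP-2024-013 lists above are embedded as data. The node pool records are constructed to match the shape of `gcloud container node-pools list --format=json` (fields `version` and `config.imageType`); the mapping of image types to COS or Ubuntu by prefix, and the rule that a higher `-gke.N` build within the same patch counts as "later", are this example's assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# A GKE version string looks like "1.27.10-gke.1149000": Kubernetes
# MAJOR.MINOR.PATCH followed by a GKE build number.
_GKE_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")

# Patch versions named as fixed by GCP-2024-013 (taken from the bulletin text).
GCP_2024_013 = {
    "cos": ["1.27.3-gke.1001002", "1.28.0-gke.100"],
    "ubuntu": [
        "1.24.14-gke.1027001",
        "1.25.10-gke.1027001",
        "1.26.5-gke.1021001",
        "1.27.3-gke.1001002",
    ],
}


def parse_gke_version(version: str) -> Tuple[int, int, int, int]:
    """Turn "MAJOR.MINOR.PATCH-gke.BUILD" into a tuple that compares in release order."""
    m = _GKE_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"not a GKE version string: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def minor_of(version: str) -> str:
    major, minor, _patch, _build = parse_gke_version(version)
    return f"{major}.{minor}"


def image_family(image_type: str) -> Optional[str]:
    """Map a gcloud imageType (COS_CONTAINERD, UBUNTU_CONTAINERD, ...) to the
    bulletin's image families. Assumption of this example: the prefix identifies the family."""
    t = image_type.upper()
    if t.startswith("COS"):
        return "cos"
    if t.startswith("UBUNTU"):
        return "ubuntu"
    return None  # e.g. WINDOWS_*: not covered by this bulletin


def node_pool_status(version: str, image_type: str, patched: Dict[str, List[str]]) -> str:
    """Classify one node pool against a bulletin's fixed patch versions.

    Returns:
      "fixed"       version is the listed patch for its minor, or a later build
      "vulnerable"  same minor as a listed patch but older
      "unlisted"    the bulletin names no patch for this minor on this image family
      "n/a"         image family not covered by the bulletin
    "Later" is read as the bulletins read it: a higher patch, or the same patch
    with a higher -gke build number.
    """
    family = image_family(image_type)
    if family is None or family not in patched:
        return "n/a"
    current = parse_gke_version(version)
    fixes = {minor_of(v): parse_gke_version(v) for v in patched[family]}
    fix = fixes.get(minor_of(version))
    if fix is None:
        return "unlisted"
    return "fixed" if current >= fix else "vulnerable"


def audit_node_pools(pools: List[Dict], patched: Dict[str, List[str]]) -> Dict[str, str]:
    """Classify each record of `gcloud container node-pools list --format=json` output."""
    return {
        p["name"]: node_pool_status(p["version"], p["config"]["imageType"], patched)
        for p in pools
    }


# Constructed sample in the shape gcloud returns (not real cluster output).
SAMPLE_NODE_POOLS = [
    {"name": "default-pool", "version": "1.27.3-gke.1001002", "config": {"imageType": "COS_CONTAINERD"}},
    {"name": "batch", "version": "1.27.2-gke.1200", "config": {"imageType": "COS_CONTAINERD"}},
    {"name": "legacy", "version": "1.26.5-gke.1021001", "config": {"imageType": "UBUNTU_CONTAINERD"}},
    {"name": "old-cos", "version": "1.26.5-gke.1021001", "config": {"imageType": "COS_CONTAINERD"}},
    {"name": "win", "version": "1.27.3-gke.1001002", "config": {"imageType": "WINDOWS_LTSC_CONTAINERD"}},
]

if __name__ == "__main__":
    # Real use: gcloud container node-pools list --cluster CLUSTER --location LOCATION --format=json
    for name, status in audit_node_pools(SAMPLE_NODE_POOLS, GCP_2024_013).items():
        print(f"{name:14} {status}")
```

"unlisted" means the bulletin names no patch version for that minor on that image family, so the script cannot classify it; check the release notes for that minor rather than treating it as fixed. Swap in the lists from any other kernel bulletin on this page to reuse the check.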

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-3610

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-3610

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-3610

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-3610

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2024-012

Published: 2024-02-20
Reference: CVE-2024-0193

GKE

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.27.10-gke.1149000
  • 1.28.6-gke.1274000
  • 1.29.1-gke.1388000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.25.16-gke.1412001
  • 1.26.6-gke.1017002
  • 1.27.10-gke.1055001
  • 1.28.6-gke.1276000
  • 1.29.1-gke.1392000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2024-011

Published: 2024-02-15
Reference: CVE-2023-6932

GKE

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.24.17-gke.2364001
  • 1.25.16-gke.1229000
  • 1.26.6-gke.1017002
  • 1.27.3-gke.1001003
  • 1.28.5-gke.1194000
  • 1.29.0-gke.1340000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.25.16-gke.1412001
  • 1.26.6-gke.1017002
  • 1.27.10-gke.1055001
  • 1.28.6-gke.1276000
  • 1.29.1-gke.1221000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2024-010

Published: 2024-02-14
Reference: CVE-2023-6931

GKE

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6931

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.24.17-gke.2364001
  • 1.25.16-gke.1229000
  • 1.26.6-gke.1017002
  • 1.27.3-gke.1001003
  • 1.28.5-gke.1194000
  • 1.29.0-gke.1340000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.25.16-gke.1412001
  • 1.26.6-gke.1017002
  • 1.27.10-gke.1055001
  • 1.28.6-gke.1276000
  • 1.29.1-gke.1221000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6931

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6931

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6931

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6931

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2024-008

Published: 2024-02-12
Reference: CVE-2023-5528

GKE

Description Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE Standard clusters running Windows Server nodes and using an in-tree storage plugin might be affected.

GKE Autopilot clusters and GKE node pools using GKE Sandbox are not affected because they do not support Windows Server nodes.

What should I do?

Determine if you have Windows Server nodes in use on your clusters:

kubectl get nodes -l kubernetes.io/os=windows

Check Kubernetes audit logs for evidence of exploitation. PersistentVolume create events whose local volume path field contains special characters are a strong indication that this vulnerability is being exploited.

Update your GKE cluster and node pools to a patched version. The following versions of GKE have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE versions or later:

  • 1.24.17-gke.6100
  • 1.25.15-gke.2000
  • 1.26.10-gke.2000
  • 1.27.7-gke.2000
  • 1.28.3-gke.1600

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

What vulnerabilities are addressed by this patch?

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

High
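The audit-log check described under "What should I do?" above, as an added example that is not part of the bulletin: it reads Kubernetes audit events (audit.k8s.io/v1, one JSON object per line) and flags PersistentVolume create requests whose `spec.local.path` contains characters outside a conservative allowlist, the indicator the bulletin names. Events recorded below the Request audit level carry no request object, so the path cannot be inspected; those are reported separately rather than passed silently. The sample events are constructed, and the allowlist of "normal" path characters is the example's own assumption. On GKE the Kubernetes audit log is delivered through Cloud Audit Logs in a different envelope, so the field extraction would need adapting there.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# Characters accepted in a Windows local-volume path: letters, digits, drive
# colon, separators, dots, dashes, underscores, spaces. Anything else (quotes,
# $ ( ) ; | & backtick, newlines, ...) is flagged. Assumption of this example.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_\-\. :\\/]+$")


def suspicious_pv_create(event: Dict) -> Optional[str]:
    """Return a reason if an audit event is a PersistentVolume create worth a look, else None."""
    if event.get("verb") != "create":
        return None
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "persistentvolumes":
        return None
    body = event.get("requestObject")
    if body is None:
        # Logged below the Request audit level: the object is not in the event,
        # so the path cannot be checked here. Surface it instead of ignoring it.
        return "PersistentVolume create without requestObject; inspect the PV itself"
    local = (body.get("spec") or {}).get("local") or {}
    path = local.get("path")
    if path is None:
        return None  # not a local volume; the CVE concerns local volumes on Windows nodes
    if not _SAFE_PATH.match(path):
        return f"local.path contains unexpected characters: {path!r}"
    return None


def scan_audit_log(lines: Iterable[str]) -> List[Dict]:
    """Run suspicious_pv_create over JSON-lines audit output and collect findings."""
    findings: List[Dict] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit event line
        reason = suspicious_pv_create(ev)
        if reason is None:
            continue
        findings.append({
            "line": n,
            "auditID": ev.get("auditID"),
            "user": (ev.get("user") or {}).get("username"),
            "pv": (ev.get("objectRef") or {}).get("name"),
            "reason": reason,
        })
    return findings


def _event(audit_id, verb, resource, name, user, level="RequestResponse", request_object=None):
    """Build a constructed audit.k8s.io/v1 event for the sample below."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": level,
        "auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "apiVersion": "v1", "name": name},
    }
    if request_object is not None:
        ev["requestObject"] = request_object
    return ev


# Constructed sample log; not real cluster data.
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in (
    _event("a1", "create", "persistentvolumes", "pv-data", "alice",
           request_object={"kind": "PersistentVolume", "spec": {"local": {"path": "C:\\data\\pv-data"}}}),
    _event("a2", "create", "persistentvolumes", "pv-x", "mallory",
           request_object={"kind": "PersistentVolume", "spec": {"local": {"path": "C:\\data\\pv$(x)"}}}),
    _event("a3", "create", "pods", "web", "alice",
           request_object={"kind": "Pod", "spec": {}}),
    _event("a4", "create", "persistentvolumes", "pv-meta", "bob", level="Metadata"),
    _event("a5", "create", "persistentvolumes", "pv-host", "alice",
           request_object={"kind": "PersistentVolume", "spec": {"hostPath": {"path": "C:\\data"}}}),
)]

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(finding)
```

Because PersistentVolumes are cluster-scoped, the `user` field of a hit is the thing to chase: any principal creating local PVs with odd paths should have a documented reason, and on a cluster with Windows nodes the bulletin's upgrade should be applied regardless of whether a hit is found.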

GKE on VMware

Description Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on VMware clusters running Windows Server nodes and using an in-tree storage plugin might be affected.

What should I do?

Determine if you have Windows Server nodes in use on your clusters:

kubectl get nodes -l kubernetes.io/os=windows

Check Kubernetes audit logs for evidence of exploitation. PersistentVolume create events whose local volume path field contains special characters are a strong indication that this vulnerability is being exploited.

Update your GKE on VMware cluster and node pools to a patched version. The following versions of GKE on VMware have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE on VMware versions or later:

  • 1.28.100-gke.131
  • 1.16.5-gke.28
  • 1.15.8-gke.41

What vulnerabilities are addressed by this patch?

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

High

GKE on AWS

Description Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on AWS clusters aren't affected.

What should I do?

No action required

None

GKE on Azure

Description Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on Azure clusters aren't affected.

What should I do?

No action required

None

GKE on Bare Metal

Description Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on Bare Metal clusters aren't affected.

What should I do?

No action required

None

GCP-2024-005

Published: 2024-01-31
Updated: 2024-02-15
Reference: CVE-2024-21626

2024-02-15 Update: Clarified that the 1.25 and 1.26 Ubuntu patch versions in the 2024-02-14 update might cause unhealthy nodes.
2024-02-14 Update: Added patch versions for Ubuntu
2024-02-06 Update: Added patch versions for Container-Optimized OS.

GKE

Updated: 2024-02-15

Description Severity

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-02-15 Update: Due to an issue, the following Ubuntu patch versions from the 2024-02-14 update might cause your nodes to enter an unhealthy state. Don't upgrade to the following patch versions. We'll update this bulletin when newer patch versions for Ubuntu are available for 1.25 and 1.26.

  • 1.25.16-gke.1497000
  • 1.26.13-gke.1189000

If you already upgraded to one of these patch versions, manually downgrade your node pool to an earlier version in your release channel.


2024-02-14 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.25.16-gke.1497000
  • 1.26.13-gke.1189000
  • 1.27.10-gke.1207000
  • 1.28.6-gke.1369000
  • 1.29.1-gke.1575000

2024-02-06 Update: The following versions of GKE have been updated with code to fix this vulnerability in Container-Optimized OS. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Container-Optimized OS node pools to one of the following GKE versions or later:

  • 1.25.16-gke.1460000
  • 1.26.13-gke.1144000
  • 1.27.10-gke.1152000
  • 1.28.6-gke.1289000
  • 1.29.1-gke.1425000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.


We're updating GKE with code to fix this vulnerability. We'll update this bulletin when patch versions are available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

High
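Two of the conditions this page keeps returning to can be read straight from Pod specs: the Autopilot caveat in the kernel bulletins (a Pod that explicitly sets the seccomp `Unconfined` profile or adds `NET_ADMIN`) and, for CVE-2024-21626, a container `workingDir` that points into a process's `/proc/.../fd` table, which is how the leaked descriptors described above were reachable. The following is an added example, not code from the bulletins or from runc: it walks the containers of a `kubectl get pods -A -o json` listing and reports each finding. The sample Pods are constructed; the `/proc/<pid>/fd` pattern (taken from the runc advisory for this CVE, not from this page) and treating `ALL` as including NET_ADMIN are this example's assumptions.

```python
import re
from typing import Dict, Iterator, List

# Capability spellings that grant NET_ADMIN. Kubernetes manifests usually omit
# the CAP_ prefix; "ALL" adds every capability. Counting ALL is this example's choice.
_NET_ADMIN = {"NET_ADMIN", "CAP_NET_ADMIN", "ALL"}

# A workingDir pointing into a process's fd table: the shape the runc advisory
# for CVE-2024-21626 describes (an assumption of this example, not from the bulletin).
_PROC_FD = re.compile(r"^/proc/(self|thread-self|\d+)/fd(/|$)")


def _containers(pod_spec: Dict) -> Iterator[Dict]:
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(field) or []:
            yield c


def seccomp_type(pod_spec: Dict, container: Dict) -> str:
    """Effective seccompProfile.type: a container setting overrides the pod setting; "" if unset."""
    for sc in (container.get("securityContext") or {}, pod_spec.get("securityContext") or {}):
        prof = sc.get("seccompProfile") or {}
        if prof.get("type"):
            return prof["type"]
    return ""


def audit_pod(pod: Dict) -> List[str]:
    """Findings for one Pod object as returned by `kubectl get pod -o json`."""
    spec = pod.get("spec") or {}
    meta = pod.get("metadata") or {}
    pod_id = meta.get("namespace", "default") + "/" + meta.get("name", "?")
    findings: List[str] = []
    for c in _containers(spec):
        cid = pod_id + "/" + c.get("name", "?")
        if seccomp_type(spec, c) == "Unconfined":
            findings.append(cid + ": seccomp Unconfined set explicitly")
        caps = ((c.get("securityContext") or {}).get("capabilities") or {}).get("add") or []
        if _NET_ADMIN & {str(cap).upper() for cap in caps}:
            findings.append(cid + ": adds NET_ADMIN (or ALL)")
        wd = c.get("workingDir") or ""
        if _PROC_FD.match(wd):
            findings.append(cid + ": workingDir " + repr(wd) + " points into /proc/.../fd")
    return findings


def audit_pod_list(pod_list: Dict) -> List[str]:
    """Run audit_pod over a `kubectl get pods -A -o json` List object."""
    findings: List[str] = []
    for pod in pod_list.get("items") or []:
        findings.extend(audit_pod(pod))
    return findings


# Constructed sample listing; not real cluster data.
SAMPLE_POD_LIST = {
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "prod", "name": "web"},
         "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                  "containers": [{"name": "app", "image": "example/app"}]}},
        {"metadata": {"namespace": "net", "name": "router"},
         "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                  "containers": [{"name": "frr", "image": "example/frr",
                                  "securityContext": {"seccompProfile": {"type": "Unconfined"},
                                                      "capabilities": {"add": ["NET_ADMIN"]}}}]}},
        {"metadata": {"namespace": "ci", "name": "runner"},
         "spec": {"containers": [{"name": "job", "image": "example/job",
                                  "workingDir": "/proc/self/fd/7"}]}},
    ],
}

if __name__ == "__main__":
    # Real use: kubectl get pods -A -o json | python3 this_script.py  (after reading stdin)
    for line in audit_pod_list(SAMPLE_POD_LIST):
        print(line)
```

An unset seccomp profile produces no finding here; whether "unset" means RuntimeDefault or Unconfined depends on the cluster's kubelet defaults, which is why the Autopilot caveat speaks of explicitly setting the profile. The `workingDir` check is a spec-level indicator only: a patched runc rejects such a directory, so on unpatched nodes a hit is worth treating as an attempted escape, not a misconfiguration.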

GKE on VMware

Description Severity

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

Patch versions and a severity assessment for GKE on VMware are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

High

GKE on AWS

Description Severity

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

Patch versions and a severity assessment for GKE on AWS are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

High

GKE on Azure

Description Severity

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

Patch versions and a severity assessment for GKE on Azure are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

High

GKE on Bare Metal

Description Severity

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods might be able to gain full access to the node filesystem.

What should I do?

Patch versions and a severity assessment for GKE on Bare Metal are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

High

GCP-2024-004

Published: 2024-01-24
Updated: 2024-02-07
Reference: CVE-2023-6817

2024-02-07 Update: Added patch versions for Ubuntu.

GKE

Updated: 2024-02-07

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6817

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-02-07 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.25.16-gke.1458000
  • 1.26.13-gke.1143000
  • 1.27.10-gke.1152000
  • 1.28.6-gke.1276000
  • 1.29.1-gke.1221000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.25.16-gke.1229000
  • 1.26.12-gke.1087000
  • 1.27.3-gke.1001003
  • 1.28.5-gke.1194000
  • 1.29.0-gke.1340000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6817

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6817

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6817

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-6817

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2024-003

Published: 2024-01-19
Updated: 2024-01-26
2024-01-26 Update: Clarified the number of affected clusters and the actions that we took to help mitigate the impact.

GKE

Updated: 2024-01-26

Description Severity

2024-01-26 Update: Security research that found a small number of GKE clusters with a customer-created misconfiguration involving the system:authenticated group has now been published. The researcher's blog post refers to 1,300 clusters with some misconfigured bindings, and 108 with high privileges. We have worked closely with impacted customers to notify them and assist with removing their misconfigured bindings.


We have identified several clusters where users have granted Kubernetes privileges to the system:authenticated group, which includes all users with a Google account. These types of bindings are not recommended, as they violate the principle of least privilege and grant access to very large groups of users. See guidance under 'What should I do' for instructions on how to find these types of bindings.

Recently, a security researcher reported findings of clusters with RBAC misconfigurations through our vulnerability reporting program.

Google's approach to authentication is to make authenticating to Google Cloud and GKE as simple and secure as possible without adding complex configuration steps. Authentication only establishes who the user is; authorization is where access is determined. So the system:authenticated group in GKE, which contains all users authenticated through Google's identity provider, is working as intended and functions in the same way as the IAM allAuthenticatedUsers identifier.

With this in mind we've taken several steps to reduce the risk of users making authorization errors with the Kubernetes built-in users and groups, including system:anonymous, system:authenticated, and system:unauthenticated. All of these users/groups represent a risk to the cluster if granted permissions. We discussed some of the attacker activity targeting RBAC misconfigurations and available defenses at Kubecon in November 2023.

To protect users from accidental authorization errors with these system users/groups, we have:

  • By default blocked new bindings of the highly privileged ClusterRole cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated in GKE version 1.28.
  • Built detection rules into Event Threat Detection (GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING) as part of Security Command Center.
  • Built configurable prevention rules into Policy Controller with K8sRestrictRoleBindings.
  • Sent email notifications to all GKE users with bindings to these users/groups asking them to review their configuration.
  • Built network authorization features and made recommendations to restrict network access to clusters as a first layer of defense.
  • Raised awareness about this issue through a talk at Kubecon in November 2023.

Clusters that apply authorized networks restrictions have a first layer of defense: they cannot be attacked directly from the Internet. But we still recommend removing these bindings for defense in depth and to guard against errors in network controls.

Note that there are a number of cases where bindings to Kubernetes system users or groups are used intentionally: e.g. for kubeadm bootstrapping, the Rancher dashboard and Bitnami sealed secrets. We have confirmed with those software vendors that those bindings are working as intended.

We are investigating ways we can further protect against user RBAC misconfiguration with these system users/groups through prevention and detection.

What should I do?

To prevent any new bindings of cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated, upgrade to GKE v1.28 or later (release notes), where creation of those bindings is blocked.

Existing bindings should be reviewed following this guidance.

Medium
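The binding review this bulletin asks for, as an added example that is not part of the bulletin: it takes the JSON from `kubectl get clusterrolebindings -o json` and `kubectl get rolebindings -A -o json`, lists every binding whose subjects include `system:anonymous`, `system:authenticated` or `system:unauthenticated`, marks those that grant `cluster-admin`, and sets aside the ClusterRoleBindings that stock Kubernetes itself creates for these groups (`system:basic-user`, `system:discovery`, `system:public-info-viewer`). The sample bindings are constructed, and that allowlist is this example's assumption: the bulletin notes that some third-party software also binds these groups intentionally, so extend it only after confirming each case in your own cluster.

```python
from typing import Dict, Iterable, List, Set

# The built-in subjects the bulletin warns about, as (kind, name) pairs.
RISKY_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
}

# ClusterRoleBindings that stock Kubernetes creates for these groups (discovery
# and self-info only). This allowlist is an assumption of the example; the
# bulletin names other intentional uses (kubeadm, Rancher, sealed secrets), so
# confirm each case in your cluster rather than extending the set blindly.
EXPECTED_BINDINGS: Set[str] = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def load_bindings(*lists: Dict) -> List[Dict]:
    """Flatten the List objects from
    `kubectl get clusterrolebindings -o json` and `kubectl get rolebindings -A -o json`."""
    items: List[Dict] = []
    for lst in lists:
        items.extend(lst.get("items") or [])
    return items


def risky_bindings(bindings: Iterable[Dict], expected: Set[str] = EXPECTED_BINDINGS) -> List[Dict]:
    """Every binding whose subjects include one of RISKY_SUBJECTS, with context for triage."""
    out: List[Dict] = []
    for b in bindings:
        hits = [
            s.get("kind", "") + ":" + s.get("name", "")
            for s in (b.get("subjects") or [])
            if (s.get("kind"), s.get("name")) in RISKY_SUBJECTS
        ]
        if not hits:
            continue
        meta = b.get("metadata") or {}
        role = b.get("roleRef") or {}
        out.append({
            "kind": b.get("kind"),
            "namespace": meta.get("namespace"),  # None for a ClusterRoleBinding
            "name": meta.get("name"),
            "role": role.get("kind", "") + "/" + role.get("name", ""),
            "subjects": hits,
            "cluster_admin": role.get("kind") == "ClusterRole" and role.get("name") == "cluster-admin",
            "expected": b.get("kind") == "ClusterRoleBinding" and meta.get("name") in expected,
        })
    return out


def needs_review(bindings: Iterable[Dict]) -> List[Dict]:
    """Risky bindings not on the allowlist, cluster-admin grants first."""
    found = [f for f in risky_bindings(bindings) if not f["expected"]]
    return sorted(found, key=lambda f: not f["cluster_admin"])


# Constructed samples in the shape kubectl returns; not real cluster data.
SAMPLE_CRB = {"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops@example.com"}]},
]}
SAMPLE_RB = {"kind": "List", "items": [
    {"kind": "RoleBinding", "metadata": {"namespace": "team-a", "name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
]}

if __name__ == "__main__":
    for f in needs_review(load_bindings(SAMPLE_CRB, SAMPLE_RB)):
        flag = "CLUSTER-ADMIN" if f["cluster_admin"] else "review"
        print(flag, f["kind"], f["namespace"], f["name"], f["role"], f["subjects"])
```

A namespaced RoleBinding to these subjects is still worth removing even when it grants only `view`: the bulletin's point is that the group is every Google account, and the 1.28 block described above only stops new `cluster-admin` bindings, not narrower ones.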

GKE on VMware

No updates at this time.

GKE on AWS

No updates at this time.

GKE on Azure

No updates at this time.

GKE on Bare Metal

No updates at this time.

GCP-2024-002

Published: 2024-01-17
Updated: 2024-02-20
Reference: CVE-2023-6111

2024-02-20 Update: Added patch versions for GKE on VMware.

GKE

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

  • CVE-2023-6111

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.27.7-gke.1063001
  • 1.28.5-gke.1194000
  • 1.29.0-gke.1340000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Updated: 2024-02-20

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

  • CVE-2023-6111

What should I do?

2024-02-20 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

  • 1.28.100

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

  • CVE-2023-6111

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

  • CVE-2023-6111

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

  • CVE-2023-6111

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-051

Published: 2023-12-28
Reference: CVE-2023-3609

GKE

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3609

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.24.14-gke.1027001
  • 1.25.10-gke.1027001
  • 1.26.5-gke.1014001
  • 1.27.3-gke.1001002
  • 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.24.14-gke.1027001
  • 1.26.5-gke.1021001
  • 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High
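To check which node pools still need one of the patch versions listed above, here is an added Python example (not part of the bulletin or of any Google tooling) that compares each node pool's version against the CVE-2023-3609 lists for its image family; it assumes input shaped like `gcloud container node-pools list --format=json` (`version` and `config.imageType` fields), and the sample pools are constructed.

```python
"""Check GKE node pools against the patch versions in bulletin GCP-2023-051."""
import json
import re
import sys

# Patch versions from the CVE-2023-3609 bulletin, keyed by node image family.
# A minor version absent from a list is not listed as affected for that image.
PATCHED = {
    "COS": [
        "1.24.14-gke.1027001",
        "1.25.10-gke.1027001",
        "1.26.5-gke.1014001",
        "1.27.3-gke.1001002",
        "1.28.0-gke.100",
    ],
    "UBUNTU": [
        "1.24.14-gke.1027001",
        "1.26.5-gke.1021001",
        "1.27.3-gke.1001002",
    ],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_version(version):
    """Split '1.27.3-gke.1001002' into (1, 27, 3, 1001002)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a GKE version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def image_family(image_type):
    """Map a node pool imageType (COS_CONTAINERD, UBUNTU_CONTAINERD, ...) to a list."""
    if image_type.startswith("COS"):
        return "COS"
    if image_type.startswith("UBUNTU"):
        return "UBUNTU"
    return None


def minimum_versions(family):
    """Return {(major, minor): (patch, build)} for the family's patched versions."""
    table = {}
    for v in PATCHED[family]:
        major, minor, patch, build = parse_version(v)
        table[(major, minor)] = (patch, build)
    return table


def assess(version, image_type):
    """Classify one node pool: 'patched', 'upgrade', 'not-listed' or 'unknown-image'."""
    family = image_family(image_type)
    if family is None:
        return "unknown-image"
    major, minor, patch, build = parse_version(version)
    floor = minimum_versions(family).get((major, minor))
    if floor is None:
        return "not-listed"
    # "or later" within the same minor: compare the patch number, then the gke build.
    return "patched" if (patch, build) >= floor else "upgrade"


def audit(node_pools):
    """Assess each node pool dict (shape of `gcloud container node-pools list --format=json`)."""
    return [
        {
            "name": pool["name"],
            "version": pool["version"],
            "imageType": pool["config"]["imageType"],
            "status": assess(pool["version"], pool["config"]["imageType"]),
        }
        for pool in node_pools
    ]


# Constructed sample in the shape of the gcloud JSON output; not real cluster data.
SAMPLE_POOLS = [
    {"name": "cos-pool", "version": "1.27.2-gke.2200", "config": {"imageType": "COS_CONTAINERD"}},
    {"name": "ubuntu-pool", "version": "1.26.5-gke.1014001", "config": {"imageType": "UBUNTU_CONTAINERD"}},
    {"name": "new-pool", "version": "1.29.0-gke.100", "config": {"imageType": "COS_CONTAINERD"}},
]

if __name__ == "__main__":
    # Pipe real gcloud JSON on stdin, otherwise the constructed sample is used.
    pools = SAMPLE_POOLS if sys.stdin.isatty() else json.load(sys.stdin)
    for row in audit(pools):
        print(f'{row["name"]:<14} {row["imageType"]:<20} {row["version"]:<22} {row["status"]}')
```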

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3609

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3609

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3609

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3609

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-050

Published: 2023-12-27
Reference: CVE-2023-3389

GKE

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3389

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.24.14-gke.1027001
  • 1.25.10-gke.1027001
  • 1.26.5-gke.1014001
  • 1.27.3-gke.1001002
  • 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.24.14-gke.1027001
  • 1.25.10-gke.1027001
  • 1.26.5-gke.1014001
  • 1.27.3-gke.1001002
  • 1.28.1-gke.1002003

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3389

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3389

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3389

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3389

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-049

Published: 2023-12-20
Reference: CVE-2023-3090

GKE

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3090

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.24.14-gke.1027001
  • 1.25.12-gke.900
  • 1.26.5-gke.1014001
  • 1.27.4-gke.400
  • 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.24.14-gke.1027001
  • 1.25.12-gke.900
  • 1.26.5-gke.1014001
  • 1.27.4-gke.900
  • 1.28.1-gke.1050000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3090

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3090

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3090

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3090

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-048

Published: 2023-12-15
Updated: 2023-12-21
Reference: CVE-2023-3390

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

GKE

Updated: 2023-12-21

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3390

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.27.4-gke.400
  • 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.24.14-gke.1027001
  • 1.25.12-gke.900
  • 1.26.5-gke.1014001
  • 1.27.4-gke.900
  • 1.28.1-gke.1050000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3390

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3390

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3390

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3390

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-047

Published: 2023-12-14

GKE

Description Severity

An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster. The issues with Fluent Bit and Anthos Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise. We are not aware of any instances of exploitation of these vulnerabilities.

These issues were reported through our Vulnerability Reward Program.

What should I do?

The following versions of GKE have been updated with code to fix these vulnerabilities in Fluent Bit and for users of managed Anthos Service Mesh. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:

  • 1.25.16-gke.1020000
  • 1.26.10-gke.1235000
  • 1.27.7-gke.1293000
  • 1.28.4-gke.1083000

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are being addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to compromise the Fluent Bit logging container. We are not aware of any existing vulnerabilities in Fluent Bit that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

GKE uses Fluent Bit to process logs for workloads running on clusters. Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node. The researcher used this access to discover a highly privileged service account token for clusters that have Anthos Service Mesh enabled.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have removed Fluent Bit's access to the service account tokens and have redesigned the functionality of Anthos Service Mesh to remove excess privileges.

Medium
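As an added example (not part of this bulletin or of any Google tooling), the following Python audit walks Pod specs for the conditions this page associates with privilege escalation: the seccomp Unconfined profile and CAP_NET_ADMIN named in the Autopilot caveats of the kernel bulletins above, and a hostPath mount broad enough to reach other Pods' service account tokens, the pattern behind the Fluent Bit finding. It assumes the Kubernetes default kubelet pod directory /var/lib/kubelet/pods (not stated in the bulletin), and the sample Pods are constructed.

```python
"""Audit Pod specs for the privilege conditions described in these bulletins."""
import json
import sys

# Kubelet materializes each Pod's volumes, including projected service account
# tokens, under this directory. Kubernetes default; not stated in the bulletin.
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"


def covers(host_path, target):
    """True if a hostPath mount of host_path exposes target (same dir or an ancestor)."""
    mount = host_path.rstrip("/") or "/"
    return mount == "/" or target == mount or target.startswith(mount + "/")


def audit_pod(pod):
    """Return a list of findings for one Pod object (kubectl/API JSON shape)."""
    findings = []
    meta = pod.get("metadata", {})
    ident = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    spec = pod.get("spec", {})
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    host_paths = {
        v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v
    }
    for c in containers:
        sc = c.get("securityContext", {})
        # A container-level seccomp profile overrides the Pod-level one when set.
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp == "Unconfined":
            findings.append(f"{ident}/{c['name']}: seccomp profile Unconfined")
        added = {cap.upper().removeprefix("CAP_") for cap in sc.get("capabilities", {}).get("add", [])}
        # privileged and capabilities.add ALL both include NET_ADMIN.
        if "NET_ADMIN" in added or "ALL" in added or sc.get("privileged"):
            findings.append(f"{ident}/{c['name']}: CAP_NET_ADMIN granted")
        for vm in c.get("volumeMounts", []):
            path = host_paths.get(vm["name"])
            if path is not None and covers(path, KUBELET_PODS_DIR):
                findings.append(
                    f"{ident}/{c['name']}: hostPath {path} exposes other Pods' service account tokens"
                )
    return findings


def audit_pods(pods):
    """Audit a list of Pod objects and return all findings in order."""
    return [f for pod in pods for f in audit_pod(pod)]


# Constructed sample Pods; not taken from any real cluster.
SAMPLE_PODS = [
    {   # log agent mounting the whole kubelet directory, like the Fluent Bit case
        "metadata": {"name": "log-agent-abcde", "namespace": "kube-system"},
        "spec": {
            "volumes": [
                {"name": "varlog", "hostPath": {"path": "/var/log"}},
                {"name": "kubelet", "hostPath": {"path": "/var/lib/kubelet"}},
            ],
            "containers": [{
                "name": "agent",
                "volumeMounts": [
                    {"name": "varlog", "mountPath": "/var/log"},
                    {"name": "kubelet", "mountPath": "/host/kubelet"},
                ],
            }],
        },
    },
    {   # workload that opts out of the Autopilot defaults the bulletins rely on
        "metadata": {"name": "net-tool", "namespace": "default"},
        "spec": {
            "securityContext": {"seccompProfile": {"type": "Unconfined"}},
            "containers": [{
                "name": "tool",
                "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
            }],
        },
    },
    {   # clean workload
        "metadata": {"name": "web", "namespace": "default"},
        "spec": {
            "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "web"}],
        },
    },
]

if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` on stdin, otherwise the sample is used.
    pods = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for finding in audit_pods(pods):
        print(finding)
```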

GKE on VMware

Description Severity

Only GKE on VMware clusters using Anthos Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges.

Medium

GKE on AWS

Description Severity

Only GKE on AWS clusters using Anthos Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges.

Medium

GKE on Azure

Description Severity

Only GKE on Azure clusters using Anthos Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges.

Medium

GKE on Bare Metal

Description Severity

Only GKE on Bare Metal clusters using Anthos Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges.

Medium

GCP-2023-046

Published: 2023-11-22
Updated: 2024-01-22
Reference: CVE-2023-5717

2024-01-22 Update: Added Ubuntu patch versions.

GKE

Updated: 2024-01-22

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5717

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-01-22 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.24.17-gke.2472000
  • 1.25.16-gke.1268000
  • 1.26.12-gke.1111000
  • 1.27.9-gke.1092000
  • 1.28.5-gke.1217000
  • 1.29.0-gke.138100

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.24.17-gke.2113000
  • 1.25.14-gke.1421000
  • 1.25.15-gke.1083000
  • 1.26.10-gke.1073000
  • 1.27.7-gke.1088000
  • 1.28.3-gke.1203000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5717

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5717

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5717

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5717

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-045

Published: 2023-11-20
Updated: 2023-12-21
Reference: CVE-2023-5197

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

GKE

Updated: 2023-12-21

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5197

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.25.13-gke.1002003
  • 1.26.9-gke.1514000
  • 1.27.6-gke.1513000
  • 1.28.2-gke.1164000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

  • 1.24.16-gke.1005001
  • 1.25.13-gke.1002003
  • 1.26.9-gke.1548000
  • 1.27.7-gke.1039000
  • 1.28.3-gke.1061000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5197

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5197

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5197

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-5197

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-042

Published: 2023-11-13
Updated: 2023-11-15
Reference: CVE-2023-4147

2023-11-15 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patched version for GKE.

GKE

Updated: 2023-11-15

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4147

GKE Standard clusters are impacted. GKE Autopilot clusters aren't impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2023-11-15 Update: You only need to upgrade to one of the patched versions that are listed in this bulletin if you use that minor version in your nodes. For example, if you use GKE version 1.27, you should upgrade to the corresponding patched version. However, if you use GKE version 1.24, you don't need to upgrade to a patched version.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

  • 1.27.5-gke.200
  • 1.28.2-gke.1157000

Upgrade your Ubuntu node pools to one of the following versions or later:

  • 1.25.14-gke.1421000
  • 1.26.9-gke.1437000
  • 1.27.6-gke.1248000
  • 1.28.2-gke.1157000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patched version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4147

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4147

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4147

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4147

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-041

Published: 2023-11-08
Updated: 2023-11-21, 2023-12-05, 2023-12-21
Reference: CVE-2023-4004

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

2023-12-05 Update: Added additional GKE versions for Container-Optimized OS node pools.

2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.

GKE

Updated: 2023-11-21, 2023-12-05, 2023-12-21

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4004

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-12-05 Update: Some GKE versions were previously missing. The following is an updated list of GKE versions that you can update your Container-Optimized OS to:

  • 1.24.17-gke.200 or later
  • 1.25.13-gke.200 or later
  • 1.26.8-gke.200 or later
  • 1.27.4-gke.2300 or later
  • 1.28.1-gke.1257000 or later

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

  • 1.27.4-gke.2300
  • 1.28.1-gke.1257000

Upgrade your Ubuntu node pools to one of the following versions or later:

  • 1.24.14-gke.1027001
  • 1.25.13-gke.700
  • 1.26.8-gke.700
  • 1.27.5-gke.700
  • 1.28.1-gke.1050000

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4004

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4004

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4004

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4004

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-040

Published: 2023-11-06
Updated: 2023-11-21, 2023-12-21
Reference: CVE-2023-4921

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.

GKE

Updated: 2023-11-21, 2023-12-21

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4921

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

  • 1.24.14-gke.1027001
  • 1.25.14-gke.1351000
  • 1.26.9-gke.1345000
  • 1.27.6-gke.1389000

Upgrade your Ubuntu node pools to one of the following versions or later:

  • 1.24.17-gke.2186000
  • 1.25.15-gke.1016000
  • 1.26.9-gke.1548000
  • 1.27.6-gke.1551000
  • 1.28.2-gke.1256000

High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4921

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4921

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4921

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4921

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

None

GCP-2023-039

Published: 2023-11-06
Updated: 2023-11-21, 2023-11-16
Reference: CVE-2023-4622

2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.

2023-11-16 Update: The vulnerability associated with this security bulletin is CVE-2023-4622. CVE-2023-4623 was incorrectly listed as the vulnerability in a previous version of the security bulletin.

GKE

Updated: 2023-11-21, 2023-11-16

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4622

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

  • 1.24.14-gke.1027001
  • 1.25.14-gke.1351000
  • 1.26.9-gke.1345000
  • 1.27.5-gke.1647000

Upgrade your Ubuntu node pools to one of the following versions or later:

  • 1.24.17-gke.2186000
  • 1.25.15-gke.1016000
  • 1.26.9-gke.1548000
  • 1.27.6-gke.1551000
  • 1.28.2-gke.1256000

High

GKE on VMware

Updated: 2023-11-16

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4622

What should I do?

Pending

GKE on AWS

Updated: 2023-11-16

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4622

What should I do?

Pending

GKE on Azure

Updated: 2023-11-16

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4622

What should I do?

Pending

GKE on Bare Metal

Updated: 2023-11-16

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4623

What should I do?

There is no action required. GKE on Bare Metal is not affected, as it does not bundle an operating system in its distribution.

None

GCP-2023-038

Published: 2023-11-06
Updated: 2023-11-21, 2023-12-21
Reference: CVE-2023-4623

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.

GKE

Updated: 2023-11-21, 2023-12-21

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4623

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

  • 1.24.14-gke.1027001
  • 1.25.14-gke.1351000
  • 1.26.9-gke.1345000
  • 1.27.6-gke.1389000

Upgrade your Ubuntu node pools to one of the following versions or later:

  • 1.24.17-gke.2186000
  • 1.25.15-gke.1016000
  • 1.26.9-gke.1548000
  • 1.27.6-gke.1551000
  • 1.28.2-gke.1256000
High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4623

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4623

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4623

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4623

What should I do?

There is no action required. GKE on Bare Metal is not affected, as it does not bundle an operating system in its distribution.

None

GCP-2023-037

Published: 2023-11-06
Updated: 2023-11-21, 2023-12-21
Reference: CVE-2023-4015

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.

GKE

Updated: 2023-11-21, 2023-12-21

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4015

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

  • 1.27.5-gke.1647000

Upgrade your Ubuntu node pools to one of the following versions or later:

  • 1.24.14-gke.1027001
  • 1.25.13-gke.700
  • 1.26.8-gke.700
  • 1.27.5-gke.700
  • 1.28.1-gke.1050000
High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4015

What should I do?

Pending

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4015

What should I do?

Pending

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4015

What should I do?

Pending

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4015

What should I do?

There is no action required. GKE on Bare Metal is not affected, as it does not bundle an operating system in its distribution.

None

GCP-2023-035

Published: 2023-10-26
Updated: 2023-11-21, 2023-12-21
Reference: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4128

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.

GKE

Updated: 2023-11-21, 2023-12-21

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4206
  • CVE-2023-4207
  • CVE-2023-4208
  • CVE-2023-4128

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

  • 1.24.14-gke.1027001
  • 1.25.13-gke.1008000
  • 1.26.8-gke.1647000
  • 1.27.5-gke.200

Upgrade your Ubuntu node pools to one of the following versions or later:

  • 1.24.14-gke.1027001
  • 1.25.13-gke.1706000
  • 1.26.8-gke.1647000
  • 1.27.5-gke.1648000
  • 1.28.1-gke.1050000
High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4206
  • CVE-2023-4207
  • CVE-2023-4208
  • CVE-2023-4128

What should I do?

High

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4206
  • CVE-2023-4207
  • CVE-2023-4208
  • CVE-2023-4128

What should I do?

High

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4206
  • CVE-2023-4207
  • CVE-2023-4208
  • CVE-2023-4128

What should I do?

High

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-4206
  • CVE-2023-4207
  • CVE-2023-4208
  • CVE-2023-4128

What should I do?

There is no action required. GKE on Bare Metal is not affected, as it does not bundle an operating system in its distribution.

High

GCP-2023-033

Published: 2023-10-24
Updated: 2023-11-21, 2023-12-21
Reference: CVE-2023-3777

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted and GKE Sandbox workloads are not impacted.

2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.

GKE

Updated: 2023-11-21, 2023-12-21

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3777

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN. GKE Sandbox workloads are also not impacted.

Autopilot clusters are impacted.

Clusters that use GKE Sandbox are impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

  • 1.24.16-gke.2200
  • 1.25.12-gke.2200
  • 1.26.7-gke.2200
  • 1.27.4-gke.2300

Upgrade your Ubuntu node pools to one of the following versions or later:

  • 1.24.17-gke.700
  • 1.25.13-gke.700
  • 1.26.8-gke.700
  • 1.27.5-gke.700
  • 1.28.0-gke.100
High

GKE on VMware

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3777

What should I do?

GKE on AWS

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3777

What should I do?

GKE on Azure

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3777

What should I do?

GKE on Bare Metal

Description Severity

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

  • CVE-2023-3777

What should I do?

There is no action required. GKE on Bare Metal is not affected, as it does not bundle an operating system in its distribution.

GCP-2023-030

Published: 2023-10-10
Updated: 2024-02-14
Reference: CVE-2023-44487, CVE-2023-39325

2024-02-14 Update: Added patch versions for GKE on VMware.

2023-11-09 Update: Added CVE-2023-39325. Updated GKE versions with the latest patches for CVE-2023-44487 and CVE-2023-39325.

GKE

Updated: 2023-11-09

Description Severity

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected.

What should I do?

2023-11-09 Update: We have released new versions of GKE that include the Go and Kubernetes security patches, which you can update your clusters to now. In the coming weeks we will release additional changes to the GKE control plane to further mitigate this issue.

The following GKE versions have been updated with patches for CVE-2023-44487 and CVE-2023-39325:

  • 1.24.17-gke.2155000
  • 1.25.14-gke.1474000
  • 1.26.10-gke.1024000
  • 1.27.7-gke.1038000
  • 1.28.3-gke.1090000

We recommend that you apply the following mitigation as soon as possible and upgrade to the latest patched version when available.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to, and also make the patches visible within GKE security posture when available for your cluster. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications.

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

Mitigate by configuring authorized networks for control plane access:

You can add authorized networks to existing clusters. To learn more, see authorized networks for existing clusters.

In addition to the authorized networks you add, there are preset IP addresses that can access the GKE control plane. To learn more about these addresses, see Access to control plane endpoints. The following items summarize the cluster isolation:

  • Private clusters with --master-authorized-networks and PSC-based clusters with --master-authorized-networks and --no-enable-google-cloud configured are the most isolated.
  • Legacy public clusters with --master-authorized-networks and PSC-based clusters with --master-authorized-networks and --enable-google-cloud (default) configured are additionally accessible by the following:
    • Public IP addresses of all Compute Engine VMs in Google Cloud
    • Google Cloud platform IP addresses

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on GKE control plane nodes.

High

GKE on VMware

Updated: 2024-02-14

Description Severity

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on VMware creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

2024-02-14 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following patch versions or later:

  • 1.28.100
  • 1.16.6
  • 1.15.8

If you have configured your GKE on VMware Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

High

GKE on AWS

Description Severity

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on AWS creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

If you have configured your GKE on AWS to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

High

GKE on Azure

Description Severity

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on Azure creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

If you have configured your GKE on Azure clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

High

GKE on Bare Metal

Description Severity

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. Anthos on Bare Metal creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

If you have configured your Anthos on Bare Metal Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. To learn more, see the GKE on Bare Metal security overview.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

High

GCP-2023-026

Published: 2023-09-06
Reference: CVE-2023-3676, CVE-2023-3955, CVE-2023-3893

GKE

Description Severity

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

GKE clusters are only affected if they include Windows nodes.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

  • 1.24.17-gke.200
  • 1.25.13-gke.200
  • 1.26.8-gke.200
  • 1.27.5-gke.200
  • 1.28.1-gke.200

The GKE control plane will be updated the week of 2023-09-04 to update the csi-proxy to version 1.1.3. If you update your nodes prior to the control plane update, you will need to update your nodes again after the update to take advantage of the new proxy. You can update the nodes again, even without changing the node version, by running the gcloud container clusters upgrade command and passing the --cluster-version flag with the same GKE version that the node pool is already running. You must use the gcloud CLI for this workaround. Note that this will cause an update regardless of maintenance windows.

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are addressed by this patch?

With CVE-2023-3676, a malicious actor could craft a Pod spec with host path strings that contain PowerShell commands. Kubelet lacks input sanitization and passes this crafted path string to the command executor as an argument where it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has.

With CVE-2023-3955, Kubelet grants users who can create Pods the ability to execute code at the same permission level as the Kubelet agent, which runs with privileged permissions.

With CVE-2023-3893, a similar lack of input sanitization lets a user who can create Pods on Windows nodes running kubernetes-csi-proxy escalate to admin privileges on those nodes.

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into Pods are also a strong indication of exploitation.

High
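The detection guidance above names two indicators in the audit log: Pod create events whose host path strings carry embedded PowerShell, and ConfigMaps or Secrets created with PowerShell commands in their data. The following is an added detection example, not code from the bulletin or from Kubernetes; the audit events are constructed, the heuristics for "looks like PowerShell" are the example's own, and the field names assume the audit.k8s.io Event schema logged at RequestResponse level (otherwise `requestObject` is absent).

```python
"""Scan Kubernetes audit log lines for the indicators named in GCP-2023-026.

Added detection example, not from the bulletin or from Kubernetes. The events
are constructed; field names follow the audit.k8s.io Event schema at the
RequestResponse level, which is needed for requestObject to be recorded.
"""
import base64
import json
import re

# Characters that never belong in a Windows host path but are meaningful to a
# command interpreter, plus the interpreter's name. Constructed heuristic.
HOSTPATH_RE = re.compile(r"[;&|`$(){}]|powershell", re.IGNORECASE)

# Verb-Noun cmdlet shape for common PowerShell verbs. Constructed heuristic.
CMDLET_RE = re.compile(
    r"\b(?:Invoke|Start|Set|Get|New|Add|Remove|Write|Import|Export)-[A-Z][A-Za-z]+\b"
    r"|powershell", re.IGNORECASE)

def suspicious_host_paths(pod_spec: dict) -> list[str]:
    """hostPath.path values in a Pod spec that contain interpreter syntax."""
    hits = []
    for vol in pod_spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path", "")
        if HOSTPATH_RE.search(path):
            hits.append(path)
    return hits

def targets_windows(pod_spec: dict) -> bool:
    """True when the Pod selects Windows nodes through the kubernetes.io/os label."""
    selector = pod_spec.get("nodeSelector") or {}
    return selector.get("kubernetes.io/os", "").lower() == "windows"

def embedded_cmdlets(resource: str, body: dict) -> list[str]:
    """Keys of a ConfigMap or Secret whose value looks like a PowerShell command."""
    hits = []
    for key, value in (body.get("data") or {}).items():
        if resource == "secrets":  # Secret data arrives base64-encoded
            try:
                value = base64.b64decode(value).decode("utf-8", "replace")
            except (ValueError, TypeError):
                continue
        if CMDLET_RE.search(value):
            hits.append(key)
    return hits

def inspect_event(event: dict) -> list[str]:
    """Reasons this audit event matches the bulletin's indicators; empty if none."""
    if event.get("verb") != "create":
        return []
    resource = (event.get("objectRef") or {}).get("resource")
    body = event.get("requestObject") or {}
    reasons = []
    if resource == "pods":
        spec = body.get("spec") or {}
        for path in suspicious_host_paths(spec):
            where = "Windows-targeted" if targets_windows(spec) else "unpinned"
            reasons.append(f"{where} Pod with interpreter syntax in hostPath {path!r}")
    elif resource in ("configmaps", "secrets"):
        for key in embedded_cmdlets(resource, body):
            reasons.append(f"{resource[:-1]} key {key!r} contains a PowerShell cmdlet")
    return reasons

def scan_audit_log(lines) -> list[tuple[str, str]]:
    """(username, reason) for every JSON audit line that matches an indicator."""
    findings = []
    for line in lines:
        event = json.loads(line)
        user = (event.get("user") or {}).get("username", "?")
        findings.extend((user, reason) for reason in inspect_event(event))
    return findings

def _event(verb: str, user: str, resource: str, body=None) -> str:
    """Build one constructed audit line in the apiserver's JSON format."""
    return json.dumps({"verb": verb, "user": {"username": user},
                       "objectRef": {"resource": resource}, "requestObject": body})

# Constructed sample log: a benign Windows Pod, a Pod with a shell fragment in
# its hostPath, a ConfigMap and a Secret carrying cmdlets, and a read to ignore.
SAMPLE_AUDIT_LOG = [
    _event("create", "ci-bot", "pods", {"spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "volumes": [{"name": "logs", "hostPath": {"path": "C:\\ProgramData\\logs"}}]}}),
    _event("create", "dev-42", "pods", {"spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "volumes": [{"name": "m", "hostPath": {"path": "C:\\mnt;$(Get-Date)"}}]}}),
    _event("create", "dev-42", "configmaps", {"data": {"run.ps1": "Start-Process notepad"}}),
    _event("create", "dev-42", "secrets", {"data": {
        "boot": base64.b64encode(b"Write-Output hello").decode()}}),
    _event("get", "dev-42", "pods"),
]

if __name__ == "__main__":
    for user, reason in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{user}: {reason}")
```

A ConfigMap or Secret hit only becomes a strong indicator once it is mounted into a Pod, so in practice the keys reported here are correlated with later Pod create events that reference them.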

GKE on VMware

Description Severity

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

Clusters are only affected if they include Windows nodes.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-3676, a malicious actor could craft a Pod spec with host path strings that contain PowerShell commands. Kubelet lacks input sanitization and passes this crafted path string to the command executor as an argument where it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has.

With CVE-2023-3955, Kubelet grants users who can create Pods the ability to execute code at the same permission level as the Kubelet agent, which runs with privileged permissions.

With CVE-2023-3893, a similar lack of input sanitization lets a user who can create Pods on Windows nodes running kubernetes-csi-proxy escalate to admin privileges on those nodes.

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into Pods are also a strong indication of exploitation.

High

GKE on AWS

Description Severity

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

What should I do?

GKE on AWS is not affected by these CVEs. No action is required.

None

GKE on Azure

Description Severity

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

What should I do?

GKE on Azure is not affected by these CVEs. No action is required.

None

GKE on Bare Metal

Description Severity

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

What should I do?

GKE on Bare Metal is not affected by these CVEs. No action is required.

None

GCP-2023-018

Published: 2023-06-27
Reference: CVE-2023-2235

GKE

Description Severity

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE Autopilot clusters are affected as GKE Autopilot nodes always use Container-Optimized OS node images. GKE Standard clusters with versions 1.25 or later that are running Container-Optimized OS node images are affected.

GKE clusters are not affected if they are running only Ubuntu node images, or running versions before 1.25, or using GKE Sandbox.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

  • 1.25.9-gke.1400
  • 1.26.4-gke.1500
  • 1.27.1-gke.2400

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are being addressed?

With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on individual events before they are detached from their group, leaving a dangling pointer that causes a use-after-free vulnerability.

High

GKE on VMware

Description Severity

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware clusters are affected.

What should I do?

What vulnerabilities are being addressed?

With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on individual events before they are detached from their group, leaving a dangling pointer that causes a use-after-free vulnerability.

High

GKE on AWS

Description Severity

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on individual events before they are detached from their group, leaving a dangling pointer that causes a use-after-free vulnerability.

High

GKE on Azure

Description Severity

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on individual events before they are detached from their group, leaving a dangling pointer that causes a use-after-free vulnerability.

High

GKE on Bare Metal

Description Severity

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node.

Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE.

What should I do?

No action is required.

None

GCP-2023-017

Published: 2023-06-26
Updated: 2023-07-11
Reference: CVE-2023-31436

2023-07-11 Update: New GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-31436.

GKE

Updated: 2023-07-11

Description Severity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE clusters, including Autopilot clusters, are affected.

GKE clusters using GKE Sandbox are not affected.

What should I do?

2023-07-11 Update: Ubuntu patch versions are available.

The following GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-31436:

  • 1.23.17-gke.8200
  • 1.24.14-gke.2600
  • 1.25.10-gke.2700
  • 1.26.5-gke.2700
  • 1.27.2-gke.2700

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

  • 1.22.17-gke.11400
  • 1.23.17-gke.6800
  • 1.24.14-gke.1200
  • 1.25.10-gke.1200
  • 1.26.5-gke.1200
  • 1.27.2-gke.1200

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are being addressed?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem: a user can trigger the qfq_change_class function with an incorrect MTU value of the network device, which is then used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

High

GKE on VMware

Description Severity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware clusters are affected.

What should I do?

What vulnerabilities are being addressed?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem: a user can trigger the qfq_change_class function with an incorrect MTU value of the network device, which is then used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

High

GKE on AWS

Description Severity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem: a user can trigger the qfq_change_class function with an incorrect MTU value of the network device, which is then used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

High

GKE on Azure

Description Severity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem: a user can trigger the qfq_change_class function with an incorrect MTU value of the network device, which is then used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

High

GKE on Bare Metal

Description Severity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node.

Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE.

What should I do?

No action is required.

None

GCP-2023-016

Published: 2023-06-26
Reference: CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487

GKE

Description Severity

A number of vulnerabilities have been discovered in Envoy, which is used in Anthos Service Mesh (ASM). These were reported separately as GCP-2023-002.

GKE does not ship with ASM and is not affected by these vulnerabilities.

What should I do?

If you have separately installed ASM for your GKE clusters, please see GCP-2023-002.

None

GKE on VMware

Description Severity

A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487) have been discovered in Envoy, which is used by Anthos Service Mesh in GKE on VMware. They allow a malicious attacker to cause a denial of service by crashing Envoy, or to bypass auth checks. These were reported separately as GCP-2023-002, but we want to ensure that GKE Enterprise customers update their versions that include ASM.

What should I do?

The following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:

  • 1.13.8
  • 1.14.5
  • 1.15.1

What vulnerabilities are addressed by this patch?

CVE-2023-27496: If Envoy is running with the OAuth filter enabled and exposed, a malicious actor could construct a request that crashes Envoy, causing a denial of service.

CVE-2023-27488: Attackers can use this vulnerability to bypass auth checks when ext_authz is used.

CVE-2023-27493: Envoy does not escape HTTP header values by default, so a request whose header value contains characters such as newlines can be forwarded to an upstream and cause header injection. The Envoy configuration must also include an option to add request headers that were generated using inputs from the request, such as the peer certificate SAN.

CVE-2023-27492: Attackers can send large request bodies for routes that have the Lua filter enabled and trigger crashes.

CVE-2023-27491: Attackers can send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on an HTTP/1 upstream service.

CVE-2023-27487: The header x-envoy-original-path should be an internal header, but Envoy does not remove it from the request at the beginning of request processing when it is sent from an untrusted client.

High

GKE on AWS

Description Severity

A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487), have been discovered in Envoy, which is used in Anthos Service Mesh. These were reported separately as GCP-2023-002.

GKE on AWS does not ship with ASM and is not affected.

What should I do?

No action is required.

None

GKE on Azure

Description Severity

A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487), have been discovered in Envoy, which is used in Anthos Service Mesh. These were reported separately as GCP-2023-002.

GKE on Azure does not ship with ASM and is not affected.

What should I do?

No action is required.

None

GKE on Bare Metal

Description Severity

A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487) have been discovered in Envoy, which is used by Anthos Service Mesh in GKE on Bare Metal. They allow a malicious attacker to cause a denial of service by crashing Envoy, or to bypass auth checks. These were reported separately as GCP-2023-002, but we want to ensure that GKE Enterprise customers update their versions that include ASM.

What should I do?

The following versions of GKE on Bare Metal have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on Bare Metal versions:

  • 1.13.9
  • 1.14.6
  • 1.15.2

What vulnerabilities are addressed by this patch?

CVE-2023-27496: If Envoy is running with the OAuth filter enabled and exposed, a malicious actor could construct a request that crashes Envoy, causing a denial of service.

CVE-2023-27488: Attackers can use this vulnerability to bypass auth checks when ext_authz is used.

CVE-2023-27493: Envoy does not escape HTTP header values by default, so a request whose header value contains characters such as newlines can be forwarded to an upstream and cause header injection. The Envoy configuration must also include an option to add request headers that were generated using inputs from the request, such as the peer certificate SAN.

CVE-2023-27492: Attackers can send large request bodies for routes that have the Lua filter enabled and trigger crashes.

CVE-2023-27491: Attackers can send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on an HTTP/1 upstream service.

CVE-2023-27487: The header x-envoy-original-path should be an internal header, but Envoy does not remove it from the request at the beginning of request processing when it is sent from an untrusted client.

High

GCP-2023-015

Published: 2023-06-20
Reference: CVE-2023-0468

GKE

Description Severity

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node. GKE clusters, including Autopilot clusters, are affected.

GKE clusters using GKE Sandbox are not affected.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

  • 1.25.7-gke.1200
  • 1.26.2-gke.1200

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are being addressed?

In CVE-2023-0468, a use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel. This flaw may cause a NULL pointer dereference, and potentially a system crash leading to a denial of service.

Medium

GKE on VMware

Description Severity

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node.

GKE on VMware uses version 5.4 of the Linux Kernel and is not affected by this CVE.

What should I do?

  • No action is needed
None

GKE on AWS

Description Severity

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node.

GKE on AWS is not affected by this CVE.

What should I do?

  • No action is needed
None

GKE on Azure

Description Severity

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node.

GKE on Azure is not affected by this CVE.

What should I do?

  • No action is needed
None

GKE on Bare Metal

Description Severity

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node.

Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE.

What should I do?

  • No action is needed
None

GCP-2023-014

Published: 2023-06-15
Updated: 2023-08-11
Reference: CVE-2023-2727, CVE-2023-2728

2023-08-11 Update: Added patch versions for GKE on VMware, GKE on AWS, GKE on Azure, and GKE on Bare Metal

GKE

Description Severity

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728).

GKE does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.

All versions of GKE are potentially vulnerable to CVE-2023-2728.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

  • 1.27.2-gke.1200
  • 1.26.5-gke.1200
  • 1.25.10-gke.1200
  • 1.24.14-gke.1200
  • 1.23.17-gke.6800

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

  • The ServiceAccount admission plugin is used.
  • The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
  • Pods are using ephemeral containers.
Medium
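An audit of the CVE-2023-2728 conditions, added here as an example and not code from Kubernetes or from this bulletin: it applies the mountable-secrets rule to every container list in a Pod, ephemeralContainers included, which is the list the unpatched admission plugin did not check. The objects below are constructed in the shape of `kubectl get sa -o json` and `kubectl get pods -o json` items; the set of reference kinds checked (secret volumes, env secretKeyRef, envFrom secretRef, imagePullSecrets) is my reading of the policy, not text from the bulletin. Run against a cluster's real Pod and ServiceAccount lists, it shows whether a Pod admitted on an unpatched control plane already references a Secret the policy should have refused.

```python
from typing import Dict, List, Set, Tuple

ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def _container_secret_refs(container: dict) -> Set[str]:
    """Secrets a container reaches through env/envFrom. The same walk is applied to
    regular, init and ephemeral containers; the unpatched plugin skipped the last list."""
    refs: Set[str] = set()
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            refs.add(ref["name"])
    for src in container.get("envFrom", []):
        ref = src.get("secretRef")
        if ref:
            refs.add(ref["name"])
    return refs


def pod_secret_refs(pod: dict) -> Set[str]:
    """Every Secret the Pod references: secret volumes, imagePullSecrets and the env of
    init, regular and ephemeral containers (assumed to be the kinds the policy covers)."""
    spec = pod["spec"]
    refs: Set[str] = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            refs.add(vol["secret"]["secretName"])
    for ips in spec.get("imagePullSecrets", []):
        refs.add(ips["name"])
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            refs |= _container_secret_refs(container)
    return refs


def find_violations(pods: List[dict], service_accounts: List[dict]) -> List[Tuple[str, Set[str]]]:
    """(pod name, disallowed secrets) for each Pod whose service account carries the
    enforce-mountable-secrets annotation and that references a Secret outside the
    service account's `secrets` list."""
    allowed: Dict[Tuple[str, str], Set[str]] = {}
    for sa in service_accounts:
        meta = sa["metadata"]
        if meta.get("annotations", {}).get(ANNOTATION) == "true":
            allowed[(meta["namespace"], meta["name"])] = {s["name"] for s in sa.get("secrets", [])}

    violations = []
    for pod in pods:
        key = (pod["metadata"]["namespace"], pod["spec"].get("serviceAccountName", "default"))
        if key not in allowed:
            continue  # the policy is opt-in per service account; nothing to enforce here
        disallowed = pod_secret_refs(pod) - allowed[key]
        if disallowed:
            violations.append((pod["metadata"]["name"], disallowed))
    return violations


# Constructed sample objects (not from a real cluster).
SAMPLE_SERVICE_ACCOUNTS = [
    {"metadata": {"namespace": "prod", "name": "app", "annotations": {ANNOTATION: "true"}},
     "secrets": [{"name": "app-token"}]},
    {"metadata": {"namespace": "prod", "name": "default"}},  # no annotation: not enforced
]
SAMPLE_PODS = [
    {"metadata": {"namespace": "prod", "name": "web"},
     "spec": {"serviceAccountName": "app",
              "containers": [{"name": "web", "env": [
                  {"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "app-token", "key": "t"}}}]}],
              # Debug container added with `kubectl debug`; the unpatched plugin never looked here.
              "ephemeralContainers": [{"name": "debugger",
                                       "envFrom": [{"secretRef": {"name": "db-admin-creds"}}]}]}},
    {"metadata": {"namespace": "prod", "name": "worker"},
     "spec": {"serviceAccountName": "app", "containers": [{"name": "worker"}],
              "volumes": [{"name": "tok", "secret": {"secretName": "app-token"}}]}},
    {"metadata": {"namespace": "prod", "name": "scratch"},
     "spec": {"containers": [{"name": "c", "envFrom": [{"secretRef": {"name": "db-admin-creds"}}]}]}},
]

if __name__ == "__main__":
    for name, secrets in find_violations(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS):
        print(f"pod {name} references secrets outside its service account policy: {sorted(secrets)}")
```

Only the `web` Pod is reported: its regular container stays inside the policy, but the ephemeral `debugger` container pulls in `db-admin-creds`. The `scratch` Pod reaches the same Secret through the un-annotated `default` service account, which is by design outside the policy.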

GKE on VMware

Updated: 2023-08-11

Description Severity

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). Anthos on VMware does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.

All versions of Anthos on VMware are potentially vulnerable to CVE-2023-2728.

What should I do?

2023-08-11 Update: The following versions of GKE on VMware have been updated with code to fix this vulnerability. Upgrade your admin and user clusters to one of the following GKE on VMware versions:

  • 1.13.10
  • 1.14.6
  • 1.15.3

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

  • The ServiceAccount admission plugin is used.
  • The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
  • Pods are using ephemeral containers.
Medium

GKE on AWS

Updated: 2023-08-11

Description Severity

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). Anthos on AWS does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.

All versions of Anthos on AWS are potentially vulnerable to CVE-2023-2728.

What should I do?

2023-08-11 Update: The following version of GKE on AWS has been updated with code to fix this vulnerability. Upgrade your nodes to the following GKE on AWS version:

  • 1.15.2

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

  • The ServiceAccount admission plugin is used.
  • The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
  • Pods are using ephemeral containers.
Medium

GKE on Azure

Updated: 2023-08-11

Description Severity

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). Anthos on Azure does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.

All versions of Anthos on Azure are potentially vulnerable to CVE-2023-2728.

What should I do?

2023-08-11 Update: The following version of GKE on Azure has been updated with code to fix this vulnerability. Upgrade your nodes to the following GKE on Azure version:

  • 1.15.2

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

  • The ServiceAccount admission plugin is used.
  • The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
  • Pods are using ephemeral containers.
Medium

GKE on Bare Metal

Updated: 2023-08-11

Description Severity

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). Anthos on Bare Metal does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.

All versions of Anthos on Bare Metal are potentially vulnerable to CVE-2023-2728.

What should I do?

2023-08-11 Update: The following versions of Google Distributed Cloud Virtual for Bare Metal have been updated with code to fix this vulnerability. Upgrade your nodes to one of the following Google Distributed Cloud Virtual for Bare Metal versions:

  • 1.13.9
  • 1.14.7
  • 1.15.3

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

  • The ServiceAccount admission plugin is used.
  • The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
  • Pods are using ephemeral containers.
Medium

GCP-2023-009

Published: 2023-06-06
Reference: CVE-2023-2878

GKE

Description Severity

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE is not affected by this CVE.

What should I do?

While GKE is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

None
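The exposure described above, as an added example that is not part of the bulletin or of the secrets-store-csi-driver project: the first function reports whether a given driver deployment meets both logging conditions (tokenRequests set on the CSIDriver object and -v at 2 or above), and the second scans driver log lines for JWT-shaped strings and decodes their claims without verifying the signature, which is exactly what an actor with log access would do. The log lines and the token are constructed to resemble klog output and a projected service account token; the parameter name csi.storage.k8s.io/serviceAccount.tokens is the one the kubelet uses, everything else in the sample is invented.

```python
import base64
import json
import re
from typing import Iterable, List, Optional, Tuple

# JWT shape: three base64url segments; the first two begin with "eyJ", the encoding of '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_fake_jwt(payload: dict) -> str:
    """Constructed, unsigned token for the sample log. No API server would accept it."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(payload)}.fakesig"


def tokens_would_be_logged(csidriver: dict, driver_args: Iterable[str]) -> bool:
    """Both conditions from the bulletin: tokenRequests on the CSIDriver object and the
    driver started with -v at 2 or above (klog accepts -v=N, --v=N and '-v N')."""
    token_requests = csidriver.get("spec", {}).get("tokenRequests") or []
    args = list(driver_args)
    verbosity = 0
    for i, arg in enumerate(args):
        m = re.match(r"^--?v=(\d+)$", arg)
        if m:
            verbosity = int(m.group(1))
        elif arg in ("-v", "--v") and i + 1 < len(args) and args[i + 1].isdigit():
            verbosity = int(args[i + 1])
    return bool(token_requests) and verbosity >= 2


def find_leaked_tokens(log_lines: Iterable[str]) -> List[Tuple[int, Optional[str], object]]:
    """Find JWT-shaped strings in log lines and report (line number, sub, aud). The payload is
    decoded without signature verification: the goal is to see what leaked, not to trust it."""
    found = []
    for lineno, line in enumerate(log_lines, 1):
        for match in JWT_RE.finditer(line):
            try:
                claims = json.loads(_b64url_decode(match.group(0).split(".")[1]))
            except (ValueError, UnicodeDecodeError):
                continue  # base64-looking text that is not a JWT payload
            found.append((lineno, claims.get("sub"), claims.get("aud")))
    return found


# Constructed sample: a projected token as the kubelet passes it to the driver, inside
# lines made to look like klog output. Nothing here comes from a real cluster.
SAMPLE_TOKEN = make_fake_jwt({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:prod:app",
    "aud": ["vault"],
    "exp": 1700000000,
})
SAMPLE_LOG = [
    'I0606 10:00:00.000001       1 nodeserver.go:95] "NodePublishVolume" pod="prod/app-0"',
    'I0606 10:00:00.000002       1 nodeserver.go:110] "provider parameters" params='
    + json.dumps({"csi.storage.k8s.io/serviceAccount.tokens":
                  json.dumps({"vault": {"token": SAMPLE_TOKEN}})}),
    'I0606 10:00:00.000003       1 nodeserver.go:140] "mounted" volume="app-secrets"',
]
SAMPLE_CSIDRIVER = {"metadata": {"name": "secrets-store.csi.k8s.io"},
                    "spec": {"tokenRequests": [{"audience": "vault"}]}}

if __name__ == "__main__":
    print("tokens logged at -v=2:", tokens_would_be_logged(SAMPLE_CSIDRIVER, ["--v=2"]))
    for lineno, sub, aud in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {lineno}: token for {sub} with audience {aud}")
```

The scan is what a responder would run over collected driver logs after patching: every hit is a token that must be treated as exposed for the lifetime in its `exp` claim, and the `aud` claim tells you which external provider it could be exchanged with.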

GKE on VMware

Description Severity

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE on VMware is not affected by this CVE.

What should I do?

While GKE on VMware is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

None

GKE on AWS

Description Severity

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE on AWS is not affected by this CVE.

What should I do?

While GKE on AWS is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

None

GKE on Azure

Description Severity

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE on Azure is not affected by this CVE.

What should I do?

While GKE on Azure is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

None

GKE on Bare Metal

Description Severity

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE on Bare Metal is not affected by this CVE.

What should I do?

While GKE on Bare Metal is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

None

GCP-2023-008

Published: 2023-06-05
Reference: CVE-2023-1872

GKE

Description Severity

A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. GKE Standard and Autopilot clusters are affected.

Clusters using GKE Sandbox are not affected.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

  • 1.22.17-gke.11400
  • 1.23.17-gke.5600
  • 1.24.13-gke.2500
  • 1.25.9-gke.2300
  • 1.26.5-gke.1200

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are addressed by this patch?

CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The io_file_get_fixed function runs without holding ctx->uring_lock, so a race with fixed files being unregistered can lead to a use-after-free.

High

GKE on VMware

Description Severity

A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

What should I do?

What vulnerabilities are addressed by this patch?

CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The io_file_get_fixed function runs without holding ctx->uring_lock, so a race with fixed files being unregistered can lead to a use-after-free.

High

GKE on AWS

Description Severity

A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

What should I do?

The following version of GKE on AWS has been updated with code to fix this vulnerability:

  • 1.15.1

What vulnerabilities are addressed by this patch?

CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The io_file_get_fixed function runs without holding ctx->uring_lock, so a race with fixed files being unregistered can lead to a use-after-free.

High

GKE on Azure

Description Severity

A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

What should I do?

The following version of GKE on Azure has been updated with code to fix this vulnerability:

  • 1.15.1

What vulnerabilities are addressed by this patch?

CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The io_file_get_fixed function runs without holding ctx->uring_lock, so a race with fixed files being unregistered can lead to a use-after-free.

High

GKE on Bare Metal

Description Severity

A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

GKE on Bare Metal is not affected by this CVE.

What should I do?

No action required.

None

GCP-2023-005

Published: 2023-05-18
Updated: 2023-06-06
Reference: CVE-2023-1281, CVE-2023-1829

2023-06-06 Update: New GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-1281 and CVE-2023-1829.

GKE

Updated: 2023-06-06

Description Severity

Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. GKE Standard clusters are affected.

GKE Autopilot clusters and clusters using GKE Sandbox are not affected.

What should I do?

2023-06-06 Update: Ubuntu patch versions are available.

The following GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-1281 and CVE-2023-1829:

  • 1.23.17-gke.6800
  • 1.24.14-gke.1200
  • 1.25.10-gke.1200
  • 1.26.5-gke.1200

The following versions of GKE have been updated with code to fix these vulnerabilities. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

  • 1.22.17-gke.8100
  • 1.23.17-gke.2300
  • 1.24.12-gke.1100
  • 1.25.8-gke.1000
  • 1.26.3-gke.1000

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are addressed by this patch?

Both CVE-2023-1281 and CVE-2023-1829 are use-after-free vulnerabilities in the Linux kernel traffic control index filter (tcindex) that can be exploited to achieve local privilege escalation.

With CVE-2023-1829, the tcindex_delete function does not properly deactivate filters in certain cases, which can later lead to a double free of a data structure.

In CVE-2023-1281, the imperfect hash area can be updated while packets are traversing it, which causes a use-after-free when tcf_exts_exec() is called with the destroyed tcf_ext. A local attacker can use this vulnerability to elevate their privileges to root.

High

GKE on VMware

Description Severity

Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

What should I do?

What vulnerabilities are addressed by this patch?

Both CVE-2023-1281 and CVE-2023-1829 are use-after-free vulnerabilities in the Linux kernel traffic control index filter (tcindex) that can be exploited to achieve local privilege escalation.

With CVE-2023-1829, the tcindex_delete function does not properly deactivate filters in certain cases, which can later lead to a double free of a data structure.

In CVE-2023-1281, the imperfect hash area can be updated while packets are traversing it, which causes a use-after-free when tcf_exts_exec() is called with the destroyed tcf_ext. A local attacker can use this vulnerability to elevate their privileges to root.

High

GKE on AWS

Description Severity

Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

What should I do?

What vulnerabilities are addressed by this patch?

Both CVE-2023-1281 and CVE-2023-1829 are use-after-free vulnerabilities in the Linux kernel traffic control index filter (tcindex) that can be exploited to achieve local privilege escalation.

With CVE-2023-1829, the tcindex_delete function does not properly deactivate filters in certain cases, which can later lead to a double free of a data structure.

In CVE-2023-1281, the imperfect hash area can be updated while packets are traversing it, which causes a use-after-free when tcf_exts_exec() is called with the destroyed tcf_ext. A local attacker can use this vulnerability to elevate their privileges to root.

High

GKE on Azure

Description Severity

Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

What should I do?

What vulnerabilities are addressed by this patch?

Both CVE-2023-1281 and CVE-2023-1829 are use-after-free vulnerabilities in the Linux kernel traffic control index filter (tcindex) that can be exploited to achieve local privilege escalation.

With CVE-2023-1829, the tcindex_delete function does not properly deactivate filters in certain cases, which can later lead to a double free of a data structure.

In CVE-2023-1281, the imperfect hash area can be updated while packets are traversing it, which causes a use-after-free when tcf_exts_exec() is called with the destroyed tcf_ext. A local attacker can use this vulnerability to elevate their privileges to root.

High

GKE on Bare Metal

Description Severity

Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

GKE on Bare Metal is not affected by these CVEs.

What should I do?

No action required.

None

GCP-2023-003

Published: 2023-04-11
Updated: 2023-12-21
Reference: CVE-2023-0240, CVE-2023-23586

2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

    GKE

    Updated: 2023-12-21

    Description Severity

    2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

    Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE clusters, including Autopilot clusters, with COS using Linux Kernel version 5.10 until 5.10.162 are affected. GKE clusters using Ubuntu images or using GKE Sandbox are unaffected.

    What should I do?

    The following versions of GKE have been updated with code to fix these vulnerabilities. For security purposes, even if you have node-autoupgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:

    • 1.22.17-gke.4000
    • 1.23.16-gke.1100
    • 1.24.10-gke.1200

    A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.

    What vulnerabilities are addressed by this patch?

    Vulnerability 1 (CVE-2023-0240): A race condition in io_uring can lead to a full container break out to root on the node. Linux kernel 5.10 versions before 5.10.162 are affected.

    Vulnerability 2 (CVE-2023-23586): A use after free (UAF) in io_uring/time_ns can lead to a full container break out to root on the node. Linux kernel 5.10 versions before 5.10.162 are affected.

    High

    GKE on VMware

    Description Severity

    Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE on VMware clusters with COS using a Linux kernel 5.10 version before 5.10.162 are affected. GKE Enterprise clusters using Ubuntu images are unaffected.

    What should I do?

    The following versions of GKE on VMware have been updated with code to fix these vulnerabilities:

    • 1.12.6
    • 1.13.5

    What vulnerabilities are addressed by this patch?

    Vulnerability 1 (CVE-2023-0240): A race condition in io_uring can lead to a full container break out to root on the node. Linux kernel 5.10 versions before 5.10.162 are affected.

    Vulnerability 2 (CVE-2023-23586): A use after free (UAF) in io_uring/time_ns can lead to a full container break out to root on the node. Linux kernel 5.10 versions before 5.10.162 are affected.

    High

    GKE on AWS

    Description Severity

    Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE on AWS is not affected by these CVEs.

    What should I do?

    No action required.

    None

    GKE on Azure

    Description Severity

    Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE on Azure is not affected by these CVEs.

    What should I do?

    No action required.

    None

    GKE on Bare Metal

    Description Severity

    Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE on Bare Metal is not affected by these CVEs.

    What should I do?

    No action required.

    None

    GCP-2023-001

    Published: 2023-03-01
    Updated: 2023-12-21
    Reference: CVE-2022-4696

    2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

    GKE

    Description Severity

    2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

    A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE clusters, including Autopilot clusters, are impacted. GKE clusters using GKE Sandbox are not affected.

    What should I do?

    The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your clusters and node pools to one of the following GKE versions:

    • 1.22.17-gke.3100
    • 1.23.16-gke.200
    • 1.24.9-gke.3200

    A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-4696, a use-after-free flaw was found in io_uring and ioring_op_splice in the Linux kernel. This flaw allows a local user to escalate privileges locally.

    High

    GKE on VMware

    Description Severity

    A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware running v1.12 and v1.13 is impacted. GKE on VMware running v1.14 or later is not affected.

    What should I do?

    The following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:

    • 1.12.5
    • 1.13.5

    What vulnerabilities are addressed by this patch?

    With CVE-2022-4696, a use-after-free flaw was found in io_uring and ioring_op_splice in the Linux kernel. This flaw allows a local user to escalate privileges locally.

    High

    GKE on AWS

    Description Severity

    A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS is unaffected by this vulnerability.

    What should I do?

    No action is required.

    None

    GKE on Azure

    Description Severity

    A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure is unaffected by this vulnerability.

    What should I do?

    No action is required.

    None

    GKE on Bare Metal

    Description Severity

    A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Bare Metal is unaffected by this vulnerability.

    What should I do?

    No action is required.

    None

    GCP-2022-026

    Published: 2023-01-11
    Reference: CVE-2022-3786, CVE-2022-3602

    GKE

    Description Severity

    Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL v3.0.6 that can potentially cause a crash. While this has been rated High in the NVD database, GKE endpoints use BoringSSL or an older version of OpenSSL that is not affected, so the rating has been reduced to Medium for GKE.

    What should I do?

    The following versions of GKE have been updated with code to fix this vulnerability:

    • 1.25.4-gke.1600
    • 1.24.8-gke.401
    • 1.23.14-gke.401
    • 1.22.16-gke.1300
    • 1.21.14-gke.14100

    A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-3786 and CVE-2022-3602, a buffer overrun can be triggered in X.509 certificate verification that can cause a crash that will result in a denial of service. To be exploited, this vulnerability requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer.

    Medium

    GKE on VMware

    Description Severity

    Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL v3.0.6 that can potentially cause a crash.

    What should I do?

    GKE on VMware is not affected by this CVE as it does not use an impacted version of OpenSSL.

    What vulnerabilities are addressed by this patch?

    No action required.

    None

    GKE on AWS

    Description Severity

    Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL v3.0.6 that can potentially cause a crash.

    What should I do?

    GKE on AWS is not affected by this CVE as it does not use an impacted version of OpenSSL.

    What vulnerabilities are addressed by this patch?

    No action required.

    None

    GKE on Azure

    Description Severity

    Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL v3.0.6 that can potentially cause a crash.

    What should I do?

    GKE on Azure is not affected by this CVE as it does not use an impacted version of OpenSSL.

    What vulnerabilities are addressed by this patch?

    No action required.

    None

    GKE on Bare Metal

    Description Severity

    Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL v3.0.6 that can potentially cause a crash.

    What should I do?

    GKE on Bare Metal is not affected by this CVE as it does not use an impacted version of OpenSSL.

    What vulnerabilities are addressed by this patch?

    No action required.

    None

    GCP-2022-025

    Published: 2022-12-21
    Updated: 2023-01-19, 2023-12-21
    Reference: CVE-2022-2602

    2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

    2023-01-19 Update: GKE version 1.21.14-gke.14100 is available.

    GKE

    Updated: 2023-01-19

    Description Severity

    2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

    A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. GKE clusters, including Autopilot clusters, are impacted.

    GKE clusters using GKE Sandbox are not affected.

    What should I do?

    2023-01-19 Update: Version 1.21.14-gke.14100 is available. Upgrade your node pools to this version or later.

    The following versions of GKE have been updated with code to fix this vulnerability in an upcoming release. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:

    • Container-Optimized OS:
      • 1.22.16-gke.1300 and later
      • 1.23.14-gke.401 and later
      • 1.24.7-gke.900 and later
      • 1.25.4-gke.1600 and later
    • Ubuntu:
      • 1.22.15-gke.2500 and later
      • 1.23.13-gke.900 and later
      • 1.24.7-gke.900 and later
      • 1.25.3-gke.800 and later

    A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.
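As an added example (not Google's code and not part of the bulletin), the check below compares a node pool's version against the fixed-version floors listed above for GCP-2022-025, comparing the gke patch number numerically rather than as a string; the image labels "cos" and "ubuntu", the sample pool inventory, and the placement of the 1.21.14-gke.14100 floor under both image types are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Fixed-version floors from the GCP-2022-025 bulletin above (GKE node pools).
# Each string means "this version and later" within its own minor release.
# The 1.21 entry comes from the 2023-01-19 update, which does not distinguish
# image types, so it is listed under both (assumption made for this example).
FIXED_VERSIONS: Dict[str, List[str]] = {
    "cos": [
        "1.21.14-gke.14100",
        "1.22.16-gke.1300",
        "1.23.14-gke.401",
        "1.24.7-gke.900",
        "1.25.4-gke.1600",
    ],
    "ubuntu": [
        "1.21.14-gke.14100",
        "1.22.15-gke.2500",
        "1.23.13-gke.900",
        "1.24.7-gke.900",
        "1.25.3-gke.800",
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_gke_version(version: str) -> Tuple[int, int, int, int]:
    """Split '1.22.16-gke.1300' into (1, 22, 16, 1300).

    Numeric tuples are compared, never the raw strings: as strings,
    '1.23.14-gke.1400' sorts below '1.23.14-gke.401', which would
    wrongly flag a patched node as vulnerable.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a GKE version string: {version!r}")
    major, minor, patch, gke = (int(x) for x in match.groups())
    return major, minor, patch, gke


def minor_floors(image: str, fixed=FIXED_VERSIONS) -> Dict[Tuple[int, int], Tuple[int, int]]:
    """Map (major, minor) -> (patch, gke) floor for one image type."""
    floors = {}
    for entry in fixed[image]:
        major, minor, patch, gke = parse_gke_version(entry)
        floors[(major, minor)] = (patch, gke)
    return floors


def is_patched(node_version: str, image: str, fixed=FIXED_VERSIONS) -> bool:
    """True if node_version is at or above the bulletin floor for its minor release.

    A minor release the bulletin lists no fix for is treated as unpatched,
    because the page offers nothing to upgrade to within that release.
    """
    major, minor, patch, gke = parse_gke_version(node_version)
    floor = minor_floors(image, fixed).get((major, minor))
    if floor is None:
        return False
    return (patch, gke) >= floor


# Constructed sample inventory: (pool name, image type, node version).
SAMPLE_POOLS = [
    ("default-pool", "cos", "1.24.7-gke.900"),     # exactly at the floor
    ("cos-1-23", "cos", "1.23.14-gke.1400"),       # above floor; string compare would fail
    ("ubuntu-pool", "ubuntu", "1.23.13-gke.700"),  # gke.700 < gke.900 -> unpatched
    ("old-1-21", "cos", "1.21.14-gke.9500"),       # below the 1.21 update floor
]


def unpatched_pools(pools=SAMPLE_POOLS, fixed=FIXED_VERSIONS) -> List[str]:
    """Names of pools whose node version is below the bulletin floor."""
    return [name for name, image, version in pools
            if not is_patched(version, image, fixed)]


if __name__ == "__main__":
    for name in unpatched_pools():
        print(f"{name}: below the GCP-2022-025 fixed version, upgrade the node pool")
```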

    What vulnerabilities are addressed by this patch?

    With CVE-2022-2602, a race condition between io_uring request processing and Unix socket garbage collection can cause a use-after-free vulnerability. A local attacker could use this to trigger a denial of service or possibly execute arbitrary code.

    High

    GKE on VMware

    Description Severity

    A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code.

    Versions 1.11, 1.12 and 1.13 of GKE on VMware are affected.

    What should I do?

    Upgrade your cluster to a patched version. The following versions of GKE on VMware contain code that fixes this vulnerability:

    • 1.13.2
    • 1.12.4
    • 1.11.5

    What vulnerabilities are addressed by this patch?

    With CVE-2022-2602, a race condition between io_uring request processing and Unix socket garbage collection can cause a use-after-free vulnerability. A local attacker could use this to trigger a denial of service or possibly execute arbitrary code.

    High

    GKE on AWS

    Description Severity

    A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code.

    What should I do?

    The following current and previous generation versions of GKE on AWS have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on AWS versions:

    • Current generation:
      • 1.22.15-gke.100
      • 1.23.11-gke.300
      • 1.24.5-gke.200
    • Previous generation:
      • 1.22.15-gke.1400
      • 1.23.12-gke.1400
      • 1.24.6-gke.1300

    What vulnerabilities are addressed by this patch?

    With CVE-2022-2602, a race condition between io_uring request processing and Unix socket garbage collection can cause a use-after-free vulnerability. A local attacker could use this to trigger a denial of service or possibly execute arbitrary code.

    High

    GKE on Azure

    Description Severity

    A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code.

    What should I do?

    The following versions of GKE on Azure have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:

    • 1.22.15-gke.100
    • 1.23.11-gke.300
    • 1.24.5-gke.200

    What vulnerabilities are addressed by this patch?

    With CVE-2022-2602, a race condition between io_uring request processing and Unix socket garbage collection can cause a use-after-free vulnerability. A local attacker could use this to trigger a denial of service or possibly execute arbitrary code.

    High

    GKE on Bare Metal

    Description Severity

    A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code.

    GKE on Bare Metal is not affected by this CVE as it does not bundle an operating system in its distribution.

    What should I do?

    No action required.

    None

    GCP-2022-024

    Published: 2022-11-09
    Updated: 2023-01-19
    Reference: CVE-2022-2585, CVE-2022-2588

    2023-01-19 Update: GKE version 1.21.14-gke.14100 is available.
    2022-12-16 Update: Added revised patch versions for GKE and GKE on VMware.

    GKE

    Updated: 2023-01-19

    Description Severity

    Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node. GKE clusters, including Autopilot clusters, are impacted.

    GKE clusters using GKE Sandbox are not affected.

    What should I do?

    2023-01-19 Update: Version 1.21.14-gke.14100 is available. Upgrade your node pools to this version or later.

    2022-12-16 Update: A previous version of the bulletin has been revised due to a release regression. Please manually upgrade your node pools to one of the following GKE versions:

    • 1.22.16-gke.1300 and later
    • 1.23.14-gke.401 and later
    • 1.24.7-gke.900 and later
    • 1.25.4-gke.1600 and later

    The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node-autoupgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:

    • 1.21.14-gke.9500
    • 1.24.7-gke.900

    Updates for GKE v1.22, 1.23 and 1.25 will be made available soon. This security bulletin will be updated when they become available.

    A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.

    What vulnerabilities are addressed by this patch?

    • With CVE-2022-2585, improper cleanup of timers in the POSIX CPU timer allows a use-after-free exploit depending on how timers are created and deleted.
    • With CVE-2022-2588, a use-after-free flaw was found in route4_change in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation.

    High

    GKE on VMware

    Updated: 2022-12-16

    Description Severity

    Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node.

    Versions 1.13, 1.12 and 1.11 of GKE on VMware are affected.

    What should I do?

    2022-12-16 Update: The following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:

    • 1.13.2
    • 1.12.4
    • 1.11.6

    • Note: Versions of GKE on VMware that contain Container-Optimized OS patches will be released soon. This security bulletin will be updated when the GKE on VMware versions are available for download.

    What vulnerabilities are addressed by this patch?

    • With CVE-2022-2585, improper cleanup of timers in the POSIX CPU timer allows a use-after-free exploit depending on how timers are created and deleted.
    • With CVE-2022-2588, a use-after-free flaw was found in route4_change in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation.

    High

    GKE on AWS

    Description Severity

    Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node.

    The following versions of Kubernetes on AWS may be affected:

    • 1.23: Versions older than 1.23.9-gke.800. Newer minor versions are not affected.
    • 1.22: Versions older than 1.22.12-gke.1100. Newer minor versions are not affected.

    Kubernetes v1.24 is not affected.

    What should I do?

    We recommend that you upgrade your clusters to one of the following AWS Kubernetes versions:

    • 1.23: a version later than 1.23.9-gke.800
    • 1.22: a version later than 1.22.12-gke.1100

    What vulnerabilities are being addressed?

    With CVE-2022-2585, improper cleanup of timers in the POSIX CPU timer allows a use-after-free exploit depending on how timers are created and deleted.

    With CVE-2022-2588, a use-after-free flaw was found in route4_change in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation.

    High

    GKE on Azure

    Description Severity

    Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node.

    The following versions of Kubernetes on Azure may be affected:

    • 1.23: Versions older than 1.23.9-gke.800. Newer minor versions are not affected.
    • 1.22: Versions older than 1.22.12-gke.1100. Newer minor versions are not affected.

    Kubernetes v1.24 is not affected.

    What should I do?

    We recommend that you upgrade your clusters to one of the following Azure Kubernetes versions:

    • 1.23: a version later than 1.23.9-gke.800
    • 1.22: a version later than 1.22.12-gke.1100

    What vulnerabilities are being addressed?

    With CVE-2022-2585, improper cleanup of timers in the POSIX CPU timer allows a use-after-free exploit depending on how timers are created and deleted.

    With CVE-2022-2588, a use-after-free flaw was found in route4_change in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation.

    High

    GKE on Bare Metal

    Description Severity

    Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node.

    GKE on Bare Metal is not affected by this CVE as it does not bundle an operating system in its distribution.

    What should I do?

    No action required.

    None

    GCP-2022-023

    Published: 2022-11-04
    Reference: CVE-2022-39278

    GKE

    Description Severity

    A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Anthos Service Mesh, that allows a malicious attacker to crash the control plane.

    What should I do?

    Google Kubernetes Engine (GKE) doesn't ship with Istio and isn't affected by this vulnerability. However, if you have separately installed Anthos Service Mesh or Istio on your GKE cluster, refer to GCP-2022-020, the Anthos Service Mesh security bulletin on this CVE, for more information.

    None

    GKE on VMware

    Description Severity

    A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Anthos Service Mesh in GKE on VMware, that allows a malicious attacker to crash the Istio control plane.

    What should I do?

    The following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:

    • 1.11.4
    • 1.12.3
    • 1.13.1

    What vulnerabilities are addressed by this patch?

    With vulnerability CVE-2022-39278, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker to send a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but doesn't require any authentication from the attacker.

    High

    GKE on AWS

    Description Severity

    A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Anthos Service Mesh, that allows a malicious attacker to crash the control plane.

    What should I do?

    GKE on AWS isn't affected by this vulnerability and no action is required.

    None

    GKE on Azure

    Description Severity

    A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Anthos Service Mesh, that allows a malicious attacker to crash the control plane.

    What should I do?

    GKE on Azure isn't affected by this vulnerability and no action is required.

    None

    GKE on Bare Metal

    Description Severity

    A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Anthos Service Mesh in GKE on Bare Metal, that allows a malicious attacker to crash the Istio control plane.

    What should I do?

    The following versions of GKE on Bare Metal have been updated with code to fix this vulnerability. We recommend that you upgrade clusters to one of the following GKE on Bare Metal versions:

    • 1.11.7
    • 1.12.4
    • 1.13.1

    What vulnerabilities are addressed by this patch?

    With vulnerability CVE-2022-39278, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker to send a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but doesn't require any authentication from the attacker.

    High

    GCP-2022-022-updated

    Published: 2022-12-08
    Reference: CVE-2022-20409

    GKE

    Updated: 2022-12-14

    Description Severity

    A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that can lead to local privilege escalation. Google Kubernetes Engine (GKE) v1.22, v1.23, and v1.24 clusters, including Autopilot clusters, using Container-Optimized OS versions 93 and 97 are impacted. Other supported GKE versions aren't affected. GKE clusters using GKE Sandbox are unaffected.

    What should I do?

    2022-12-14 Update: A previous version of the bulletin has been revised due to a release regression. Please manually upgrade your node pools to one of the following GKE versions:

    • 1.22.15-gke.2500 and later
    • 1.23.13-gke.900 and later
    • 1.24.7-gke.900 and later

    The following versions of GKE using Container-Optimized OS versions 93 and 97 have been updated with code to fix this vulnerability in an upcoming release. For security purposes, even if you have node auto-upgrades enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:

    • 1.22.15-gke.2300 and later
    • 1.23.13-gke.700 and later
    • 1.24.7-gke.700 and later

    A recent feature of release channels lets you apply a patch without having to unsubscribe from a channel. This feature lets you secure your nodes until the new version becomes the default for your release-specific channel.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-20409, the Linux Kernel has a vulnerability in io_identity_cow of the io_uring subsystem. There's a potential for memory corruption due to a Use-After-Free (UAF) vulnerability. A local attacker could use this memory corruption for denial of service (system crash) or possibly to execute arbitrary code.

    High

    GKE on VMware

    Updated: 2022-12-14

    Description Severity

    A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that can lead to local privilege escalation.

    What should I do?

    2022-12-14 Update: The following versions of GKE on VMware for Ubuntu have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on VMware versions:

    • 1.13.1 and later
    • 1.12.3 and later
    • 1.11.4 and later

    What vulnerabilities are addressed by this patch?

    With CVE-2022-20409, the Linux Kernel has a vulnerability in io_identity_cow of the io_uring subsystem. There's a potential for memory corruption due to a Use-After-Free (UAF) vulnerability. A local attacker could use this memory corruption for denial of service (system crash) or possibly to execute arbitrary code.

    High

    GKE on AWS

    Description Severity

    A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that could allow an unprivileged user to escalate to system execution privilege.

    What should I do?

    There's no action required. GKE on AWS doesn't use the affected versions of the Linux kernel.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-20409, the Linux Kernel has a vulnerability in io_identity_cow of the io_uring subsystem. There's a potential for memory corruption due to a Use-After-Free (UAF) vulnerability. A local attacker could use this memory corruption for denial of service (system crash) or possibly to execute arbitrary code.

    None

    GKE on Azure

    Description Severity

    A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that could allow an unprivileged user to escalate to system execution privilege.

    What should I do?

    There's no action required. GKE on Azure doesn't use the affected versions of the Linux kernel.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-20409, the Linux Kernel has a vulnerability in io_identity_cow of the io_uring subsystem. There's a potential for memory corruption due to a Use-After-Free (UAF) vulnerability. A local attacker could use this memory corruption for denial of service (system crash) or possibly to execute arbitrary code.

    None

    GKE on Bare Metal

    Description Severity

    A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that can lead to local privilege escalation.

    What should I do?

    There's no action required. GKE on Bare Metal isn't affected by this CVE as it doesn't bundle an operating system in its distribution.

    None

    GCP-2022-021

    Published: 2022-10-27
    Updated: 2023-01-19, 2023-12-21
    Reference: CVE-2022-3176

    2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

    2023-01-19 Update: GKE version 1.21.14-gke.14100 is available.
    2022-12-15 Update: Updated information that version 1.21.14-gke.9400 of Google Kubernetes Engine is pending rollout and may be superseded by a higher version number.
    2022-11-21 Update: Added patch versions for GKE on VMware, GKE on AWS, and GKE on Azure.

    GKE

    Updated: 2023-01-19, 2023-12-21

    Description Severity

    A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.

    2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

    Google Kubernetes Engine (GKE) v1.21 clusters, including Autopilot clusters, using Container-Optimized OS version 89 are impacted. Later versions of GKE aren't affected. All Linux clusters with Ubuntu are affected. GKE clusters using GKE Sandbox are unaffected.

    What should I do?

    2023-01-19 Update: Version 1.21.14-gke.14100 is available. Upgrade your node pools to this version or later.

    2022-12-15 Update: Version 1.21.14-gke.9400 is pending rollout and may be superseded by a higher version number. We will update this bulletin when the new version is available.

    The following versions of GKE have been updated with code to fix this vulnerability in an upcoming release. For security purposes, even if you have node auto-upgrades enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:

    • Container-Optimized OS:
      • 1.21.14-gke.7100 and later
    • Ubuntu:
      • 1.21.14-gke.9400 and later
      • 1.22.15-gke.2400 and later
      • 1.23.13-gke.800 and later
      • 1.24.7-gke.800 and later
      • 1.25.3-gke.700 and later

    A recent feature of release channels lets you apply a patch without having to unsubscribe from a channel. This feature lets you secure your nodes until the new version becomes the default for your release-specific channel.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-3176, the Linux Kernel has a vulnerability in the io_uring subsystem. Missing POLLFREE handling can lead to Use-After-Free (UAF) exploits that can be used for privilege escalation.

    High

    GKE on VMware

    Updated: 2022-11-21

    Description Severity

    A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.

    What should I do?

    • Versions of GKE on VMware with Container-Optimized OS are unaffected.

    2022-11-21 Update: The following versions of GKE on VMware for Ubuntu have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on VMware versions:

    • 1.12.3 and later
    • 1.13.1 and later
    • 1.11.5 and later

    Versions of GKE on VMware that contain Ubuntu patches will be released soon. This security bulletin will be updated when the GKE on VMware versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-3176, the Linux Kernel has a vulnerability in the io_uring subsystem. Missing POLLFREE handling can lead to Use-After-Free (UAF) exploits that can be used for privilege escalation.

    High

    GKE on AWS

    Updated: 2022-11-21

    Description Severity

    A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.

    What should I do?

    2022-11-21 Update: The following current and previous generation versions of GKE on AWS have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on AWS versions:

    Current generation
    • 1.21.14-gke.7100
    • 1.22.15-gke.100
    • 1.23.11-gke.300
    • 1.24.5-gke.200
    Previous generation
    • 1.22.15-gke.1400
    • 1.23.12-gke.1400
    • 1.24.6-gke.1300

    Versions of GKE on AWS that contain Ubuntu patches will be released soon. This security bulletin will be updated when the GKE on AWS versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-3176, the Linux kernel has a vulnerability in the io_uring subsystem. Missing POLLFREE handling can lead to Use-After-Free (UAF) exploits that can be used for privilege escalation.

    High

    GKE on Azure

    Updated: 2022-11-21

    Description Severity

    A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.

    What should I do?

    2022-11-21 Update: The following versions of GKE on Azure have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:

    • 1.21.14-gke.7100
    • 1.22.15-gke.100
    • 1.23.11-gke.300
    • 1.24.5-gke.200

    Versions of GKE on Azure that contain Ubuntu patches will be released soon. This security bulletin will be updated when the GKE on Azure versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-3176, the Linux kernel has a vulnerability in the io_uring subsystem. Missing POLLFREE handling can lead to Use-After-Free (UAF) exploits that can be used for privilege escalation.

    High

    GKE on Bare Metal

    Description Severity

    A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.

    What should I do?

    No action required. GKE on Bare Metal isn't affected by this CVE as it doesn't bundle an operating system in its distribution.

    None

    GCP-2022-018

    Published: 2022-08-01
    Updated: 2022-09-14, 2023-12-21
    Reference: CVE-2022-2327

    2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.

    2022-09-14 Update: Added patch versions for GKE on VMware, GKE on AWS, and GKE on Azure.

    GKE

    Updated: 2023-12-21

    Description Severity

    A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.

    Technical details

    2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

    GKE Standard clusters with Container-Optimized OS (COS) using Linux kernel version 5.10 are affected; for Autopilot clusters, see the 2023-12-21 update above. GKE clusters using Ubuntu images or using GKE Sandbox are unaffected.
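    The update above names two settings that re-expose an otherwise unaffected Autopilot workload: a seccomp profile of Unconfined and CAP_NET_ADMIN. The following check is an added example for this page, not GKE's own tooling: it walks the JSON that `kubectl get pods -A -o json` prints and reports every container (init, regular and ephemeral) that runs seccomp Unconfined or adds NET_ADMIN, plus privileged containers, which hold every capability. The sample pods are constructed, and treating an unset seccomp profile as Unconfined is an assumption of the example that you can override.

```python
"""Audit pod specs for the settings the bulletin names as re-exposing an
Autopilot workload: seccomp Unconfined and CAP_NET_ADMIN. Privileged
containers are flagged too, since privileged grants every capability.
Input is the JSON from `kubectl get pods -A -o json`; the sample pods
below are constructed for this example.
"""
import json


def _all_containers(spec):
    """Yield init, regular and ephemeral containers of a pod spec."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key) or []


def _has_cap(caps, wanted):
    """True if `wanted` (e.g. NET_ADMIN) is listed, with or without a CAP_ prefix."""
    for cap in caps:
        cap = cap.upper()
        if cap.startswith("CAP_"):
            cap = cap[4:]
        if cap == wanted:
            return True
    return False


def audit_pod(pod, default_seccomp="Unconfined"):
    """Return [(container_name, finding), ...] for one pod object.

    A container-level seccompProfile overrides the pod-level one. When neither
    is set, `default_seccomp` is assumed: on a cluster with no cluster-wide
    seccomp default an unset profile means no filter at all, so "Unconfined"
    is the conservative assumption; pass "RuntimeDefault" if your cluster
    applies that profile by default.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    findings = []
    for c in _all_containers(spec):
        sc = c.get("securityContext") or {}
        seccomp = ((sc.get("seccompProfile") or {}).get("type")
                   or pod_seccomp or default_seccomp)
        if seccomp == "Unconfined":
            findings.append((c["name"], "seccomp Unconfined"))
        if sc.get("privileged"):
            findings.append((c["name"], "privileged (grants CAP_NET_ADMIN)"))
        elif _has_cap((sc.get("capabilities") or {}).get("add") or [], "NET_ADMIN"):
            findings.append((c["name"], "CAP_NET_ADMIN added"))
    return findings


def audit_pods(pods_json, default_seccomp="Unconfined"):
    """Audit `kubectl get pods -A -o json` output.

    Returns {"namespace/name": findings} for pods that have findings only.
    """
    report = {}
    for pod in json.loads(pods_json)["items"]:
        findings = audit_pod(pod, default_seccomp)
        if findings:
            meta = pod["metadata"]
            report[f"{meta['namespace']}/{meta['name']}"] = findings
    return report


# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "app", "image": "nginx"}]}},
    {"metadata": {"namespace": "net", "name": "tuner"},
     "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "sysctl", "image": "busybox",
                              "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}},
    {"metadata": {"namespace": "debug", "name": "tracer"},
     "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
              "initContainers": [{"name": "setup", "image": "busybox",
                                  "securityContext": {"seccompProfile": {"type": "Unconfined"}}}],
              "containers": [{"name": "main", "image": "busybox"}]}},
    {"metadata": {"namespace": "kube-system", "name": "agent"},
     "spec": {"containers": [{"name": "agent", "image": "agent",
                              "securityContext": {"privileged": True}}]}},
]})

if __name__ == "__main__":
    for pod_name, findings in audit_pods(SAMPLE_PODS_JSON).items():
        for container, finding in findings:
            print(f"{pod_name} container={container}: {finding}")
```

    Note that the init container in the `debug/tracer` sample is caught even though the pod-level profile is RuntimeDefault: the container-level override is what the kubelet applies, so an audit that only reads `spec.securityContext` misses it.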

    What should I do?

    Upgrade your GKE clusters to a version that includes the fix. The Linux node images for COS have been updated along with GKE versions using those COS versions.

    For security purposes, even if you have the node autoupgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:

    COS versions

    • 1.22.12-gke.300
    • 1.23.8-gke.1900
    • 1.24.2-gke.1900


    A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you upgrade your nodes to the patched version before that version becomes the default in your selected release channel.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-2327, the Linux kernel in version 5.10 has a vulnerability in the io_uring subsystem where various requests are missing item types (flags). Using these requests without the proper item types specified can cause privilege escalation to root.

    High

    GKE on VMware

    Updated: 2022-09-14

    Description Severity

    A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.

    Clusters with a Container-Optimized OS (COS) image using GKE on VMware versions 1.10, 1.11, and 1.12 are affected.

    What should I do?

    2022-09-14 Update: The following versions of GKE on VMware contain code that fixes this vulnerability.

    • 1.10.6 or later
    • 1.11.3 or later
    • 1.12.1 or later

    Versions of GKE on VMware that contain patches will be released soon. This security bulletin will be updated when the GKE on VMware versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-2327, the Linux kernel in version 5.10 has a vulnerability in the io_uring subsystem where various requests are missing item types (flags). Using these requests without the proper item types specified can cause privilege escalation to root.

    High

    GKE on AWS

    Updated: 2022-09-14

    Description Severity

    A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.

    What should I do?

    2022-09-14 Update: The following current and previous generation versions of GKE on AWS have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on AWS versions:

    Current generation

    • 1.23.8-gke.1700
    • 1.22.12-gke.200
    • 1.21.14-gke.2100

    Previous generation

    • 1.23.8-gke.2000
    • 1.22.12-gke.300
    • 1.21.14-gke.2100

    Versions of GKE on AWS that contain patches will be released soon. This security bulletin will be updated when the GKE on AWS versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-2327, the Linux kernel in version 5.10 has a vulnerability in the io_uring subsystem where various requests are missing item types (flags). Using these requests without the proper item types specified can cause privilege escalation to root.

    High

    GKE on Azure

    Updated: 2022-09-14

    Description Severity

    A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.

    What should I do?

    2022-09-14 Update: The following versions of GKE on Azure have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:

    • 1.23.8-gke.1700
    • 1.22.12-gke.200
    • 1.21.14-gke.2100

    Versions of GKE on Azure that contain patches will be released soon. This security bulletin will be updated when the GKE on Azure versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-2327, the Linux kernel in version 5.10 has a vulnerability in the io_uring subsystem where various requests are missing item types (flags). Using these requests without the proper item types specified can cause privilege escalation to root.

    High

    Google Distributed Cloud Virtual for Bare Metal

    Description Severity

    A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node.

    What should I do?

    There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE as it does not bundle an operating system in its distribution.

    None

    GCP-2022-017

    Published: 2022-06-29
    Updated: 2022-11-22
    Reference: CVE-2022-1786
    2022-11-22 Update: Updated information about workloads using GKE Sandbox.
    2022-07-21 Update: Updated information that GKE on VMware COS images are affected.

    GKE

    Updated: 2022-11-22

    Description Severity

    2022-11-22 update: Workloads using GKE Sandbox are not affected by these vulnerabilities.


    A new vulnerability (CVE-2022-1786) has been discovered in the Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. Only clusters that run Container-Optimized OS are affected. GKE Ubuntu versions use either version 5.4 or 5.15 of the kernel and are not affected.

    What should I do?

    The versions of Linux node images for Container-Optimized OS for the following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node-autoupgrade enabled, we recommend that you manually upgrade your node pools to one of the following upcoming GKE versions:

    • 1.22.10-gke.600
    • 1.23.7-gke.1400
    • 1.24.1-gke.1400

    A recent release channels feature allows you to apply a patch without having to unsubscribe from a channel. This lets you upgrade your nodes to the patched version before that version becomes the default in your selected release channel.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-1786, a use-after-free flaw was found in the Linux kernel's io_uring subsystem. If a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on the ring, a local user can crash or escalate their privileges on the system.

    High

    GKE on VMware

    Updated: 2022-07-14

    Description Severity

    A new vulnerability (CVE-2022-1786) has been discovered in the Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node.

    What should I do?

    2022-07-21 Update: The following versions of GKE on VMware contain code that fixes this vulnerability.

    COS
    • 1.10.5 or later
    • 1.11.2 or later
    • 1.12.0 or later

    Ubuntu

    There is no action required. GKE on VMware does not use the affected versions of the Linux kernel.

    None

    GKE on AWS

    Description Severity

    A new vulnerability (CVE-2022-1786) has been discovered in the Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node.

    What should I do?

    There is no action required. GKE on AWS does not use the affected versions of the Linux kernel.

    None

    GKE on Azure

    Description Severity

    A new vulnerability (CVE-2022-1786) has been discovered in the Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node.

    What should I do?

    There is no action required. GKE on Azure does not use the affected versions of the Linux kernel.

    None

    Google Distributed Cloud Virtual for Bare Metal

    Description Severity

    A new vulnerability (CVE-2022-1786) has been discovered in the Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node.

    What should I do?

    There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE as it does not bundle an operating system in its distribution.

    None

    GCP-2022-016

    Published: 2022-06-23
    Updated: 2022-11-22
    Reference: CVE-2022-29581, CVE-2022-29582, CVE-2022-1116
    2022-11-22 Update: Added information about workloads running in Autopilot clusters.
    2022-07-29 Update: Updated versions for GKE on VMware, GKE on AWS, and GKE on Azure.

    GKE

    Updated: 2022-11-22

    Description Severity

    2022-11-22 update: Autopilot clusters are not affected by CVE-2022-29581 but are vulnerable to CVE-2022-29582 and CVE-2022-1116.


    2022-07-29 update: Pods using GKE Sandbox are not vulnerable to these vulnerabilities.


    Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. All Linux clusters (Container-Optimized OS and Ubuntu) are affected.

    What should I do?

    The versions of Linux node images for both Container-Optimized OS and Ubuntu for the following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:

    • Container-Optimized OS:
      • 1.19.16-gke.13800
      • 1.20.15-gke.8000
      • 1.21.12-gke.1500
      • 1.22.9-gke.1300
      • 1.23.6-gke.1500
      • 1.24.1-gke.1400
    • Ubuntu:
      • 1.20.15-gke.9600
      • 1.21.13-gke.900
      • 1.22.10-gke.600
      • 1.23.7-gke.1400
      • 1.24.1-gke.1400

    A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you upgrade your nodes to the patched version before that version becomes the default in your selected release channel.
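    The version lists above are per image family and per minor: a node is fixed only when it is at or above the listed version for its own image and minor, so 1.22.9-gke.1300 is patched on Container-Optimized OS but not on Ubuntu, and a patched 1.22 does not make an older 1.23 safe. The following check is an added example for this page, not Google's code. It assumes that GKE nodes report their full version in `status.nodeInfo.kubeletVersion` (for example v1.23.6-gke.1500) and that `status.nodeInfo.osImage` distinguishes Container-Optimized OS from Ubuntu; the fix table copies the two lists above, and the node sample is constructed.

```python
"""Check GKE node versions against the patched versions in GCP-2022-016.

Input is the JSON that `kubectl get nodes -o json` prints. The FIXED table
copies the bulletin's COS and Ubuntu lists; the node sample is constructed.
"""
import json
import re

# Patched versions from the bulletin, one entry per minor per image family.
FIXED = {
    "cos": ["1.19.16-gke.13800", "1.20.15-gke.8000", "1.21.12-gke.1500",
            "1.22.9-gke.1300", "1.23.6-gke.1500", "1.24.1-gke.1400"],
    "ubuntu": ["1.20.15-gke.9600", "1.21.13-gke.900", "1.22.10-gke.600",
               "1.23.7-gke.1400", "1.24.1-gke.1400"],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_gke_version(text):
    """Turn '1.22.9-gke.1300' or 'v1.22.9-gke.1300' into (1, 22, 9, 1300).

    Tuple comparison then orders versions the way GKE does: the Kubernetes
    patch level wins over the -gke build number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a GKE version: {text!r}")
    return tuple(int(g) for g in m.groups())


def image_family(os_image):
    """Map a node's osImage string to the bulletin's two image families."""
    if "Container-Optimized OS" in os_image:
        return "cos"
    if os_image.startswith("Ubuntu"):
        return "ubuntu"
    return None


def fixed_version_for(family, minor):
    """Return the patched version tuple for this family and 1.<minor>, or None."""
    for v in FIXED[family]:
        t = parse_gke_version(v)
        if t[1] == minor:
            return t
    return None


def check_node(kubelet_version, os_image):
    """Return (verdict, detail) for one node.

    'patched' when at or above the fixed version of the node's own minor,
    'vulnerable' when below it, 'unknown' when the image family is not one
    the bulletin covers or the minor has no listed fix. The comparison never
    crosses minors: a fixed 1.22 says nothing about a 1.23 node.
    """
    family = image_family(os_image)
    if family is None:
        return "unknown", f"image family not covered: {os_image}"
    ver = parse_gke_version(kubelet_version)
    fixed = fixed_version_for(family, ver[1])
    if fixed is None:
        return "unknown", f"no patched {family} version listed for 1.{ver[1]}"
    if ver >= fixed:
        return "patched", kubelet_version
    fixed_text = f"{fixed[0]}.{fixed[1]}.{fixed[2]}-gke.{fixed[3]}"
    return "vulnerable", f"{kubelet_version} < {fixed_text}"


def check_nodes(nodes_json):
    """Run check_node over `kubectl get nodes -o json`; returns {name: (verdict, detail)}."""
    results = {}
    for node in json.loads(nodes_json)["items"]:
        info = node["status"]["nodeInfo"]
        results[node["metadata"]["name"]] = check_node(info["kubeletVersion"], info["osImage"])
    return results


# Constructed sample in the shape of `kubectl get nodes -o json` output.
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "gke-prod-cos-pool-a1b2"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.22.8-gke.200",
                             "osImage": "Container-Optimized OS from Google"}}},
    {"metadata": {"name": "gke-prod-cos-pool-c3d4"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.22.9-gke.1300",
                             "osImage": "Container-Optimized OS from Google"}}},
    {"metadata": {"name": "gke-prod-ubuntu-pool-e5f6"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.22.9-gke.1300",
                             "osImage": "Ubuntu 20.04.4 LTS"}}},
    {"metadata": {"name": "gke-prod-ubuntu-pool-g7h8"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.19.16-gke.14000",
                             "osImage": "Ubuntu 20.04.4 LTS"}}},
]})

if __name__ == "__main__":
    for name, (verdict, detail) in sorted(check_nodes(SAMPLE_NODES_JSON).items()):
        print(f"{name}: {verdict} ({detail})")
```

    A pool that comes back `vulnerable` is upgraded with `gcloud container clusters upgrade CLUSTER --node-pool=POOL --cluster-version=VERSION`, using the patched version for that pool's image and minor; on a release channel this is the manual step the paragraph above refers to.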

    What vulnerabilities are addressed by this patch?

    With CVE-2022-29582, the Linux kernel in versions prior to 5.17.3 has a use-after-free due to a race condition in io_uring timeouts.

    CVE-2022-29581 and CVE-2022-1116 are vulnerabilities where a local attacker can cause memory corruption in io_uring or net/sched in the Linux kernel to escalate privileges to root.

    High

    GKE on VMware

    Updated: 2022-07-29

    Description Severity

    2022-07-29 Update: The following versions of GKE on VMware contain code that fixes these vulnerabilities.

    • 1.9.7 or later
    • 1.10.5 or later
    • 1.11.2 or later
    • 1.12.0 or later


    Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. These vulnerabilities affect GKE on VMware v1.9 and later for Container-Optimized OS and Ubuntu images.

    What should I do?

    Versions of GKE on VMware that contain patches will be released soon. This security bulletin will be updated when the GKE on VMware versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-29582, the Linux kernel in versions prior to 5.17.3 has a use-after-free due to a race condition in io_uring timeouts.

    CVE-2022-29581 and CVE-2022-1116 are vulnerabilities where a local attacker can cause memory corruption in io_uring or net/sched in the Linux kernel to escalate privileges to root.

    High

    GKE on AWS

    Updated: 2022-07-29

    Description Severity

    2022-07-29 Update: The following current and previous generation versions of GKE on AWS have been updated with code to fix these vulnerabilities. We recommend that you upgrade your nodes to one of the following GKE on AWS versions:

    Current generation:

    • 1.23.7-gke.1300
    • 1.22.10-gke.1500
    • 1.21.11-gke.1900
    Previous generation:
    • 1.23.7-gke.1500
    • 1.22.10-gke.1500
    • 1.21.13-gke.1600

    Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. These vulnerabilities affect all versions of GKE on AWS.

    What should I do?

    Versions of GKE on AWS that contain patches will be released soon. This security bulletin will be updated when the GKE on AWS versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-29582, the Linux kernel in versions prior to 5.17.3 has a use-after-free due to a race condition in io_uring timeouts.

    CVE-2022-29581 and CVE-2022-1116 are vulnerabilities where a local attacker can cause memory corruption in io_uring or net/sched in the Linux kernel to escalate privileges to root.

    High

    GKE on Azure

    Description Severity

    2022-07-29 Update: The following versions of GKE on Azure have been updated with code to fix these vulnerabilities. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:

    • 1.23.7-gke.1300
    • 1.22.10-gke.1500
    • 1.21.11-gke.1900


    Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. These vulnerabilities affect all versions of GKE on Azure.

    What should I do?

    Versions of GKE on Azure that contain patches will be released soon. This security bulletin will be updated when the GKE on Azure versions are available for download.

    What vulnerabilities are addressed by this patch?

    With CVE-2022-29582, the Linux kernel in versions prior to 5.17.3 has a use-after-free due to a race condition in io_uring timeouts.

    CVE-2022-29581 and CVE-2022-1116 are vulnerabilities where a local attacker can cause memory corruption in io_uring or net/sched in the Linux kernel to escalate privileges to root.

    High

    Google Distributed Cloud Virtual for Bare Metal

    Description Severity

    Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node.

    What should I do?

    There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by this vulnerability as it does not bundle an operating system in its distribution.

    None

    GCP-2022-014

    Published: 2022-04-26
    Updated: 2022-11-22
    2022-11-22 Update: Added information about workloads running in Autopilot clusters.
    2022-05-12 Update: Updated patch versions for GKE on AWS and GKE on Azure.
    Reference: CVE-2022-1055, CVE-2022-27666

    GKE

    Updated: 2022-11-22

    Description Severity

    2022-11-22 update: GKE Autopilot clusters and workloads running in GKE Sandbox are unaffected by these vulnerabilities.


    Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu).

    Technical details

    In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in the container to escalate privileges to root on the node.

    In CVE-2022-27666, a heap buffer overflow in esp_output_head()/esp6_output_head() (the IPsec ESP transformation code) allows a local attacker in the container to escalate privileges to root on the node.

    What should I do?

    The versions of Linux node images for the following versions of GKE have been updated with code to fix these vulnerabilities. Upgrade your clusters to one of the following upcoming GKE versions:

    • 1.19.16-gke.11000 and later
    • 1.20.15-gke.5200 and later
    • 1.21.11-gke.1100 and later
    • 1.22.8-gke.200 and later
    • 1.23.5-gke.1500 and later

    What vulnerabilities are addressed by this patch?

    High

    GKE on VMware

    Description Severity

    Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu).

    Technical details

    In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in the container to escalate privileges to root on the node.

    In CVE-2022-27666, a heap buffer overflow in esp_output_head()/esp6_output_head() (the IPsec ESP transformation code) allows a local attacker in the container to escalate privileges to root on the node.

    What should I do?

    Upgrade your cluster to a patched version. The following GKE on VMware versions or newer contain the fix for this vulnerability:

    • 1.9.6 (upcoming)
    • 1.10.3
    • 1.11.0 (upcoming)

    What vulnerabilities are addressed by this patch?

    High

    GKE on AWS

    Updated: 2022-05-12

    Description Severity

    Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu).

    Technical details

    In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in the container to escalate privileges to root on the node.

    In CVE-2022-27666, a heap buffer overflow in esp_output_head()/esp6_output_head() (the IPsec ESP transformation code) allows a local attacker in the container to escalate privileges to root on the node.

    What should I do?

    2022-05-12 Update: The following current and previous generation versions of GKE on AWS have been updated with code to fix these vulnerabilities. We recommend that you upgrade your nodes to one of the following GKE on AWS versions:

    Current generation
    • 1.21.11-gke.1100
    • 1.22.8-gke.1300
    Previous generation
    • 1.20.15-gke.5200
    • 1.21.11-gke.1100
    • 1.22.8-gke.1300

    Upgrade your cluster to a patched version. Patches will be available in an upcoming release. This bulletin will be updated when they are available.

    What vulnerabilities are addressed by this patch?

    High

    GKE on Azure

    Updated: 2022-05-12

    Description Severity

    Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu).

    Technical details

    In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in the container to escalate privileges to root on the node.

    In CVE-2022-27666, a heap buffer overflow in esp_output_head()/esp6_output_head() (the IPsec ESP transformation code) allows a local attacker in the container to escalate privileges to root on the node.

    What should I do?

    2022-05-12 Update: The following versions of GKE on Azure have been updated with code to fix these vulnerabilities. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:

    • 1.21.11-gke.1100
    • 1.22.8-gke.1300

    Upgrade your cluster to a patched version. Patches will be available in an upcoming release. This bulletin will be updated when they are available.

    What vulnerabilities are addressed by this patch?

    High

    Google Distributed Cloud Virtual for Bare Metal

    Description Severity

    Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu).

    Technical details

    In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in the container to escalate privileges to root on the node.

    In CVE-2022-27666, a heap buffer overflow in esp_output_head()/esp6_output_head() (the IPsec ESP transformation code) allows a local attacker in the container to escalate privileges to root on the node.

    What should I do?

    There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by these CVEs as it does not include Linux as part of its package. You should ensure that the node images you use are updated to versions that contain the fixes for CVE-2022-1055 and CVE-2022-27666.

    What vulnerabilities are addressed by this patch?