Security bulletins

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.1478000
• 1.28.14-gke.1099000
• 1.29.9-gke.1177000
• 1.30.5-gke.1145000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

What should I do?

2024-10-15 Update: The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:

• 1.30.100-gke.96
• 1.29.600-gke.109
• 1.28.1000-gke.59

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-45016

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GKE does not use the CUPS printing system and is not affected.

What should I do?

No action required

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GDC software for VMware does not use the CUPS printing system and is not affected.

What should I do?

No action required

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GKE on AWS does not use the CUPS printing system and is not affected.

What should I do?

No action required

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GKE on Azure does not use the CUPS printing system and is not affected.

What should I do?

No action required

A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it.

GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

What should I do?

No action required

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

Any Kubernetes environment with Windows nodes is affected. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

Affected GKE versions

• 1.27.15 and earlier
• 1.28.11 and earlier
• 1.29.6 and earlier
• 1.30.2 and earlier

What should I do?

The following versions of GKE have been updated to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:

• 1.27.16-gke.1008000
• 1.28.12-gke.1052000
• 1.29.7-gke.1008000
• 1.30.3-gke.1225000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

What vulnerabilities are being addressed?

CVE-2024-5321

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

Any Kubernetes environment with Windows nodes is affected. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

What should I do?

Patch versions for GDC software for VMware are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are being addressed?

CVE-2024-5321

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

GKE on AWS clusters do not support Windows nodes and are not affected.

What should I do?

No action required

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

GKE on Azure clusters do not support Windows nodes and are not affected.

What should I do?

No action required

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and AUTHORITY\Authenticated Users may be able to modify container logs.

GDC software for bare metal clusters do not support Windows nodes and are not affected.

What should I do?

No action required

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GKE does not support IPv6 on windows and is not affected by this CVE. No action is required.

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GDC software for VMware does not support IPv6 on windows and is not affected by this CVE. No action is required.

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GKE on AWS is not affected by this CVE. No action is required.

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GKE on Azure is not affected by this CVE. No action is required.

A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.

What should I do?

GDC (bare metal) isn't affected by this CVE. No action is required.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-11-01 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1175000
• 1.29.9-gke.1341000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.1008000
• 1.28.12-gke.1052000
• 1.29.7-gke.1008000
• 1.30.3-gke.1225000
• 1.31.0-gke.1058000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

What should I do?

2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.28.1100-gke.91
• 1.30.200-gke.101
• 1.29.600-gke.109

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36978

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1175000
• 1.29.9-gke.1341000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.16-gke.1008000
• 1.28.12-gke.1052000
• 1.29.7-gke.1008000
• 1.30.3-gke.1225000
• 1.31.0-gke.1058000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

What should I do?

2024-10-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.700-gke.110
• 1.28.1100-gke.91
• 1.30.200-gke.101

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-41009

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1175000
• 1.29.9-gke.1341000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.15-gke.1125000
• 1.28.11-gke.1170000
• 1.29.6-gke.1137000
• 1.30.3-gke.1225000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

What should I do?

2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.30.200-gke.101
• 1.29.600-gke.109
• 1.28.1100-gke.91

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-39503

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-21 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1051000
• 1.28.12-gke.1052000
• 1.29.7-gke.1174000
• 1.30.3-gke.1225000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.14-gke.1093000
• 1.28.10-gke.1141000
• 1.29.5-gke.1192000
• 1.30.2-gke.1394000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

What should I do?

2024-09-19 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.400
• 1.28.900

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26925

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1576000
• 1.28.14-gke.1175000
• 1.29.9-gke.1341000
• 1.30.5-gke.1355000
• 1.31.1-gke.1678000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.14-gke.1093000
• 1.28.10-gke.1141000
• 1.29.5-gke.1192000
• 1.30.2-gke.1394000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

What should I do?

2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.30.200-gke.101
• 1.29.600-gke.109
• 1.28.1100-gke.91

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-36972

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-10-02 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1287000
• 1.28.13-gke.1042000
• 1.29.8-gke.1096000
• 1.30.4-gke.1476000
• 1.30.4-gke.1476000
• 1.31.0-gke.1577000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1360000
• 1.27.14-gke.1022000
• 1.28.9-gke.1209000
• 1.29.4-gke.1542000
• 1.30.2-gke.1394000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

What should I do?

2024-09-20 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.30.200
• 1.29.500
• 1.28.1000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26921

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

2024-07-18 Update: The original version of this bulletin incorrectly stated that Autopilot clusters were impacted. Autopilot clusters in the default configuration aren't impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow the CAP_NET_ADMIN capability.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.13-gke.1166000
• 1.28.9-gke.1209000
• 1.29.4-gke.1542000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26809

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-19 Update: The following versions of GKE contain code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000
• 1.30.2-gke.1394000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1300000
• 1.27.13-gke.1166000
• 1.28.9-gke.1209000
• 1.29.4-gke.1542000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

What should I do?

2024-09-16 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.200
• 1.28.700
• 1.16.11

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52654
• CVE-2023-52656

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

2024-07-03 Update: An expedited rollout is in progress and is expected to make new patch versions available across all zones by July 3, 2024 at 5 PM US and Canadian Pacific Daylight Time (UTC-7). To get a notification as soon as a patch is available for your specific cluster, use cluster notifications.

2024-07-02 Update: This vulnerability affects both Autopilot mode and Standard mode clusters. Each section that follows will tell you the modes to which that section applies.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

All supported versions of Container Optimized OS and Ubuntu images on GKE run versions of OpenSSH that are vulnerable to this issue.

GKE clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.

The GKE control plane is not vulnerable to this issue.

What should I do?

2024-07-03 Update: Patch versions for GKE

An expedited rollout is in progress and is expected to make new patch versions available across all zones by July 3, 2024 at 5 PM US and Canadian Pacific Daylight Time (UTC-7).

Clusters and nodes with autoupgrade enabled will begin upgrading as the week progresses, but due to the severity of the vulnerability we recommend upgrading manually as follows to get patches as fast as possible.

For both Autopilot and Standard clusters, upgrade your control plane to a patched version. Additionally, for Standard mode clusters, upgrade your node pools to a patched version. Autopilot clusters will begin upgrading your nodes to match the control plane version as soon as possible.

Patched GKE versions are available for every supported version to minimize the changes necessary to apply the patch. The version number of each new version is an increment on the final digit in the version number of a corresponding existing version. For example, if you are on 1.27.14-gke.1100000, you will upgrade to 1.27.14-gke.1100002 to get the fix with the smallest possible change. The following patched GKE versions are available:

• 1.26.15-gke.1090004
• 1.26.15-gke.1191001
• 1.26.15-gke.1300001
• 1.26.15-gke.1320002
• 1.26.15-gke.1381001
• 1.26.15-gke.1390001
• 1.26.15-gke.1404002
• 1.26.15-gke.1469001
• 1.27.13-gke.1070002
• 1.27.13-gke.1166001
• 1.27.13-gke.1201002
• 1.27.14-gke.1022001
• 1.27.14-gke.1042001
• 1.27.14-gke.1059002
• 1.27.14-gke.1100002
• 1.27.15-gke.1012003
• 1.28.9-gke.1069002
• 1.28.9-gke.1209001
• 1.28.9-gke.1289002
• 1.28.10-gke.1058001
• 1.28.10-gke.1075001
• 1.28.10-gke.1089002
• 1.28.10-gke.1148001
• 1.28.11-gke.1019001
• 1.29.4-gke.1043004
• 1.29.5-gke.1060001
• 1.29.5-gke.1091002
• 1.29.6-gke.1038001
• 1.30.1-gke.1329003
• 1.30.2-gke.1023004

To check whether a patch is available in your cluster zone or region, run the following command:

gcloud container get-server-config --location=LOCATION

Replace LOCATION with your zone or region.

2024-07-02 Update: Both Autopilot mode and Standard mode clusters should be upgraded as soon as possible after patch versions are available.

A patched GKE version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications. We recommend working through the following steps to check your cluster's exposure, and applying the mitigations described, as necessary.

Determine whether your nodes have public IP addresses

2024-07-02 Update: This section applies to both Autopilot and Standard clusters.

If a cluster is created with enable-private-nodes, nodes will be private, which mitigates the vulnerability by removing exposure to the Internet. Run the following command to determine if your cluster has private nodes enabled:

gcloud container clusters describe $CLUSTER_NAME \
--format="value(privateClusterConfig.enablePrivateNodes)"

If the return value is True, all nodes are private nodes for this cluster and the vulnerability is mitigated. If the value is empty or false, continue on to apply one of the mitigations in the following sections.

To find all clusters originally created with public nodes, use this Cloud Asset Inventory query in the project or organization:

SELECT
  resource.data.name AS cluster_name,
  resource.parent AS project_name,
  resource.data.privateClusterConfig.enablePrivateNodes
FROM
  `container_googleapis_com_Cluster`
WHERE
  resource.data.privateClusterConfig.enablePrivateNodes is null OR
  resource.data.privateClusterConfig.enablePrivateNodes = false

Disallow SSH to the cluster nodes

2024-07-02 Update: This section applies to both Autopilot and Standard clusters.

The default network is pre-populated with a default-allow-ssh firewall rule to allow SSH access from the public Internet. To remove this access, you can:

• Optionally create rules to allow any SSH access you need from trusted networks to GKE nodes or other Compute Engine VMs in the project.
• Disable the default firewall rule with the following command:
  gcloud compute firewall-rules update default-allow-ssh --disabled --project=$PROJECT

If you have created any other firewall rules that may allow SSH through TCP on port 22, disable them, or limit the source IPs to trusted networks.

Verify that you can no longer SSH to the cluster nodes from the Internet. This firewall configuration mitigates the vulnerability.

Convert public node pools to private

2024-07-02 Update: For Autopilot clusters originally created as public clusters, you can place your workloads on private nodes by using nodeSelectors. However, Autopilot nodes that run system workloads on clusters that were originally created as public clusters will still be public nodes and should be protected by using the firewall changes described in the preceding section.

To best protect clusters originally created with public nodes, we recommend first disallowing SSH through the firewall as already described. If you are not able to disallow SSH through the firewall rules, you can convert public node pools on GKE Standard clusters to private by following this guidance to isolate node pools.

Change SSHD configuration

2024-07-02 Update: This section only applies to Standard clusters. Autopilot workloads aren't allowed to modify node configuration.

If none of these mitigations can be applied, we have also published a daemonset that sets SSHD LoginGraceTime to zero, and restarts the SSH daemon. This daemonset can be applied to the cluster to mitigate the attack. Note that this configuration may increase the risk of denial of service attacks and may cause issues with legitimate SSH access. This daemonset should be removed after a patch has been applied.

2024-07-11 Update: The following versions of GDC software for VMware have been updated with code to fix this vulnerability. Upgrade your admin workstation, admin clusters, and user clusters (including node pools) to one of the following versions or later. For instructions, see Upgrade a cluster or node pool.

• 1.16.10-gke.36
• 1.28.700-gke.151
• 1.29.200-gke.245

The 2024-07-02 update to this bulletin incorrectly stated that all supported versions of Ubuntu images on GDC software for VMware run versions of OpenSSH that are vulnerable to this issue. Ubuntu images on GDC software for VMware version 1.16 clusters run versions of OpenSSH that are not vulnerable to this issue. Ubuntu images in GDC software for VMware 1.28 and 1.29 are vulnerable. Container-Optimized OS images on all supported versions of GDC software for VMware are vulnerable to this issue.

2024-07-02 Update: All supported versions of Container-Optimized OS and Ubuntu images on GDC software for VMware run versions of OpenSSH that are vulnerable to this issue.

GDC software for VMware clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

What should I do?

2024-07-02 Update: A patched GDC software for VMware version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you apply the following mitigations as necessary.

Disallow SSH to the cluster nodes

You can change your infrastructure network setup to disallow SSH connectivity from untrusted sources, such as the public Internet.

Change sshd configuration

If you can't apply the preceding mitigation, we have published a DaemonSet that sets the sshd LoginGraceTime to zero and restarts the SSH daemon. This DaemonSet can be applied to the cluster to mitigate the attack. Note that this configuration might increase the risk of denial of service attacks and might cause issues with legitimate SSH access. Remove this DaemonSet after a patch has been applied.

2024-07-11 Update: The following versions of GKE on AWS have been updated with code to fix this vulnerability:

• 1.27.14-gke.1200
• 1.28.10-gke.1300
• 1.29.5-gke.1100

Upgrade your GKE on AWS control plane and node pools to one of these patched versions or later. For instructions, see Upgrade your AWS cluster version and Update a node pool.

2024-07-02 Update: All supported versions of Ubuntu images on GKE on AWS run versions of OpenSSH that are vulnerable to this issue.

GKE on AWS clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

What should I do?

2024-07-02 Update: A patched GKE on AWS version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you work through the following steps to check your cluster's exposure, and apply the described mitigations as necessary.

Determine whether your nodes have public IP addresses

GKE on AWS doesn't provision any machine with either public IP addresses or with firewall rules that allow traffic to port 22 by default. However, depending on your subnet configuration, machines can automatically get a public IP address during provisioning.

To check whether nodes are provisioned with public IP addresses, look at the configuration of the subnet that's associated with your AWS node pool resource.

Disallow SSH to the cluster nodes

Even though GKE on AWS doesn't allow traffic on port 22 on any node by default, customers can attach additional security groups to node pools, enabling inbound SSH traffic.

We recommend that you remove or scope down corresponding rules from the provided security groups.

Convert public node pools to private

To best protect clusters with public nodes, we recommend first disallowing SSH through your security group, as described in the previous section. If you can't disallow SSH through the security group rules, you can convert public node pools to private by disabling the option to automatically assign public IPs to machines within a subnet and reprovisioning the node pool.

2024-07-11 Update: The following versions of GKE on Azure have been updated with code to fix this vulnerability:

• 1.27.14-gke.1200
• 1.28.10-gke.1300
• 1.29.5-gke.1100

Upgrade your GKE on Azure control plane and node pools to one of these patched versions or later. For instructions, see Upgrade your Azure cluster version and Update a node pool.

2024-07-02 Update: All supported versions of Ubuntu images on GKE on Azure run versions of OpenSSH that are vulnerable to this issue.

GKE on Azure clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

What should I do?

2024-07-02 Update: A patched GKE on Azure version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you work through the following steps to check your cluster's exposure, and apply the described mitigations as necessary.

Determine whether your nodes have public IP addresses

GKE on Azure doesn't provision any machine with either public IP addresses or with firewall rules that allow traffic to port 22 by default. To review your Azure configuration to check whether there are any public IP addresses configured on your GKE on Azure cluster, run the following command:

az network public-ip list -g CLUSTER_RESOURCE_GROUP_NAME -o tsv

Disallow SSH to the cluster nodes

Even though GKE on Azure doesn't allow traffic on port 22 on any node by default, customers can update NetworkSecurityGroup rules to node pools, enabling inbound SSH traffic from the public internet.

We strongly recommend that you review the Network Security Groups (NSGs) associated with your Kubernetes clusters. If an NSG rule exists that allows unrestricted inbound traffic on port 22 (SSH), do one of the following:

• Remove the rule entirely: If SSH access to the cluster nodes isn't required from the internet, remove the rule to eliminate potential attack vectors.
• Scope down the rule: Restrict inbound access on port 22 to only the specific IP addresses or ranges that require it. This minimizes the exposed surface for potential attacks.

Convert public node pools to private

To best protect clusters with public nodes, we recommend first disallowing SSH through your security group, as described in the previous section. If you can't disallow SSH through the security group rules, you can convert public node pools to private by removing the public IP addresses associated with the VMs.

To remove a public IP address from a VM and replace it with a private IP address configuration, see Dissociate a public IP address from a an Azure VM.

Impact: Any existing connections using the public IP address will be disrupted. Ensure that you have alternative access methods in place, like a VPN or Azure Bastion.

2024-07-02 Update: The original version of this bulletin for GDC software for bare metal incorrectly stated that patch versions were in progress. GDC software for bare metal is not directly affected because it doesn't manage the operating system SSH daemon or configuration. Patch versions are therefore the responsibility of the operating system provider, as described in the What should I do? section.

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.

What should I do?

2024-07-02 Update: Contact your OS provider to obtain a patch for the operating systems in use with GDC software for bare metal.

Until you've applied the OS vendor patch, ensure that public reachable machines don't allow SSH connections from the internet. If that isn't possible, an alternative is to set the LoginGraceTime to zero and restart the sshd server:

grep "^LoginGraceTime" /etc/ssh/sshd_config
            LoginGraceTime 0

Note that this configuration change might increase the risk of denial of service attacks and may cause issues with legitimate SSH access.

Original 2024-07-01 text (see the preceding 2024-07-02 update for a correction):

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-20 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1051000
• 1.28.12-gke.1052000
• 1.29.7-gke.1174000
• 1.30.3-gke.1225000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1360000
• 1.27.14-gke.1022000
• 1.28.9-gke.1289000
• 1.29.5-gke.1010000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

What should I do?

2024-09-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.400
• 1.28.900

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26923

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-06 Update: Added patch versions for Ubuntu node pools on GKE.

The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.15-gke.1252000
• 1.28.11-gke.1260000
• 1.29.6-gke.1326000
• 1.30.2-gke.1394003

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1360000
• 1.27.14-gke.1022000
• 1.28.9-gke.1289000
• 1.29.5-gke.1010000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

What should I do?

2024-09-17 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.29.400
• 1.28.800
• 1.16.11

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26924

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.9-gke.1209000
• 1.29.4-gke.1542000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26584

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000
• 1.30.2-gke.1394000

The following version of GKE is updated with code to fix this vulnerability on Container-Optimized OS. Upgrade your Container-Optimized OS node pools to the following patch version or later:

• 1.27.15-gke.1125000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.9-gke.1209000
• 1.29.4-gke.1542000

The following minor versions are affected but don't have a patch version available. We'll update this bulletin when patch versions are available:

• 1.26
• 1.27

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26584

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-10 Update: The following versions of GKE are updated with code to fix this vulnerability. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1444000
• 1.27.14-gke.1096000
• 1.28.10-gke.1148000
• 1.29.5-gke.1041001
• 1.30.1-gke.1156001

For minor versions 1.26 and 1.27, upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1404002
• 1.27.14-gke.1059002

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-26583

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.26.15-gke.1381000
• 1.27.14-gke.1022000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

What should I do?

2024-09-26 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.28.900-gke.113
• 1.29.400-gke.8

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2022-23222

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE isn't affected by this vulnerability. No action is required.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE on VMware doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE on VMware isn't affected by this vulnerability. No action is required.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE on AWS doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE on AWS isn't affected by this vulnerability. No action is required.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE on Azure doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE on Azure isn't affected by this vulnerability. No action is required.

A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected.

GKE on Bare Metal doesn't use a vulnerable version of Fluent Bit, and is unaffected.

What should I do?

GKE on Bare Metal isn't affected by this vulnerability. No action is required.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000
• 1.30.2-gke.1394000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.13-gke.1166000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-52620

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-19 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.16-gke.1051000
• 1.28.12-gke.1052000
• 1.29.7-gke.1174000
• 1.30.3-gke.1225000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.13-gke.1166000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26642

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-05-22 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.26.15-gke.1300000
• 1.27.13-gke.1011000
• 1.28.9-gke.1209000
• 1.29.4-gke.1542000
• 1.30.0-gke.1712000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.16-gke.1596000
• 1.26.14-gke.1076000
• 1.27.11-gke.1202000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1300000
• 1.28.9-gke.1209000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26581

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

2024-05-09 Update: Corrected severity from Medium to High. The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-05-15 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.26.15-gke.1323000
• 1.27.13-gke.1206000
• 1.28.10-gke.1000000
• 1.29.3-gke.1282004
• 1.30.0-gke.1584000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.8-gke.1067000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

What should I do?

2024-09-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.28.600
• 1.16.9

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26808

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

2024-05-09 Update: Corrected severity from Medium to High.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-08-06 Update: Added patch versions for Ubuntu node pools on GKE.

The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.27.15-gke.1252000
• 1.28.11-gke.1260000
• 1.29.6-gke.1326000
• 1.30.2-gke.1394003

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.8-gke.1067000
• 1.28.8-gke.1095000
• 1.29.3-gke.1093000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26643

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.26.15-gke.1469000
• 1.27.14-gke.1100000
• 1.28.10-gke.1148000
• 1.29.6-gke.1038000
• 1.30.2-gke.1394000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.16-gke.1759000
• 1.26.15-gke.1158000
• 1.27.12-gke.1190000
• 1.28.8-gke.1175000
• 1.29.3-gke.1282000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-26585

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected.

GKE Autopilot and Standard clusters are affected.

What should I do?

2024-04-24 Update: Added patch versions for GKE.

The following versions of GKE include the Golang security patches to fix this vulnerability. Upgrade your GKE clusters to the following versions or later:

• 1.25.16-gke.1759000
• 1.26.15-gke.1158000
• 1.27.12-gke.1190000
• 1.28.8-gke.1175000
• 1.29.3-gke.1282000

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

Mitigate by configuring authorized networks for control plane access:

You can mitigate your clusters from this class of attacks by configuring authorized networks. Follow the instructions to enable authorized networks for an existing cluster.

To learn more about how authorized networks control access to the control plane, see How authorized networks work. To see the default authorized network access, view the table in the Access to control plane endpoints section.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

2024-07-17 Update: Added patch versions for GKE on VMware.

The following versions of GKE on VMware include code to fix this vulnerability. Upgrade your GKE on VMware clusters to the following versions or later:

• 1.29.0
• 1.28.500
• 1.16.8

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on VMware versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on AWS versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on Azure versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

2024-07-09 Update: Added patch versions for GKE on Bare Metal.

The following versions of GKE on Bare Metal include code to fix this vulnerability. Upgrade your GKE on Bare Metal clusters to the following versions or later:

• 1.29.100
• 1.28.600
• 1.16.9

The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on Bare Metal versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on Kubernetes control plane.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-05-06 Update: The following versions of GKE are updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to the following versions or later.

• 1.26.15-gke.1158000
• 1.27.12-gke.1190000
• 1.28.8-gke.1175000
• 1.29.3-gke.1093000

2024-04-04 Update: Corrected minimum versions for GKE Container-Optimized OS node pools.

The minimum GKE versions containing the Container-Optimized OS fixes listed previously were incorrect. The following versions of GKE are updated with code to fix this vulnerability on Container-Optimized OS. Upgrade your Container-Optimized OS node pools to the following versions or later:

• 1.25.16-gke.1520000
• 1.26.13-gke.1221000
• 1.27.10-gke.1243000
• 1.28.8-gke.1083000
• 1.29.3-gke.1054000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.16-gke.1518000
• 1.26.13-gke.1219000
• 1.27.10-gke.1240000
• 1.28.6-gke.1433000
• 1.29.1-gke.1716000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-1085

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3611

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1014001
• 1.27.3-gke.1001002
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3776

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.3-gke.1001002
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-3610

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.10-gke.1149000
• 1.28.6-gke.1274000
• 1.29.1-gke.1388000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1412001
• 1.26.6-gke.1017002
• 1.27.10-gke.1055001
• 1.28.6-gke.1276000
• 1.29.1-gke.1392000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2024-0193

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.17-gke.2364001
• 1.25.16-gke.1229000
• 1.26.6-gke.1017002
• 1.27.3-gke.1001003
• 1.28.5-gke.1194000
• 1.29.0-gke.1340000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1412001
• 1.26.6-gke.1017002
• 1.27.10-gke.1055001
• 1.28.6-gke.1276000
• 1.29.1-gke.1221000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2023-6932

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.17-gke.2364001
• 1.25.16-gke.1229000
• 1.26.6-gke.1017002
• 1.27.3-gke.1001003
• 1.28.5-gke.1194000
• 1.29.0-gke.1340000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1412001
• 1.26.6-gke.1017002
• 1.27.10-gke.1055001
• 1.28.6-gke.1276000
• 1.29.1-gke.1221000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

What should I do?

2024-04-17 Update: Added patch versions for GKE on VMware.

The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

• 1.28.200
• 1.16.6
• 1.15.10

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6931

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE Standard clusters running Windows Server nodes and using an in-tree storage plugin might be affected.

GKE Autopilot clusters and GKE node pools using GKE Sandbox are not affected because they do not support Windows Server nodes.

What should I do?

Determine if you have Windows Server nodes in use on your clusters:

kubectl get nodes -l kubernetes.io/os=windows

Check audit logs for evidence of exploitation. Kubernetes audit logs can be audited to determine if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.

Update your GKE cluster and node pools to a patched version. The following versions of GKE have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE versions or later:

• 1.24.17-gke.6100
• 1.25.15-gke.2000
• 1.26.10-gke.2000
• 1.27.7-gke.2000
• 1.28.3-gke.1600

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

What vulnerabilities are addressed by this patch?

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on VMware clusters running Windows Server nodes and using an in-tree storage plugin might be affected.

What should I do?

Determine if you have Windows Server nodes in use on your clusters:

kubectl get nodes -l kubernetes.io/os=windows

Check audit logs for evidence of exploitation. Kubernetes audit logs can be audited to determine if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.

Update your GKE on VMware cluster and node pools to a patched version. The following versions of GKE on VMware have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE on VMware versions or later:

• 1.28.100-gke.131
• 1.16.5-gke.28
• 1.15.8-gke.41

What vulnerabilities are addressed by this patch?

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on AWS clusters aren't affected.

What should I do?

No action required

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on Azure clusters aren't affected.

What should I do?

No action required

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on Bare Metal clusters aren't affected.

What should I do?

No action required

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-02-28 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1537000
• 1.26.14-gke.1006000

2024-02-15 Update: Due to an issue, the following Ubuntu patch versions from the 2024-02-14 update might cause your nodes to enter an unhealthy state. Don't upgrade to the following patch versions. We'll update this bulletin when newer patch versions for Ubuntu are available for 1.25 and 1.26.

• 1.25.16-gke.1497000
• 1.26.13-gke.1189000

If you already upgraded to one of these patch versions, manually downgrade your node pool to an earlier version in your release channel.

2024-02-14 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1497000
• 1.26.13-gke.1189000
• 1.27.10-gke.1207000
• 1.28.6-gke.1369000
• 1.29.1-gke.1575000

2024-02-06 Update: The following versions of GKE have been updated with code to fix this vulnerability in Container-Optimized OS. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Container-Optimized OS node pools to one of the following GKE versions or later:

• 1.25.16-gke.1460000
• 1.26.13-gke.1144000
• 1.27.10-gke.1152000
• 1.28.6-gke.1289000
• 1.29.1-gke.1425000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

We're updating GKE with code to fix this vulnerability. We'll update this bulletin when patch versions are available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

2024-03-06 Update: The following versions of GKE on VMware have been updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

• 1.28.200
• 1.16.6
• 1.15.9

Patch versions and a severity assessment for GKE on VMware are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

2024-05-06 Update: The following versions of GKE on AWS have been updated with patches for CVE-2024-21626:

• 1.28.5-gke.1200
• 1.27.10-gke.500
• 1.26.13-gke.400

Patch versions and a severity assessment for GKE on AWS are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

2024-05-06 Update: The following versions of GKE on Azure have been updated with patches for CVE-2024-21626:

• 1.28.5-gke.1200
• 1.27.10-gke.500
• 1.26.13-gke.400

Patch versions and a severity assessment for GKE on Azure are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods might be able to gain full access to the node filesystem.

What should I do?

2024-04-02 Update: The following versions of GKE on Bare Metal have been updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

• 1.28.200-gke.118
• 1.16.6
• 1.15.10

Patch versions and a severity assessment for GKE on Bare Metal are in progress. We'll update this bulletin with that information when it's available.

What vulnerabilities are addressed by this patch?

runc is a low-level tool for spawning and running Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container. runc also did not verify that a container's final working directory was inside the container's mount namespace. A malicious container image or a user with permission to run arbitrary Pods could use a combination of the leaked file descriptors and lack of working directory validation to gain access to a node's host mount namespace and access the entire host filesystem and overwrite arbitrary binaries on the node.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-02-07 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.25.16-gke.1458000
• 1.26.13-gke.1143000
• 1.27.10-gke.1152000
• 1.28.6-gke.1276000
• 1.29.1-gke.1221000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.16-gke.1229000
• 1.26.12-gke.1087000
• 1.27.3-gke.1001003
• 1.28.5-gke.1194000
• 1.29.0-gke.1340000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-6817

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

2024-01-26 Update: Security research that found a small number of GKE clusters with a customer-created misconfiguration involving the system:authenticated group has now been published. The researcher's blog post refers to 1,300 clusters with some misconfigured bindings, and 108 with high privileges. We have worked closely with impacted customers to notify them and assist with removing their misconfigured bindings.

We have identified several clusters where users have granted Kubernetes privileges to the system:authenticated group, which includes all users with a Google account. These types of bindings are not recommended, as they violate the principle of least privilege and grant access to very large groups of users. See guidance under 'What should I do' for instructions on how to find these types of bindings.

Recently, a security researcher reported findings of clusters with RBAC misconfigurations through our vulnerability reporting program.

Google's approach to authentication is to make authenticating to Google Cloud and GKE as simple and secure as possible without adding complex configuration steps. Authentication just tells us who the user is; Authorization is where access is determined. So the system:authenticated group in GKE that contains all users authenticated through Google's identity provider is working as intended and functions in the same way as the IAM allAuthenticatedUsers identifier.

With this in mind we've taken several steps to reduce the risk of users making authorization errors with the Kubernetes built-in users and groups, including system:anonymous, system:authenticated, and system:unauthenticated. All of these users/groups represent a risk to the cluster if granted permissions. We discussed some of the attacker activity targeting RBAC misconfigurations and available defenses at Kubecon in November 2023.

To protect users from accidental authorization errors with these system users/groups, we have:

• By default blocked new bindings of the highly privileged ClusterRole cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated in GKE version 1.28.
• Built detection rules into Event Threat Detection (GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING) as part of Security Command Center.
• Built configurable prevention rules into Policy Controller with K8sRestrictRoleBindings.
• Sent email notifications to all GKE users with bindings to these users/groups asking them to review their configuration.
• Built network authorization features and made recommendations to restrict network access to clusters as a first layer of defense.
• Raised awareness about this issue through a talk at Kubecon in November 2023.

Clusters that apply authorized networks restrictions have a first layer of defense: they cannot be attacked directly from the Internet. But we still recommend removing these bindings for defense in depth and to guard against errors in network controls.
Note there are a number of cases where bindings to Kubernetes system users or groups are used intentionally: e.g. for kubeadm bootstrapping, the Rancher dashboard and Bitnami sealed secrets. We have confirmed with those software vendors that those bindings are working as intended.

We are investigating ways we can further protect against user RBAC misconfiguration with these system users/groups through prevention and detection.

What should I do?

To prevent any new bindings of cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated users can upgrade to GKE v1.28 or later (release notes), where creation of those bindings are blocked.

Existing bindings should be reviewed following this guidance.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.7-gke.1063001
• 1.28.5-gke.1194000
• 1.29.0-gke.1340000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

What should I do?

2024-02-20 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later: 1.28.100

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.

• CVE-2023-6111

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1014001
• 1.27.3-gke.1001002
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.26.5-gke.1021001
• 1.27.3-gke.1001002

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3609

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1014001
• 1.27.3-gke.1001002
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.10-gke.1027001
• 1.26.5-gke.1014001
• 1.27.3-gke.1001002
• 1.28.1-gke.1002003

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3389

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.12-gke.900
• 1.26.5-gke.1014001
• 1.27.4-gke.400
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.12-gke.900
• 1.26.5-gke.1014001
• 1.27.4-gke.900
• 1.28.1-gke.1050000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3090

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.27.4-gke.400
• 1.28.0-gke.100

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.14-gke.1027001
• 1.25.12-gke.900
• 1.26.5-gke.1014001
• 1.27.4-gke.900
• 1.28.1-gke.1050000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3390

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Cloud Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster. The issues with Fluent Bit and Cloud Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise. We are not aware of any instances of exploitation of these vulnerabilities.

These issues were reported through our Vulnerability Reward Program.

What should I do?

The following versions of GKE have been updated with code to fix these vulnerabilities in Fluent Bit and for users of managed Cloud Service Mesh. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:

• 1.25.16-gke.1020000
• 1.26.10-gke.1235000
• 1.27.7-gke.1293000
• 1.28.4-gke.1083000

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are being addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to compromise the Fluent Bit logging container. We are not aware of any existing vulnerabilities in Fluent Bit that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future

GKE uses Fluent Bit to process logs for workloads running on clusters. Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node. The researcher used this access to discover a highly privileged service account token for clusters that have Cloud Service Mesh enabled.

Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges

We have removed Fluent Bit's access to the service account tokens and have redesigned the functionality of Cloud Service Mesh to remove excess privileges.

Only GKE on VMware clusters using Cloud Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges.

Only GKE on AWS clusters using Cloud Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges.

Only GKE on Azure clusters using Cloud Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges.

Only GKE on Bare Metal clusters using Cloud Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):

• 1.17.8-asm.8
• 1.18.6-asm.2
• 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2024-01-22 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.17-gke.2472000
• 1.25.16-gke.1268000
• 1.26.12-gke.1111000
• 1.27.9-gke.1092000
• 1.28.5-gke.1217000
• 1.29.0-gke.138100

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.24.17-gke.2113000
• 1.25.14-gke.1421000
• 1.25.15-gke.1083000
• 1.26.10-gke.1073000
• 1.27.7-gke.1088000
• 1.28.3-gke.1203000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

What should I do?

2024-03-04 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:

• 1.28.200
• 1.16.5
• 1.15.8

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5717

What should I do?

There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.25.13-gke.1002003
• 1.26.9-gke.1514000
• 1.27.6-gke.1513000
• 1.28.2-gke.1164000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.24.16-gke.1005001
• 1.25.13-gke.1002003
• 1.26.9-gke.1548000
• 1.27.7-gke.1039000
• 1.28.3-gke.1061000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-5197

What should I do?

There is no action required. GKE on Bare Metal aren't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

GKE Standard clusters are impacted. GKE Autopilot clusters aren't impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2023-11-15 Update: You only need to upgrade to one of the patched versions that are listed in this bulletin if you use that minor version in your nodes. For example, if you use GKE version 1.27, you should upgrade to the corresponding patched version. However, if you use GKE version 1.24, you don't need to upgrade to a patched version.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.27.5-gke.200
• 1.28.2-gke.1157000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.25.14-gke.1421000
• 1.26.9-gke.1437000
• 1.27.6-gke.1248000
• 1.28.2-gke.1157000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patched version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4147

What should I do?

There is no action required. GKE on Bare Metal aren't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-12-05 Update: Some GKE versions were previously missing. The following is an updated list of GKE versions that you can update your Container-Optimized OS to:

• 1.24.17-gke.200 or later
• 1.25.13-gke.200 or later
• 1.26.8-gke.200 or later
• 1.27.4-gke.2300 or later
• 1.28.1-gke.1257000 or later

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.27.4-gke.2300
• 1.28.1-gke.1257000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.13-gke.700
• 1.26.8-gke.700
• 1.27.5-gke.700
• 1.28.1-gke.1050000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4004

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.14-gke.1351000
• 1.26.9-gke.1345000
• 1.27.6-gke.1389000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.17-gke.2186000
• 1.25.15-gke.1016000
• 1.26.9-gke.1548000
• 1.27.6-gke.1551000
• 1.28.2-gke.1256000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4921

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.14-gke.1351000
• 1.26.9-gke.1345000
• 1.27.5-gke.1647000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.17-gke.2186000
• 1.25.15-gke.1016000
• 1.26.9-gke.1548000
• 1.27.6-gke.1551000
• 1.28.2-gke.1256000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.14-gke.1351000
• 1.26.9-gke.1345000
• 1.27.6-gke.1389000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.17-gke.2186000
• 1.25.15-gke.1016000
• 1.26.9-gke.1548000
• 1.27.6-gke.1551000
• 1.28.2-gke.1256000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4623

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.27.5-gke.1647000

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.13-gke.700
• 1.26.8-gke.700
• 1.27.5-gke.700
• 1.28.1-gke.1050000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4015

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Autopilot clusters are impacted.

Clusters using GKE Sandbox are not impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.13-gke.1008000
• 1.26.8-gke.1647000
• 1.27.5-gke.200

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.14-gke.1027001
• 1.25.13-gke.1706000
• 1.26.8-gke.1647000
• 1.27.5-gke.1648000
• 1.28.1-gke.1050000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-4128

What should I do?

There is no action required. GKE on Bare Metal are not affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN. GKE Sandbox workloads are also not impacted.

Autopilot clusters are impacted.

Clusters that use GKE Sandbox are impacted.

What should I do?

2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted.

Upgrade your Container-Optimized OS node pools to one of the following versions or later:

• 1.24.16-gke.2200
• 1.25.12-gke.2200
• 1.26.7-gke.2200
• 1.27.4-gke.2300

Upgrade your Ubuntu node pools to one of the following versions or later:

• 1.24.17-gke.700
• 1.25.13-gke.700
• 1.26.8-gke.700
• 1.27.5-gke.700
• 1.28.0-gke.100

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

• CVE-2023-3777

What should I do?

There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution.

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected.

What should I do?

2023-11-09 Update: We have released new versions of GKE that include the Go and Kubernetes security patches, which you can update your clusters to now. In the coming weeks we will release additional changes to the GKE control plane to further mitigate this issue.

The following GKE versions have been updated with patches for CVE-2023-44487 and CVE-2023-39325:

• 1.24.17-gke.2155000
• 1.25.14-gke.1474000
• 1.26.10-gke.1024000
• 1.27.7-gke.1038000
• 1.28.3-gke.1090000

We recommend that you apply the following mitigation as soon as possible and upgrade to the latest patched version when available.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane, and also make the patches visible within GKE GKE security posture when available for your cluster. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications.

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release specific channel.

Mitigate by configuring authorized networks for control plane access:

You can add authorized networks for existing clusters. To learn more see, authorized network for existing clusters.

In addition to the authorized networks you add, there are preset IP addresses that can access the GKE control plane. To learn more about these addresses, see Access to control plane endpoints. The following items summarize the cluster isolation:

• Private clusters with --master-authorized-networks and PSC-based clusters with --master-authorized-networks and --no-enable-google-cloud configured are the most isolated.
• Legacy public clusters with --master-authorized-networks and PSC-based clusters with --master-authorized-networks and --enable-google-cloud (default) configured are additionally accessible by the following:
  • Public IP addresses of all Compute Engine VMs in Google Cloud
  • Google Cloud platform IP addresses

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on GKE control plane nodes.

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on VMware creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

2024-02-14 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following patch versions or later:

• 1.28.100
• 1.16.6
• 1.15.8

If you have configured your GKE on VMware Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on AWS creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

2024-03-20 Update: The following GKE on AWS versions have been updated with patches for CVE-2023-44487:

• 1.26.10-gke.600
• 1.27.7-gke.600
• 1.28.3-gke.700

If you have configured your GKE on AWS to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on Azure creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

2024-03-20 Update: The following GKE on Azure versions have been updated with patches for CVE-2023-44487:

• 1.26.10-gke.600
• 1.27.7-gke.600
• 1.28.3-gke.700

If you have configured your GKE on Azure clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. Anthos on Bare Metal creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

If you have configured your Anthos on Bare Metal Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. To learn more, see the GKE on Bare Metal security overview.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

GKE clusters are only affected if they include Windows nodes.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

• 1.24.17-gke.200
• 1.25.13-gke.200
• 1.26.8-gke.200
• 1.27.5-gke.200
• 1.28.1-gke.200

The GKE control plane will be updated the week of 2023-09-04 to update the csi-proxy to version 1.1.3. If you update your nodes prior to the control plane update, you will need to update your nodes again after the update to take advantage of the new proxy. You can update the nodes again, even without changing the node version, by running the gcloud container clusters upgrade command and passing the --cluster-version flag with the same GKE version that the node pool is already running. You must use the gcloud CLI for this workaround. Note that this will cause an update regardless of maintenance windows.

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are addressed by this patch?

With CVE-2023-3676, a malicious actor could craft a Pod spec with host path strings that contain PowerShell commands. Kubelet lacks input sanitization and passes this crafted path string to the command executor as an argument where it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has.

With CVE-2023-3955, Kubelet grants users who can create Pods the ability to execute code at the same permission level as the Kubelet agent, privileged permissions.

With CVE-2023-3893, a similar lack of input sanitation lets a user who can create Pods on Windows nodes running kubernetes-csi-proxy to escalate to admin privileges on those nodes.

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into Pods are also a strong indication of exploitation.

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

Clusters are only affected if they include Windows nodes.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-3676, a malicious actor could craft a Pod spec with host path strings that contain PowerShell commands. Kubelet lacks input sanitization and passes this crafted path string to the command executor as an argument where it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has.

With CVE-2023-3955, Kubelet grants users who can create Pods the ability to execute code at the same permission level as the Kubelet agent, privileged permissions.

With CVE-2023-3893, a similar lack of input sanitation lets a user who can create Pods on Windows nodes running kubernetes-csi-proxy to escalate to admin privileges on those nodes.

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into Pods are also a strong indication of exploitation.

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

What should I do?

GKE on AWS is not affected by these CVEs. No action is required.

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

What should I do?

GKE on Azure is not affected by these CVEs. No action is required.

Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.

What should I do?

GKE on Bare Metal is not affected by these CVEs. No action is required.

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE Autopilot clusters are affected as GKE Autopilot nodes always use Container-Optimized OS node images. GKE Standard clusters with versions 1.25 or later that are running Container-Optimized OS node images are affected.

GKE clusters are not affected if they are running only Ubuntu node images, or running versions before 1.25, or using GKE Sandbox.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

• 1.25.9-gke.1400
• 1.26.4-gke.1500
• 1.27.1-gke.2400

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release specific channel.

What vulnerabilities are being addressed?

With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware clusters are affected.

What should I do?

What vulnerabilities are being addressed?

With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.

A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node.

Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE.

What should I do?

No action is required.

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE clusters, including Autopilot clusters, are affected.

GKE clusters using GKE Sandbox are not affected.

What should I do?

2023-07-11 Update: Ubuntu patch versions are available.

The following GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-31436:

• 1.23.17-gke.8200
• 1.24.14-gke.2600
• 1.25.10-gke.2700
• 1.26.5-gke.2700
• 1.27.2-gke.2700

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

• 1.22.17-gke.11400
• 1.23.17-gke.6800
• 1.24.14-gke.1200
• 1.25.10-gke.1200
• 1.26.5-gke.1200
• 1.27.2-gke.1200

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release specific channel.

What vulnerabilities are being addressed?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware clusters are affected.

What should I do?

What vulnerabilities are being addressed?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node.

Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE.

What should I do?

No action is required.

A number of vulnerabilities have been discovered in Envoy, which is used in Cloud Service Mesh (ASM). These were reported separately as GCP-2023-002.

GKE does not ship with ASM and is not affected by these vulnerabilities.

What should I do?

If you have separately installed ASM for your GKE clusters, please see GCP-2023-002.

A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487), have been discovered in Envoy, which is used in Cloud Service Mesh in GKE on VMware, that allows a malicious attacker to cause a denial of service or crash Envoy. These were reported separately as GCP-2023-002, but we want to ensure that GKE Enterprise customers update their versions that include ASM.

What should I do?

The following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:

• 1.13.8
• 1.14.5
• 1.15.1

What vulnerabilities are addressed by this patch?

CVE-2023-27496: If Envoy is running with the OAuth filter enabled exposed, a malicious actor could construct a request which would cause denial of service by crashing Envoy.

CVE-2023-27488: Attackers can use this vulnerability to bypass auth checks when ext_authz is used.

CVE-2023-27493: Envoy configuration must also include an option to add request headers that were generated using inputs from the request, such as the peer certificate SAN.

CVE-2023-27492: Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes.

CVE-2023-27491: Attackers can send specifically crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on HTTP/1 upstream service.

CVE-2023-27487: The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client.

A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487), have been discovered in Envoy, which is used in Cloud Service Mesh. These were reported separately as GCP-2023-002.

GKE on AWS does not ship with ASM and is not affected.

What should I do?

No action is required.

A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487), have been discovered in Envoy, which is used in Cloud Service Mesh. These were reported separately as GCP-2023-002.

GKE on Azure does not ship with ASM and is not affected.

What should I do?

No action is required.

A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487), have been discovered in Envoy, which is used in Cloud Service Mesh in GKE on Bare Metal, that allows a malicious attacker to cause a denial of service or crash Envoy. These were reported separately as GCP-2023-002, but we want to ensure that GKE Enterprise customers update their versions that include ASM.

What should I do?

The following versions of GKE on Bare Metal have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on Bare Metal versions:

• 1.13.9
• 1.14.6
• 1.15.2

What vulnerabilities are addressed by this patch?

CVE-2023-27496: If Envoy is running with the OAuth filter enabled exposed, a malicious actor could construct a request which would cause denial of service by crashing Envoy.

CVE-2023-27488: Attackers can use this vulnerability to bypass auth checks when ext_authz is used.

CVE-2023-27493: Envoy configuration must also include an option to add request headers that were generated using inputs from the request, such as the peer certificate SAN.

CVE-2023-27492: Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes.

CVE-2023-27491: Attackers can send specifically crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on HTTP/1 upstream service.

CVE-2023-27487: The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client.

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node. GKE clusters, including Autopilot clusters, are affected.

GKE clusters using GKE Sandbox are not affected.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

• 1.25.7-gke.1200
• 1.26.2-gke.1200

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release specific channel.

What vulnerabilities are being addressed?

In CVE-2023-0468, a use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel. This flaw may cause a NULL pointer dereference, and potentially a system crash leading to a denial of service.

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node.

GKE on VMware uses version 5.4 of the Linux Kernel and is not affected by this CVE.

What should I do?

• No action is needed

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node.

GKE on AWS is not affected by this CVE.

What should I do?

• No action is needed

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node.

GKE on Azure is not affected by this CVE.

What should I do?

• No action is needed

A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node.

Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE.

What should I do?

• No action is needed

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728).

GKE does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

• 1.27.2-gke.1200
• 1.26.5-gke.1200
• 1.25.10-gke.1200
• 1.24.14-gke.1200
• 1.23.17-gke.6800

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

• The ServiceAccount admission plugin is used.
• The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
• Pods are using ephemeral containers.

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728) Anthos on VMware does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.

All versions of Anthos on VMware are potentially vulnerable to CVE-2023-2728.

What should I do?

2023-08-11 Update: The following versions of GKE on VMware have been updated with code to fix this vulnerability. Upgrade your admin and user clusters to one of the following GKE on VMware versions:

• 1.13.10
• 1.14.6
• 1.15.3

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

• The ServiceAccount admission plugin is used.
• The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
• Pods are using ephemeral containers.

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728)
Anthos on AWS does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.
All versions of Anthos on AWS are potentially vulnerable to CVE-2023-2728.

What should I do?

2023-08-11 Update: The following version of GKE on AWS has been updated with code to fix this vulnerability. Upgrade your nodes to the following GKE on AWS version:

• 1.15.2

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

• The ServiceAccount admission plugin is used.
• The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
• Pods are using ephemeral containers.

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728)
Anthos on Azure does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.
All versions of Anthos on Azure are potentially vulnerable to CVE-2023-2728.

What should I do?

2023-08-11 Update: The following version of GKE on Azure has been updated with code to fix this vulnerability. Upgrade your nodes to the following GKE on Azure version:

• 1.15.2

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

• The ServiceAccount admission plugin is used.
• The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
• Pods are using ephemeral containers.

Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728)
Anthos on Bare Metal does not use ImagePolicyWebhook and is not affected by CVE-2023-2727.
All versions of Anthos on Bare Metal are potentially vulnerable to CVE-2023-2728.

What should I do?

2023-08-11 Update: The following versions of Google Distributed Cloud Virtual for Bare Metal have been updated with code to fix this vulnerability. Upgrade your nodes to one of the following Google Distributed Cloud Virtual for Bare Metal versions:

• 1.13.9
• 1.14.7
• 1.15.3

What vulnerabilities are being addressed?

With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions.

In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:

• The ServiceAccount admission plugin is used.
• The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
• Pods are using ephemeral containers.

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE is not affected by this CVE.

What should I do?

While GKE is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE on VMware is not affected by this CVE.

What should I do?

While GKE on VMware is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE on AWS is not affected by this CVE.

What should I do?

While GKE on AWS is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE on Azure is not affected by this CVE

What should I do?

While GKE on Azure is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

GKE on Bare Metal is not affected by this CVE.

What should I do?

While GKE on Bare Metal is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. GKE Standard and Autopilot clusters are affected.

Clusters using GKE Sandbox are not affected.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

• 1.22.17-gke.11400
• 1.23.17-gke.5600
• 1.24.13-gke.2500
• 1.25.9-gke.2300
• 1.26.5-gke.1200

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release specific channel.

What vulnerabilities are addressed by this patch?

CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock, which can lead to a use-after-free vulnerability due to a race condition with fixed files becoming unregistered.

A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

What should I do?

What vulnerabilities are addressed by this patch?

CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock, which can lead to a use-after-free vulnerability due to a race condition with fixed files becoming unregistered.

A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.

What should I do?

The following versions of GKE on AWS have been updated with code to fix these vulnerabilities:

What vulnerabilities are addressed by this patch?

CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock, which can lead to a use-after-free vulnerability due to a race condition with fixed files becoming unregistered.