This page provides all security bulletins related to Google Security Operations.

GCP-2023-028

Published: 2023-09-19

Updated: 2024-05-29

Description
2024-05-29 Update: New feeds no longer use the shared service account, but it remains active for existing feeds to avoid service disruptions. Changes to the source in older feeds are blocked to prevent misuse of the shared service account. Customers can continue using their old feeds normally, as long as they don't change the source.

Customers can configure Google SecOps to ingest data from customer-owned Cloud Storage buckets using an ingestion feed. Until recently, Google SecOps provided a shared service account that customers used to grant permission to the bucket. As a result, one customer's Google SecOps instance could be configured to ingest data from another customer's Cloud Storage bucket. After performing an impact analysis, we found no current or prior exploitation of this vulnerability. The vulnerability was present in all versions of Google SecOps prior to Sept 19, 2023.

What should I do?

As of Sept 19, 2023, Google SecOps has been updated to address this vulnerability. No customer action is required.

What vulnerabilities are being addressed?

Previously, Google SecOps provided a shared service account that customers used to grant permission to a bucket. Because different customers granted the same Google SecOps service account permission to their buckets, an exploitation vector existed that allowed one customer's feed to access a different customer's bucket when a feed was being created or modified. This exploitation vector required knowledge of the bucket URI. Now, during feed creation or modification, Google SecOps uses unique service accounts for each customer.

Severity: High
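To see which of your buckets still grant access to the legacy shared service account described above, the following added example (not code from Google or from this bulletin) scans bucket IAM policies for bindings to that principal. The service account address is a placeholder because the bulletin does not give it, and the bucket names and policies are constructed sample data in the `bindings` shape of a Cloud Storage IAM policy.

```python
# Placeholder principal: the bulletin does not name the shared service account.
SHARED_SA = "serviceAccount:SHARED-SA-PLACEHOLDER@example.invalid"
# Hypothetical per-customer account, standing in for the post-fix model.
UNIQUE_SA = "serviceAccount:customer-feed-PLACEHOLDER@example.invalid"

# Constructed sample: bucket name -> IAM policy (role/members bindings).
SAMPLE_POLICIES = {
    "acme-logs": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": [SHARED_SA, "user:admin@example.invalid"]},
    ]},
    "acme-archive": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": [UNIQUE_SA]},
    ]},
    "acme-legacy": {"bindings": [
        {"role": "roles/storage.legacyBucketReader", "members": [SHARED_SA]},
        {"role": "roles/storage.objectViewer", "members": [SHARED_SA],
         "condition": {"title": "constructed", "expression": "true"}},
    ]},
}


def audit_shared_principal(policies, principal=SHARED_SA):
    """Return (bucket, role, has_condition) for every binding that names
    the shared principal, ordered by bucket name."""
    findings = []
    for bucket in sorted(policies):
        for binding in policies[bucket].get("bindings", []):
            if principal in binding.get("members", []):
                findings.append(
                    (bucket, binding["role"], "condition" in binding))
    return findings


def buckets_to_review(policies, principal=SHARED_SA):
    """Buckets where any binding still trusts the shared principal."""
    return sorted({bucket for bucket, _, _ in
                   audit_shared_principal(policies, principal)})


if __name__ == "__main__":
    for bucket, role, conditional in audit_shared_principal(SAMPLE_POLICIES):
        note = " (conditional)" if conditional else ""
        print(f"{bucket}: {role} granted to shared account{note}")
```

A bucket that appears in the output may still back an existing feed that depends on the shared account, so treat a finding as a prompt to review that feed rather than as a binding to delete outright.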