This page provides all security bulletins related to Google Security Operations.

GCP-2023-028

Published: 2023-09-19

Description

Customers can configure Google Security Operations to ingest data from customer-owned Cloud Storage buckets using an ingestion feed. Until recently, Google Security Operations provided a shared service account that customers used to grant permission to the bucket. As a result, one customer's Google Security Operations instance could be configured to ingest data from another customer's Cloud Storage bucket. After performing an impact analysis, we found no current or prior exploitation of this vulnerability. The vulnerability was present in all versions of Google Security Operations prior to Sept 19, 2023.

What should I do?

As of Sept 19, 2023, Google Security Operations has been updated to address this vulnerability. No customer action is required.

What vulnerabilities are being addressed?

Previously, Google Security Operations provided a shared service account that customers used to grant permission to a bucket. Because different customers gave the same Google Security Operations service account permission to their bucket, an exploitation vector existed that allowed one customer's feed to access a different customer's bucket when a feed was being created or modified. This exploitation vector required knowledge of the bucket URI. Now, during feed creation or modification, Google Security Operations uses unique service accounts for each customer.

Severity: High
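
The following is an added example, not part of the original bulletin and not Google's code. The flaw depended on many customers' buckets trusting one shared service account, so this sketch inventories which buckets grant access to a given service account. The service account address, bucket names and policies are constructed placeholders, and the policy JSON is assumed to have the shape printed by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.

```python
import json

# Constructed placeholder: the bulletin does not name the shared service account.
SHARED_SA = "shared-ingest@example-project.iam.gserviceaccount.com"
# Constructed placeholder for a per-customer service account.
TENANT_SA = "tenant-1234@example-project.iam.gserviceaccount.com"

# Constructed sample input: bucket name -> IAM policy JSON text.
SAMPLE_POLICIES = {
    "acme-logs": json.dumps({"version": 1, "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:Shared-Ingest@example-project.iam.gserviceaccount.com",
                     "user:admin@example.com"]}]}),
    "acme-archive": json.dumps({"version": 3, "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:" + SHARED_SA],
         "condition": {"title": "feed-prefix-only",
                       "expression": "resource.name.startsWith("
                                     "'projects/_/buckets/acme-archive/objects/feed/')"}}]}),
    "acme-feeds": json.dumps({"version": 1, "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:" + TENANT_SA]}]}),
    "acme-empty": json.dumps({"version": 1, "etag": "CAE="}),  # no bindings at all
}


def find_grants(policies, sa_email):
    """Return sorted (bucket, role, is_conditional) for bindings naming sa_email."""
    # Assumption: service account addresses are compared case-insensitively.
    wanted = "serviceaccount:" + sa_email.lower()
    findings = []
    for bucket, policy_json in policies.items():
        policy = json.loads(policy_json)
        for binding in policy.get("bindings", []):  # a policy may omit bindings
            members = {m.lower() for m in binding.get("members", [])}
            if wanted in members:
                findings.append((bucket, binding["role"], "condition" in binding))
    return sorted(findings)


if __name__ == "__main__":
    for bucket, role, conditional in find_grants(SAMPLE_POLICIES, SHARED_SA):
        scope = "conditional" if conditional else "unconditional"
        print(f"{bucket}: {role} granted to {SHARED_SA} ({scope})")
```
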