Security Bulletins

Description

CVE-2016-5195 is a race condition in the way Linux kernel's memory subsystem handled breakage of the read only private mappings COW situation on write access.

An unprivileged local user could use this flaw to gain write access to otherwise read only memory mappings and thus increase their privileges on the system.

For more information see the Dirty COW FAQ.

Google Compute Engine impact

All Linux distributions and versions on Compute Engine are affected. Most instances will automatically download and install a newer kernel. However, a reboot is required to patch your running system.

New or re-created instances based on the following Google Compute Engine images have patched kernels installed already.

• centos-6-v20161026
• centos-7-v20161025
• coreos-alpha-1192-2-0-v20161021
• coreos-beta-1185-2-0-v20161021
• coreos-stable-1122-3-0-v20161021
• debian-8-jessie-v20161020
• rhel-6-v20161026
• rhel-7-v20161024
• sles-11-sp4-v20161021
• sles-12-sp1-v20161021
• ubuntu-1204-precise-v20161020
• ubuntu-1404-trusty-v20161020
• ubuntu-1604-xenial-v20161020
• ubuntu-1610-yakkety-v20161020

Description

CVE-2015-7547 is a vulnerability where the glibc DNS client side resolver makes software vulnerable to a stack-based buffer overflow when using the getaddrinfo() library function. An attacker can take advantage of software using the function to exploit this vulnerability with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.

For more details, see the Google Online Security Blog or the Common Vulnerabilities and Exposures (CVE) database.

Google Compute Engine impact

Update (2016-02-22):

You can now recreate your instances using the following CoreOS, SLES, and OpenSUSE images:

• coreos-alpha-962-0-0-v20160218
• coreos-beta-899-7-0-v20160218
• coreos-stable-835-13-0-v20160218
• opensuse-13-2-v20160222
• opensuse-leap-42-1-v20160222
• sles-11-sp4-v20160222
• sles-12-sp1-v20160222

Update (2016-02-17):

You can now perform an update on Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 15.10 instances by running the following commands:

1. user@my-instance:~$ sudo apt-get -y update
2. user@my-instance:~$ sudo apt-get -y dist-upgrade
3. user@my-instance:~$ sudo reboot

As an alternative to running the manual update commands, you can now recreate their instances with the following new images:

• backports-debian-7-wheezy-v20160216
• centos-6-v20160216
• centos-7-v20160216
• debian-7-wheezy-v20160216
• debian-8-jessie-v20160216
• rhel-6-v20160216
• rhel-7-v20160216
• ubuntu-1204-precise-v20160217a
• ubuntu-1404-trusty-v20160217a
• ubuntu-1510-wily-v20160217

We are not aware of any methods that can exploit this vulnerability through Compute Engine's DNS resolvers with the default glibc configuration. You should still patch your virtual machine instances as soon as possible, since, as with any new vulnerability, new exploit methods may be discovered over time. If you have enabled edns0 (disabled by default), you should disable it until your instances are patched.

Original bulletin:

Your Linux distribution might be vulnerable. Compute Engine customers will need to update the OS images of their instances to eliminate this vulnerability if they are running a Linux OS.

For instances running Debian, you can perform an update by running the following commands in your instance:

1. user@my-instance:~$ sudo apt-get -y update
2. user@my-instance:~$ sudo apt-get -y dist-upgrade
3. user@my-instance:~$ sudo reboot

We also recommend installing UnattendedUpgrades for your Debian instances.

For Red Hat Enterprise Linux instances:

• user@my-instance:~$ sudo yum -y upgrade
• user@my-instance:~$ sudo reboot

We will continue to update this bulletin as other operating system maintainers publish patches for this vulnerability and as Compute Engine releases updated OS images.

Description

CVE-2015-1427 is a vulnerability where the Groovy scripting engine in Elasticsearch before version 1.3.8 and any 1.4.x versions before 1.4.3, allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands.

For more details, see the National Vulnerability Database (NVD) or the Common Vulnerabilities and Exposures (CVE) database.

Google Compute Engine impact

If you are running Elasticsearch on your Compute Engine instances, you should upgrade your Elasticsearch version to 1.4.3 or higher. If you have already upgraded your Elasticsearch software, you are protected from this vulnerability.

If you have not upgraded Elasticsearch 1.4.3 or higher, you can perform a rolling upgrade.

If you deployed Elasticsearch using Click-to-deploy in the Google Cloud Platform Console, you can delete the deployment to remove instances running Elasticsearch.

The Google Cloud Platform team is working on a fix in order to deploy an updated version of Elasticsearch. However, the fix is not yet available for the Click-to-deploy feature in the Cloud Platform Console.

Description

CVE-2015-0235 (Ghost) is a vulnerability in the glibc library.

App Engine, Cloud Storage, BigQuery, and CloudSQL customers do not need to take any actions. Google’s servers have been updated and are protected from this vulnerability.

Customers of Compute Engine may need to update their OS images.

Google Compute Engine impact

Your Linux distribution may be vulnerable. Compute Engine customers will need to update the OS images of their instances to eliminate this vulnerability if they are running Debian 7, Debian 7 backports, Ubuntu 12.04 LTS, Red Hat Enterprise Linux, CentOS, or SUSE Linux Enterprise Server 11 SP3.

This vulnerability does not affect Ubuntu 14.04 LTS, Ubuntu 14.10, or SUSE Linux Enterprise Server 12.

We recommend that you upgrade your Linux distributions. For instances running Debian 7, Debian 7 backports, or Ubuntu 12.04 LTS, you can perform an update by running the following commands in your instance:

1. user@my-instance:~$ sudo apt-get update
2. user@my-instance:~$ sudo apt-get -y upgrade
3. user@my-instance:~$ sudo reboot

For Red Hat Enterprise Linux or CentOS instances:

1. user@my-instance:~$ sudo yum -y upgrade
2. user@my-instance:~$ sudo reboot

For SUSE Linux Enterprise Server 11 SP3 instances:

1. user@my-instance:~$ sudo zypper --non-interactive up
2. user@my-instance:~$ sudo reboot

As an alternative to running the manual update commands above, users can now recreate their instances with the following new images:

• debian-7-wheezy-v20150127
• backports-debian-7-wheezy-v20150127
• centos-6-v20150127
• centos-7-v20150127
• rhel-6-v20150127
• rhel-7-v20150127
• sles-11-sp3-v20150127
• ubuntu-1204-precise-v20150127

Google Managed VM impact

Managed VM users using gcloud preview app deploy need to update their base docker containers with gcloud preview app setup-managed-vms and redeploy each of their running apps using gcloud preview app deploy. Users that deploy with appcfg do not need to do anything and will be upgraded automatically.

Description

CVE-2014-3566 (aka POODLE) is a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. For details, see our blog post on the vulnerability.

App Engine, Cloud Storage, BigQuery, and CloudSQL customers do not need to take any actions. Google’s servers have been updated and are protected from this vulnerability. Customers of Compute Engine need to update their OS images.

Google Compute Engine impact

Updated (2014-10-17):

You may be vulnerable if you are using SSLv3. Compute Engine customers will need to update the OS images of their instances to eliminate this vulnerability.

We recommend that you upgrade your Linux distributions. For instances running Debian, you can perform an update by running the following commands in your instance:

user@my-instance:~$ sudo apt-get update
user@my-instance:~$ sudo apt-get -y upgrade
user@my-instance:~$ sudo reboot

For CentOS instances:

user@my-instance:~$ sudo yum -y upgrade
user@my-instance:~$ sudo reboot

As an alternative to running the manual update commands above, users can now recreate their instances with the following new images to recreate your instances:

• centos-6-v20141016
• centos-7-v20141016
• debian-7-wheezy-v20141017
• backports-debian-7-wheezy-v20141017

We will update the bulletin for RHEL and SLES images once we have the images. In the meantime, RHEL users can consult Red Hat directly for more information.

Original bulletin:

Compute Engine customers will need to update the OS images of their instances to eliminate this vulnerability. We will update this security bulletin with instructions once new OS images are available.

Description

There is a bug in bash (CVE-2014-6271) that allows remote code execution based on parsing of any attacker-controlled environment variables. The most likely vector of exploitation is via malicious HTTP requests made to CGI scripts exposed on a web server. For more information, see the bug description.

The bash bugs have been mitigated for Google Cloud Platform Products except for Compute Engine guest OS images dated before 20140926. Please see below for steps to mitigate the bugs for your Compute Engine images.

Google Compute Engine impact

This bug may affect virtually all websites that use CGI scripts. In addition, it will likely affect web sites that rely on PHP, Perl, Python, SSI, Java, C++, and similar servlets that will ever invoke shell commands via calls such as popen, system, shell_exec, or similar APIs. It may also affect systems that attempt to allow controlled login access to restricted users via mechanisms such as SSH command limitation or the bash restricted shell.

Update (2014-09-29):

As an alternative to running the manual update commands below, users can now recreate their instances with images that mitigate additional vulnerabilities related to the bash security bug, including CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187. Use the following new images to recreate your instances:

• centos-6-v20140926
• centos-7-v20140926
• debian-7-wheezy-v20140926
• backports-debian-7-wheezy-v20140926
• rhel-6-v20140926

Update (2014-09-25):

Users can now choose to recreate their instances instead of performing a manual update. To recreate your instances, use the following new images which contains fixes to this security bug:

• backports-debian-7-wheezy-v20140924
• debian-7-wheezy-v20140924
• rhel-6-v20140924
• centos-6-v20140924
• centos-7-v20140924

For RHEL and SUSE images, you can also manually perform updates by running the following commands on your instances:

# RHEL instances
user@my-instance:~$ sudo yum -y upgrade

# SUSE instances
user@my-instance:~$ sudo zypper --non-interactive up

Original bulletin:

We recommend that you upgrade your Linux distributions. For instances running Debian, you can perform an update by running the following commands in your instance:

user@my-instance:~$ sudo apt-get update
user@my-instance:~$ sudo apt-get -y upgrade

For CentOS instances:

user@my-instance:~$ sudo yum -y upgrade

For detailed information, review the announcement for the respective Linux distribution:

• Original patches: http://ftp.gnu.org/gnu/bash/ (see the last entry in *-patches for the appropriate version)
• Debian: [SECURITY] [DSA 3032-1] bash security update
• RHEL:
  • RHSA-2014:1293-01
  • RHSA-2014:1294-01
• CentOS 5: [CentOS-announce] CESA-2014:1293
• CentOS 6: [CentOS-announce] CESA-2014:1293
• CentOS 7: [CentOS-announce] CESA-2014:1293

Description

Elasticsearch Logstash is vulnerable to OS command injection that can allow unauthorized modification and disclosure of data. An attacker can send crafted events to any of Logstash’s data sources, allowing the attacker to execute commands with the permissions of the Logstash process.

Google Compute Engine impact

This vulnerability affects all Compute Engine instances running versions of Elasticsearch Logstash before 1.4.2 with zabbix or nagios_nsca outputs enabled. To prevent attack, you can either:

• Upgrade to Logstash 1.4.2
• Apply the patch for versions 1.3.x
• Disable the zabbix and nagios_nsca outputs.

Read more on the Logstash blog.

Elasticsearch also recommends using a firewall to prevent remote access by untrusted IPs.

Description

We would like to take a moment to respond to any possible concerns that customers have about the security of Docker containers when running on Google Cloud Platform. This includes customers using our Google App Engine extensions that support Docker Containers, container optimized virtual machines, or the Open Source Kubernetes scheduler.

Docker has done a great job of responding to the issue and you can see their blog response here. Note that, as they say in their response, the issue revealed today only applies to Docker 0.11, an older, pre-production, version.

While the world is thinking about container security, we would like to point out that in Google Cloud Platform, Linux application container based solutions (specifically Docker containers) run in full virtual machines (Google Compute Engine). While we support the efforts of the Docker community to harden the Linux application container stack, we recognize that the technology is new, and the surface area large. It is our belief that, for now, full hypervisors (virtual machines) provide a more compact and defensible surface area. Virtual machines were designed from the beginning to isolate malicious workloads and to minimize the likelihood and impact of a code bug.

Our customers can rest assured that a full hypervisor boundary exists between them and any third party, potentially malicious code. Should we reach a point where we consider the Linux application container stack robust enough to support multi-tenant workloads, we will let the community know. For now, the Linux application container does not replace the virtual machine. It is a way to get a lot more out of it.

Description

OpenSSL has an issue where the ChangeCipherSpec messages are not correctly bound into the handshake state machine. This allows them to be injected early into the handshake. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

This issue is identified as CVE-2014-0224. The OpenSSL team has fixed the issue and alerted the OpenSSL community to update OpenSSL.

Google Compute Engine impact

This vulnerability affects all Compute Engine instances which use OpenSSL, including Debian, CentOS, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server. You can update your instances by recreating them with new images, or by manually updating packages on your instances.

Update (2014-06-09): To update your instances running SUSE Linux Enterprise Server with new images, recreate your instances using the following image versions or higher:

• sles-11-sp3-v20140609

Original post:

To update Debian and CentOS instances using new images, recreate your instances using any of the following image versions or higher:

• debian-7-wheezy-v20140605
• backports-debian-7-wheezy-v20140605
• centos-6-v20140605
• rhel-6-v20140605

To manually update OpenSSL on your instances, run the following commands to update the appropriate packages. For instances running CentOS and RHEL, you can update OpenSSL by running these commands in your instance:

user@my-instance:~$ sudo yum -y update
user@my-instance:~$ sudo reboot

For instances running Debian, you can update OpenSSL by running the following commands in your instance:

user@my-instance:~$ sudo apt-get update
user@my-instance:~$ sudo apt-get -y upgrade
user@my-instance:~$ sudo reboot

For instances running SUSE Linux Enterprise Server, you can ensure OpenSSL is up to date by running these commands in the instance:

user@my-instance:~$ sudo zypper --non-interactive up
user@my-instance:~$ sudo reboot

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Google Compute Engine impact

This vulnerability affects all Compute Engine Debian, RHEL, and CentOS instances that do not have the most updated version of OpenSSL. You can update your instances by recreating them with new images, or by manually updating packages on your instances.

To update your instances using new images, recreate your instances using any of the following image versions or higher:

• debian-7-wheezy-v20140408
• backports-debian-7-wheezy-v20140408
• centos-6-v20140408
• rhel-6-v20140408

To manually update OpenSSL on your instances, run the following commands to update the appropriate packages. For instances running CentOS and RHEL, you can ensure OpenSSL is up to date by running these commands in the instance:

user@my-instance:~$ sudo yum update
user@my-instance:~$ sudo reboot

For instances running Debian, you can update OpenSSL by running the following commands in your instance:

user@my-instance:~$ sudo apt-get update
user@my-instance:~$ sudo apt-get upgrade
user@my-instance:~$ sudo reboot

Instances running SUSE Linux are not affected.

Update on April 14, 2014: In light of new research on extracting keys using the Heartbleed bug, Compute Engine is recommending that Compute Engine customers create new keys for any affected SSL services.

Description

Note: This vulnerability is only applicable for kernels, which have been deprecated and removed since API version v1.

Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.

Google Compute Engine impact

This vulnerability affects all Google Compute Engine kernels earlier than gcg-3.3.8-201305291443. In response, Google Compute Engine has deprecated all earlier kernels and recommends that users update their instances and images to use Google Compute Engine kernel gce-v20130603. gce-v20130603 contains kernel gcg-3.3.8-201305291443, which has the patch for this vulnerability.

To find out what kernel version your instance is using:

1. ssh into your instance
2. Run uname -r

Description

Note: This vulnerability is only applicable for kernels, which have been deprecated and removed since API version v1.

Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name.

Google Compute Engine Impact

This vulnerability affects all Google Compute Engine kernels earlier than gcg-3.3.8-201305291443. In response, Google Compute Engine has deprecated all earlier kernels and recommends that users update their instances and images to use Google Compute Engine kernel gce-v20130603. gce-v20130603 contains kernel gcg-3.3.8-201305291443, which has the patch for this vulnerability.

To find out what kernel version your instance is using:

1. ssh into your instance
2. Run uname -r

Description

Note: This vulnerability is only applicable for kernels, which have been deprecated and removed since API version v1.

The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.

Google Compute Engine impact

This vulnerability affects all Google Compute Engine kernels earlier than gcg-3.3.8-201305211623. In response, Google Compute Engine has deprecated all earlier kernels and recommends that users update their instances and images to use Google Compute Engine kernel gce-v20130521. gce-v20130521 contains kernel gcg-3.3.8-201305211623, which has the patch for this vulnerability.

To find out what kernel version your instance is using:

1. ssh into your instance
2. Run uname -r

Description

Note: This vulnerability is only applicable for kernels, which have been deprecated and removed since API version v1.

Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application.

Google Compute Engine impact

This vulnerability affects Google Compute Engine kernels 2.6.x-gcg-<date>. In response, Google Compute Engine has deprecated 2.6.x kernels and recommends that users update their instances and images to use Google Compute Engine kernel gce-v20130225. gce-v20130225 contains kernel 3.3.8-gcg-201302081521, which has the patch for this vulnerability.

To find out what kernel version your instance is using:

1. ssh into your instance
2. Run uname -r