Security bulletins

The following describes all security bulletins related to Confidential VM.

GCP-2024-046

Published: 2024-08-05

Description:

AMD has notified Google about 3 new (2 medium risk, 1 high risk) firmware vulnerabilities affecting SEV-SNP in AMD EPYC 3rd generation (Milan) and 4th generation (Genoa) CPUs.

Google has applied fixes to the affected assets, including Google Cloud, to ensure customers are protected. At this time, no evidence of exploitation has been found or reported to Google.

What should I do?

No customer action is required. Fixes have already been applied to the Google server fleet.

For more information, see AMD security advisory AMD-SN-3011.

Severity: Medium–High

Notes: CVE-2023-31355, CVE-2024-21978, CVE-2024-21980

GCP-2024-009

Published: 2024-02-13

Description:

On February 13, 2024, AMD disclosed two vulnerabilities affecting SEV-SNP on EPYC CPUs based on third generation "Milan" and fourth generation "Genoa" Zen cores. The vulnerabilities allow privileged attackers to access stale data from guests or cause a loss of guest integrity.

Google has applied fixes to affected assets, including Google Cloud, to ensure customers are protected. At this time, no evidence of exploitation has been found or reported to Google.

What should I do?

No customer action is required. Fixes have already been applied to the Google server fleet for Google Cloud, including Compute Engine.

For more information, see AMD security advisory AMD-SN-3007.

Severity: Medium

Notes: CVE-2023-31346, CVE-2023-31347