Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE Standard clusters running Windows Server nodes and using an in-tree storage plugin might be affected. GKE Autopilot clusters and GKE node pools using GKE Sandbox are not affected because they do not support Windows Server nodes. What should I do?
Determine if you have Windows Server nodes in use on your clusters: kubectl get nodes -l kubernetes.io/os=windows
Check audit logs for evidence of exploitation. Kubernetes audit logs can be audited to determine if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.
Update your GKE cluster and node pools to a patched version. The following versions of GKE have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. What vulnerabilities are addressed by this patch? CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. |
High |
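The audit-log check the bulletin describes, as an added example that is not part of the bulletin or of any GKE tooling: it reads Kubernetes audit events (one JSON object per line, the audit.k8s.io/v1 shape), keeps only PersistentVolume create events, and flags those whose local or hostPath path contains special characters. The character set, the helper names, and the four sample audit lines are assumptions constructed for this example; the bulletin itself only says "special characters".

```python
"""Added example (not from the GKE bulletin): scan Kubernetes audit log lines
for PersistentVolume create events whose local or hostPath path contains
special characters, the CVE-2023-5528 exploitation indicator the bulletin
names. The audit lines at the bottom are constructed for the example."""
import json
import re

# The bulletin only says "special characters"; this set is an assumption made
# for the example. Tune it to what your PV paths legitimately contain.
SUSPICIOUS_PATH_CHARS = re.compile(r"[&|;$`<>\"'\r\n]")


def extract_pv_paths(event: dict) -> list:
    """Return the path fields of a PersistentVolume create event ([] for any
    other event). Both spec.local.path and spec.hostPath.path are inspected.
    requestObject is only present when the audit policy level for
    persistentvolumes is Request or RequestResponse."""
    if event.get("verb") != "create":
        return []
    if event.get("objectRef", {}).get("resource") != "persistentvolumes":
        return []
    spec = event.get("requestObject", {}).get("spec", {})
    paths = []
    for source in ("local", "hostPath"):
        path = spec.get(source, {}).get("path")
        if isinstance(path, str):
            paths.append(path)
    return paths


def is_suspicious_pv_event(event: dict) -> bool:
    """True when any path field of a PV create event contains a flagged character."""
    return any(SUSPICIOUS_PATH_CHARS.search(p) for p in extract_pv_paths(event))


def scan_audit_log(lines) -> list:
    """Return one summary record per suspicious PV create event. Blank and
    non-JSON lines are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious_pv_event(event):
            hits.append({
                "auditID": event.get("auditID"),
                "user": event.get("user", {}).get("username"),
                "pv": event.get("objectRef", {}).get("name"),
                "paths": extract_pv_paths(event),
            })
    return hits


def _audit_line(audit_id, resource, name, spec):
    """Build a constructed audit.k8s.io/v1 event line for the sample below."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
        "verb": "create", "user": {"username": "dev@example.com"},
        "objectRef": {"resource": resource, "name": name},
        "requestObject": {"spec": spec},
    })


# Constructed sample: one ordinary PV, one PV whose local path carries a pipe
# character, one unrelated pod create, and one line that is not an audit event.
SAMPLE_AUDIT_LINES = [
    _audit_line("a1", "persistentvolumes", "pv-data",
                {"local": {"path": "C:\\data\\pv-data"}}),
    _audit_line("a2", "persistentvolumes", "pv-odd",
                {"local": {"path": "C:\\data\\pv-odd|probe"}}),
    _audit_line("a3", "pods", "web-0", {"containers": []}),
    "kubelet log noise, not an audit event",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            hits = scan_audit_log(fh)
        # the file is closed here; scan_audit_log consumed it fully above
    else:
        hits = scan_audit_log(SAMPLE_AUDIT_LINES)
    for hit in hits:
        print(hit)
```

Run it with a path to an exported audit log file, or with no arguments to see the constructed sample flag only the a2 event. The path fields only appear in the event when the audit policy records the request body for persistentvolumes, so confirm your policy level before relying on this check.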
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE on VMware clusters running Windows Server nodes and using an in-tree storage plugin might be affected. What should I do?
Determine if you have Windows Server nodes in use on your clusters: kubectl get nodes -l kubernetes.io/os=windows
Check audit logs for evidence of exploitation. Kubernetes audit logs can be audited to determine if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.
Update your GKE on VMware cluster and node pools to a patched version. The following versions of GKE on VMware have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE on VMware versions or later:
What vulnerabilities are addressed by this patch? CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. |
High |
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE on AWS clusters aren't affected. What should I do? No action required. |
None |
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE on Azure clusters aren't affected. What should I do? No action required. |
None |
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE on Bare Metal clusters aren't affected. What should I do? No action required. |
None |
2024-03-06 Update: Added patch versions for GKE on VMware
2024-02-28 Update: Added patch versions for Ubuntu
2024-02-15 Update: Clarified that the 1.25 and 1.26 Ubuntu patch versions in the 2024-02-14 update might cause unhealthy nodes.
2024-02-14 Update: Added patch versions for Ubuntu
2024-02-06 Update: Added patch versions for Container-Optimized OS.
Updated: 2024-03-06
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted. What should I do? 2024-02-28 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:
2024-02-15 Update: Due to an issue, the following Ubuntu patch versions from the 2024-02-14 update might cause your nodes to enter an unhealthy state. Don't upgrade to the following patch versions. We'll update this bulletin when newer patch versions for Ubuntu are available for 1.25 and 1.26.
If you already upgraded to one of these patch versions, manually downgrade your node pool to an earlier version in your release channel. 2024-02-14 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:
2024-02-06 Update: The following versions of GKE have been updated with code to fix this vulnerability in Container-Optimized OS. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Container-Optimized OS node pools to one of the following GKE versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. We're updating GKE with code to fix this vulnerability. We'll update this bulletin when patch versions are available. What vulnerabilities are addressed by this patch?
|
High |
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in What should I do? 2024-03-06 Update: The following versions of GKE on VMware have been updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:
Patch versions and a severity assessment for GKE on VMware are in progress. We'll update this bulletin with that information when it's available. What vulnerabilities are addressed by this patch?
|
High |
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in What should I do? Patch versions and a severity assessment for GKE on AWS are in progress. We'll update this bulletin with that information when it's available. What vulnerabilities are addressed by this patch?
|
High |
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in What should I do? Patch versions and a severity assessment for GKE on Azure are in progress. We'll update this bulletin with that information when it's available. What vulnerabilities are addressed by this patch?
|
High |
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in What should I do? Patch versions and a severity assessment for GKE on Bare Metal are in progress. We'll update this bulletin with that information when it's available. What vulnerabilities are addressed by this patch?
|
High |
2024-02-07 Update: Added patch versions for Ubuntu.
Updated: 2024-02-07
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? 2024-02-07 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Updated: 2024-01-26
Description | Severity |
---|---|
2024-01-26 Update: Security research that found a small number of GKE clusters with a customer-created misconfiguration involving the We have identified several clusters where users have granted Kubernetes privileges to the Recently, a security researcher reported findings of clusters with RBAC misconfigurations through our vulnerability reporting program. Google's approach to authentication is to make authenticating to Google Cloud and GKE as simple and secure as possible without adding complex configuration steps. Authentication just tells us who the user is; Authorization is where access is determined. So the With this in mind we've taken several steps to reduce the risk of users making authorization errors with the Kubernetes built-in users and groups, including To protect users from accidental authorization errors with these system users/groups, we have:
Clusters that apply authorized networks restrictions have a first layer of defense: they cannot be attacked directly from the Internet. But we still recommend removing these bindings for defense in depth and to guard against errors in network controls. We are investigating ways we can further protect against user RBAC misconfiguration with these system users/groups through prevention and detection. What should I do? To prevent any new bindings of Existing bindings should be reviewed following this guidance. |
Medium |
No updates at this time.
No updates at this time.
No updates at this time.
No updates at this time.
2024-02-20 Update: Added patch versions for GKE on VMware.
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Updated: 2024-02-20
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
What should I do? 2024-02-20 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later: 1.28.100 |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
Updated: 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted; that was incorrect. GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or grant the additional privileges that the bulletin lists. Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
Description | Severity |
---|---|
An attacker who has compromised the Fluent Bit logging container could combine that access with the high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster. The issues with Fluent Bit and Anthos Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise. We are not aware of any instances of exploitation of these vulnerabilities. These issues were reported through our Vulnerability Reward Program. What should I do? The following versions of GKE have been updated with code to fix these vulnerabilities in Fluent Bit and for users of managed Anthos Service Mesh. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are being addressed by this patch? The vulnerabilities addressed by this bulletin require an attacker to first compromise the Fluent Bit logging container. We are not aware of any existing vulnerabilities in Fluent Bit that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.
GKE uses Fluent Bit to process logs for workloads running on clusters. Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to the Kubernetes service account tokens of other Pods running on the node. The researcher used this access to discover a highly privileged service account token on clusters that have Anthos Service Mesh enabled. Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new Pod with cluster-admin privileges.
We have removed Fluent Bit's access to the service account tokens and have redesigned the functionality of Anthos Service Mesh to remove excess privileges. |
Medium |
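The chain described above has two links a defender can audit for on their own clusters: a hostPath volume that reaches the kubelet's pod directory (the place on a node where other Pods' projected service account tokens are stored) and a ServiceAccount bound to a ClusterRole that can create Pods. The following is an added example, not Google's, Fluent Bit's or Anthos Service Mesh's code; every pod, role and binding object in it is constructed, and the object names are made up rather than GKE's real ones.

```python
"""Audit pod specs and RBAC for the two links in the Fluent Bit / service mesh chain.

Added example (not Google's code). Checks:
  1. hostPath volumes that mount the kubelet pod directory or an ancestor of it,
     which exposes other pods' projected service-account tokens on the node;
  2. which ServiceAccounts hold a ClusterRole that can create Pods, since a token
     for such an account is what allowed creating a cluster-admin Pod.
All sample objects below are constructed; none are real GKE or mesh manifests.
"""
from __future__ import annotations

import posixpath

# Standard kubelet layout: /var/lib/kubelet/pods/<pod-uid>/volumes/kubernetes.io~projected/<vol>/token
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"


def _covers(mount_path: str, target: str) -> bool:
    """True if a hostPath at mount_path exposes target (equal to it or an ancestor of it)."""
    mount = posixpath.normpath(mount_path)
    target = posixpath.normpath(target)
    return target == mount or target.startswith(mount.rstrip("/") + "/")


def hostpaths_exposing_tokens(pod: dict) -> list[str]:
    """Names of hostPath volumes through which this pod can read other pods' SA tokens."""
    return [
        vol["name"]
        for vol in pod.get("spec", {}).get("volumes", [])
        if "hostPath" in vol and _covers(vol["hostPath"]["path"], KUBELET_PODS_DIR)
    ]


def _rule_allows(rule: dict, verb: str, resource: str) -> bool:
    verbs, resources = rule.get("verbs", []), rule.get("resources", [])
    return ("*" in verbs or verb in verbs) and ("*" in resources or resource in resources)


def service_accounts_that_can(verb: str, resource: str,
                              cluster_roles: list[dict], bindings: list[dict]) -> list[str]:
    """'namespace/name' of every ServiceAccount bound to a ClusterRole granting verb on resource."""
    granting = {
        role["metadata"]["name"]
        for role in cluster_roles
        if any(_rule_allows(rule, verb, resource) for rule in role.get("rules", []))
    }
    accounts = set()
    for binding in bindings:
        if binding["roleRef"]["name"] not in granting:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                accounts.add(f"{subject.get('namespace', 'default')}/{subject['name']}")
    return sorted(accounts)


def audit(pods: list[dict], cluster_roles: list[dict], bindings: list[dict]) -> dict[str, list[str]]:
    """Findings keyed by 'namespace/pod'; pod-creating accounts are reported under the key 'rbac'."""
    report: dict[str, list[str]] = {}
    for pod in pods:
        key = f"{pod['metadata'].get('namespace', 'default')}/{pod['metadata']['name']}"
        exposing = hostpaths_exposing_tokens(pod)
        if exposing:
            report[key] = [f"hostPath volume {v!r} exposes {KUBELET_PODS_DIR}" for v in exposing]
    creators = service_accounts_that_can("create", "pods", cluster_roles, bindings)
    if creators:
        report["rbac"] = [f"{sa} can create pods" for sa in creators]
    return report


# Constructed sample objects (names are invented, not GKE's or the mesh's real objects).
SAMPLE_PODS = [
    {"metadata": {"name": "log-agent-7x2", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "agent"}],
              "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}},
                          {"name": "kubelet-pods", "hostPath": {"path": "/var/lib/kubelet/pods/"}}]}},
    {"metadata": {"name": "web-1", "namespace": "prod"},
     "spec": {"containers": [{"name": "web"}],
              "volumes": [{"name": "scratch", "emptyDir": {}}]}},
]
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "mesh-controller"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create", "delete"]}]},
    {"metadata": {"name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "mesh-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "mesh-controller", "namespace": "mesh-system"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "log-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "log-agent", "namespace": "kube-system"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]

if __name__ == "__main__":
    for subject, findings in audit(SAMPLE_PODS, SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS).items():
        for finding in findings:
            print(f"{subject}: {finding}")
```

On a live cluster the same functions can be fed the output of `kubectl get pods -A -o json`, `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` (the `items` lists). The RBAC check deliberately reports any account that can create Pods, not only cluster-admin: creating a Pod that mounts a privileged ServiceAccount, or that runs privileged on a node, is enough to finish the escalation the bulletin describes, so that verb alone is the interesting signal.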
Description | Severity |
---|---|
Only GKE on VMware clusters using Anthos Service Mesh are affected. What should I do? If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are addressed by this patch? The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container, or have root on a cluster node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new Pod with cluster-admin privileges. We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges. |
Medium |
Description | Severity |
---|---|
Only GKE on AWS clusters using Anthos Service Mesh are affected. What should I do? If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are addressed by this patch? The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container, or have root on a cluster node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new Pod with cluster-admin privileges. We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges. |
Medium |
Description | Severity |
---|---|
Only GKE on Azure clusters using Anthos Service Mesh are affected. What should I do? If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are addressed by this patch? The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container, or have root on a cluster node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new Pod with cluster-admin privileges. We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges. |
Medium |
Description | Severity |
---|---|
Only GKE on Bare Metal clusters using Anthos Service Mesh are affected. What should I do? If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are addressed by this patch? The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container, or have root on a cluster node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. Anthos Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Anthos Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new Pod with cluster-admin privileges. We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges. |
Medium |
2024-03-04 Update: Added GKE versions for GKE on VMware.
2024-01-22 Update: Added Ubuntu patch versions.
Updated: 2024-01-22
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted. What should I do? 2024-01-22 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Updated: 2024-02-29
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? 2024-03-04 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:
|
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
Updated: 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted; that was incorrect. GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or grant the additional privileges that the bulletin lists. Clusters using GKE Sandbox aren't impacted. What should I do? The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-11-15 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patched version for GKE.
Updated: 2023-11-15
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters aren't impacted. Clusters using GKE Sandbox aren't impacted. What should I do? 2023-11-15 Update: You only need to upgrade to one of the patched versions listed in this bulletin if your nodes run that minor version. For example, if you use GKE version 1.27, you should upgrade to the corresponding patched version. However, if you use GKE version 1.24, you don't need to upgrade to a patched version. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patched version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
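The rule stated above, and repeated in the kernel bulletins throughout this page (a node pool needs action only if it runs a minor version the bulletin lists, and only until it reaches that minor's listed patch version or later), is easy to misapply across a fleet of node pools, so here it is as code. This is an added example, not Google's tooling; the patch list and node-pool versions in it are hypothetical and are not the versions from any bulletin on this page.

```python
"""Decide which node pools a GKE kernel bulletin actually requires you to upgrade.

Added example (not Google's code). Encodes the bulletins' rule: a node pool needs
action only if it runs a minor version the bulletin lists, and only until it
reaches that minor's listed patch version or later. The patch list and node-pool
versions below are constructed and are NOT the versions from any real bulletin.
"""
from __future__ import annotations

import re

# GKE version strings look like 1.27.3-gke.100 (major.minor.patch-gke.build).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_gke_version(version: str) -> tuple[int, int, int, int]:
    """Parse '1.27.3-gke.100' into (1, 27, 3, 100) so that tuples compare numerically."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a GKE version string: {version!r}")
    major, minor, patch, build = (int(x) for x in match.groups())
    return (major, minor, patch, build)


def minor_of(version: str) -> tuple[int, int]:
    """The (major, minor) pair that a bulletin's 'affected minor versions' refer to."""
    return parse_gke_version(version)[:2]


def needs_upgrade(current: str, patched_versions: list[str]) -> str | None:
    """Return the patch version this node pool must reach, or None if no action is needed.

    None covers both no-action cases the bulletins distinguish:
      * the node pool's minor version isn't listed, so it isn't impacted;
      * the node pool already runs the listed patch version or later.
    """
    cur = parse_gke_version(current)
    for patched in patched_versions:
        if minor_of(patched) == cur[:2]:
            return patched if cur < parse_gke_version(patched) else None
    return None


def plan_upgrades(node_pools: dict[str, str], patched_versions: list[str]) -> dict[str, str]:
    """Map each node pool that needs action to the version it should be upgraded to."""
    plan: dict[str, str] = {}
    for name, version in node_pools.items():
        target = needs_upgrade(version, patched_versions)
        if target is not None:
            plan[name] = target
    return plan


# Constructed data: a hypothetical bulletin listing three minors, and four node pools.
HYPOTHETICAL_PATCHED = ["1.25.14-gke.1000", "1.26.9-gke.1000", "1.27.5-gke.1000"]
HYPOTHETICAL_NODE_POOLS = {
    "pool-a": "1.27.3-gke.100",    # listed minor, below the patch -> upgrade
    "pool-b": "1.27.6-gke.200",    # listed minor, already later   -> nothing to do
    "pool-c": "1.24.17-gke.200",   # minor not listed              -> not impacted
    "pool-d": "1.25.14-gke.1000",  # exactly the listed patch      -> nothing to do
}

if __name__ == "__main__":
    for pool, target in plan_upgrades(HYPOTHETICAL_NODE_POOLS, HYPOTHETICAL_PATCHED).items():
        print(f"{pool}: upgrade to {target} or later")
```

The comparison is done on the parsed tuple rather than on the string, because a string comparison would rank `1.27.10-gke.100` below `1.27.5-gke.1000`. Feed `needs_upgrade` the actual versions from the bulletin you are acting on and the node-pool versions from `gcloud container node-pools list`.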
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-12-05 Update: Added additional GKE versions for Container-Optimized OS node pools.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
Updated: 2023-11-21, 2023-12-05, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted; that was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or grant the additional privileges that the bulletin lists. Clusters using GKE Sandbox are not impacted. What should I do? 2023-12-05 Update: Some GKE versions were previously missing. The following is an updated list of GKE versions that you can update your Container-Optimized OS node pools to:
2023-11-21 Update: You only need to upgrade to one of the patch versions listed in this bulletin if your nodes run that minor version. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted; that was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or grant the additional privileges that the bulletin lists. Clusters using GKE Sandbox are not impacted. What should I do? 2023-11-21 Update: You only need to upgrade to one of the patch versions listed in this bulletin if your nodes run that minor version. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
2023-11-16 Update: The vulnerability associated with this security bulletin is CVE-2023-4622. CVE-2023-4623 was incorrectly listed as the vulnerability in a previous version of the security bulletin.
Updated: 2023-11-21, 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
Autopilot clusters are impacted. Clusters using GKE Sandbox are not impacted. What should I do? 2023-11-21 Update: You only need to upgrade to one of the patch versions listed in this bulletin if your nodes run that minor version. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
Updated: 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Updated: 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Updated: 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Updated: 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted; that was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or grant the additional privileges that the bulletin lists. Clusters using GKE Sandbox are not impacted. What should I do? 2023-11-21 Update: You only need to upgrade to one of the patch versions listed in this bulletin if your nodes run that minor version. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted; that was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or grant the additional privileges that the bulletin lists. Clusters using GKE Sandbox are not impacted. What should I do? 2023-11-21 Update: You only need to upgrade to one of the patch versions listed in this bulletin if your nodes run that minor version. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
None |
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted; that was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or grant the additional privileges that the bulletin lists. Clusters using GKE Sandbox are not impacted. What should I do? 2023-11-21 Update: You only need to upgrade to one of the patch versions listed in this bulletin if your nodes run that minor version. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
High |
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted and GKE Sandbox workloads are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted; that was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or grant the additional privileges that the bulletin lists. Clusters that use GKE Sandbox are not impacted. What should I do? 2023-11-21 Update: You only need to upgrade to one of the patch versions listed in this bulletin if your nodes run that minor version. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? There is no action required. GKE on Bare Metal isn't affected because it doesn't bundle an operating system in its distribution. |
2024-03-20 Update: Added patch versions for GKE on AWS and GKE on Azure
2024-02-14 Update: Added patch versions for GKE on VMware
2023-11-09 Update: Added CVE-2023-39325. Updated GKE versions with the latest patches for CVE-2023-44487 and CVE-2023-39325.
Updated: 2023-11-09
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected. What should I do?2023-11-09 Update: We have released new versions of GKE that include the Go and Kubernetes security patches, which you can update your clusters to now. In the coming weeks we will release additional changes to the GKE control plane to further mitigate this issue. The following GKE versions have been updated with patches for CVE-2023-44487 and CVE-2023-39325:
We recommend that you apply the following mitigation as soon as possible and upgrade to the latest patched version when available. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to, and we will also make the patches visible in GKE security posture when they are available for your cluster. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications. A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.
Mitigate by configuring authorized networks for control plane access: you can add authorized networks to existing clusters. To learn more, see Authorized networks for existing clusters. In addition to the authorized networks you add, there are preset IP addresses that can access the GKE control plane. To learn more about these addresses, see Access to control plane endpoints. The following items summarize the cluster isolation:
What vulnerabilities are addressed by this patch? The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on GKE control plane nodes. |
High |
Updated: 2024-02-14
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on VMware creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.
What should I do? 2024-02-14 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following patch versions or later:
If you have configured your GKE on VMware Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. We recommend that you upgrade to the latest patch version, when available, as soon as possible. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.
What vulnerabilities are addressed by this patch? The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes. |
High |
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on AWS creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.
What should I do? 2024-03-20 Update: The following GKE on AWS versions have been updated with patches for CVE-2023-44487:
If you have configured your GKE on AWS clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. We recommend that you upgrade to the latest patch version, when available, as soon as possible. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.
What vulnerabilities are addressed by this patch? The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes. |
High |
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on Azure creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.
What should I do? 2024-03-20 Update: The following GKE on Azure versions have been updated with patches for CVE-2023-44487:
If you have configured your GKE on Azure clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. We recommend that you upgrade to the latest patch version, when available, as soon as possible. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.
What vulnerabilities are addressed by this patch? The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes. |
High |
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. Anthos on Bare Metal creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.
What should I do? If you have configured your Anthos on Bare Metal Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. To learn more, see the GKE on Bare Metal security overview. We recommend that you upgrade to the latest patch version, when available, as soon as possible. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.
What vulnerabilities are addressed by this patch? The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes. |
High |
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. GKE clusters are only affected if they include Windows nodes.
What should I do? The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
The GKE control plane will be updated the week of 2023-09-04 to update the csi-proxy to version 1.1.3. If you update your nodes prior to the control plane update, you will need to update your nodes again after the update to take advantage of the new proxy. You can update the nodes again, even without changing the node version, by running the
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.
What vulnerabilities are addressed by this patch? With CVE-2023-3676, a malicious actor could craft a Pod spec with host path strings that contain PowerShell commands. Kubelet lacks input sanitization and passes this crafted path string to the command executor as an argument, where it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has. With CVE-2023-3955, Kubelet grants users who can create Pods the ability to execute code at the same permission level as the Kubelet agent, that is, privileged permissions. With CVE-2023-3893, a similar lack of input sanitization lets a user who can create Pods on Windows nodes running kubernetes-csi-proxy escalate to admin privileges on those nodes. Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into Pods are also a strong indication of exploitation. |
High |
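The bulletin above points to Kubernetes audit logs as the detection source: Pod create requests whose hostPath strings embed PowerShell syntax, and ConfigMaps or Secrets created with embedded PowerShell commands. The following script, added here as an illustration and not part of the bulletin or of any Google tooling, runs that detection logic over a few constructed audit events. It assumes the audit policy records request bodies (the `requestObject` field is only present at the Request or RequestResponse audit level) and uses a simple indicator regex that a security team would tune to its own environment; the sample events, usernames and object names are made up.

```python
import base64
import json
import re
from typing import Iterator, List

# Tokens that should never appear in a Windows file path or in a plain config value
# but are typical of PowerShell: sub-expressions, command separators, interpreter
# invocation flags and common cmdlet verb-noun names. Heuristic, tune per environment.
POWERSHELL_INDICATORS = re.compile(
    r"\$\(|;|\||&|`"
    r"|\bpowershell\b|-(?:Command|EncodedCommand)\b"
    r"|\b(?:Invoke|Start|Set|Get|New|Write)-[A-Za-z]+\b",
    re.IGNORECASE,
)


def looks_like_powershell(value: str) -> bool:
    """True when a path or config value contains PowerShell-like syntax."""
    return bool(POWERSHELL_INDICATORS.search(value))


def host_paths(pod: dict) -> Iterator[str]:
    """Yield every hostPath volume path declared in a Pod object."""
    for volume in pod.get("spec", {}).get("volumes") or []:
        path = (volume.get("hostPath") or {}).get("path")
        if path:
            yield path


def config_values(obj: dict) -> Iterator[str]:
    """Yield the string values of a ConfigMap or Secret; Secret 'data' is base64."""
    for value in (obj.get("stringData") or {}).values():
        yield str(value)
    for value in (obj.get("data") or {}).values():
        text = str(value)
        if obj.get("kind") == "Secret":
            try:
                text = base64.b64decode(text, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError; keep raw text
                pass
        yield text


def analyze_event(event: dict) -> List[dict]:
    """Return findings for one audit event (empty list when nothing is suspicious)."""
    if event.get("verb") != "create":
        return []
    ref = event.get("objectRef") or {}
    resource = ref.get("resource")
    body = event.get("requestObject")  # absent unless audit level is Request or higher
    if not body:
        return []
    if resource == "pods":
        candidates = [("pod-hostpath-powershell", p) for p in host_paths(body)]
    elif resource in ("configmaps", "secrets"):
        candidates = [(resource[:-1] + "-powershell", v) for v in config_values(body)]
    else:
        return []
    return [
        {"rule": rule, "user": (event.get("user") or {}).get("username"),
         "namespace": ref.get("namespace"), "name": ref.get("name"), "value": value}
        for rule, value in candidates
        if looks_like_powershell(value)
    ]


def scan_audit_log(lines) -> List[dict]:
    """Parse JSON-lines audit output and collect findings; malformed lines are skipped."""
    findings: List[dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            findings.extend(analyze_event(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return findings


def _event(verb, resource, name, body, user="dev@example.com", ns="default"):
    """Build a minimal audit Event in the shape the API server emits (constructed)."""
    return {"kind": "Event", "verb": verb, "user": {"username": user},
            "objectRef": {"resource": resource, "namespace": ns, "name": name},
            "requestObject": body}


# Constructed sample log: one benign Pod, one Pod with PowerShell in a hostPath,
# a ConfigMap and a Secret with embedded cmdlets, and an unrelated read event.
SAMPLE_AUDIT_LOG_LINES = [json.dumps(e) for e in [
    _event("create", "pods", "web", {"kind": "Pod", "spec": {"volumes": [
        {"name": "logs", "hostPath": {"path": "C:\\ProgramData\\app\\logs"}}]}}),
    _event("create", "pods", "build", {"kind": "Pod", "spec": {"volumes": [
        {"name": "src", "hostPath": {"path": "C:\\data; Write-Output injected"}}]}}),
    _event("create", "configmaps", "tasks", {"kind": "ConfigMap",
        "data": {"run.txt": "Invoke-Expression $(Get-Content C:\\x)"}}),
    _event("create", "secrets", "token", {"kind": "Secret",
        "data": {"cmd": base64.b64encode(b"Start-Process notepad").decode()}}),
    _event("get", "pods", "web", None),
]]

if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG_LINES):
        print(f"{f['rule']}: {f['namespace']}/{f['name']} by {f['user']}: {f['value']!r}")
```

Running the script reports the `build` Pod, the `tasks` ConfigMap and the `token` Secret and stays silent on the benign Pod and the read event. In practice the same functions would be fed from the audit log export rather than the embedded sample, and a hit on a Pod create should be correlated with the user and namespace before escalating.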
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. Clusters are only affected if they include Windows nodes.
What should I do?
What vulnerabilities are addressed by this patch? With CVE-2023-3676, a malicious actor could craft a Pod spec with host path strings that contain PowerShell commands. Kubelet lacks input sanitization and passes this crafted path string to the command executor as an argument, where it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has. With CVE-2023-3955, Kubelet grants users who can create Pods the ability to execute code at the same permission level as the Kubelet agent, that is, privileged permissions. With CVE-2023-3893, a similar lack of input sanitization lets a user who can create Pods on Windows nodes running kubernetes-csi-proxy escalate to admin privileges on those nodes. Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into Pods are also a strong indication of exploitation. |
High |
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.
What should I do? GKE on AWS is not affected by these CVEs. No action is required. |
None |
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.
What should I do? GKE on Azure is not affected by these CVEs. No action is required. |
None |
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy.
What should I do? GKE on Bare Metal is not affected by these CVEs. No action is required. |
None |
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE Autopilot clusters are affected as GKE Autopilot nodes always use Container-Optimized OS node images. GKE Standard clusters with versions 1.25 or later that are running Container-Optimized OS node images are affected. GKE clusters are not affected if they are running only Ubuntu node images, or running versions before 1.25, or using GKE Sandbox.
What should I do? The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.
What vulnerabilities are being addressed? With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on those siblings before detaching them from their group, leaving a dangling pointer that results in a use-after-free vulnerability. |
High |
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware clusters are affected.
What should I do?
What vulnerabilities are being addressed? With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on those siblings before detaching them from their group, leaving a dangling pointer that results in a use-after-free vulnerability. |
High |
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS clusters are affected.
What should I do?
What vulnerabilities are addressed by this patch? With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on those siblings before detaching them from their group, leaving a dangling pointer that results in a use-after-free vulnerability. |
High |
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure clusters are affected.
What should I do?
What vulnerabilities are addressed by this patch? With CVE-2023-2235, the perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on those siblings before detaching them from their group, leaving a dangling pointer that results in a use-after-free vulnerability. |
High |
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE.
What should I do? No action is required. |
None |