Vulnerability fixes

Upgrading a cluster to the latest Google Distributed Cloud version brings added features and fixes to your cluster. With each patch release, we fix numerous security vulnerabilities, which makes upgrading to the latest recommended patch version all the more important. Upgrading is a shared responsibility between Google and the customer. For more information about shared responsibilities, see Shared Responsibility Model.

This page is for Security specialists who support the resolution of security issues or vulnerabilities that need strategic assistance, such as incidents and issues escalated from support. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.

How vulnerabilities are classified

Security vulnerabilities are usually identified through the Common Vulnerabilities and Exposures (CVE) system. The GKE Enterprise security team classifies vulnerabilities according to the Kubernetes vulnerability scoring system. Classifications consider many factors including GKE, GKE Enterprise, and Google Distributed Cloud configuration and security hardening. Because of these factors and the investments Google Cloud makes in security, these vulnerability classifications might differ from other classification sources.

The following table describes vulnerability severity categories:

| Severity | Description |
| --- | --- |
| Critical | A vulnerability easily exploitable in all clusters by an unauthenticated remote attacker that leads to full system compromise. |
| High | A vulnerability easily exploitable for many clusters that leads to loss of confidentiality, integrity, or availability. |
| Medium | A vulnerability exploitable for some clusters where loss of confidentiality, integrity, or availability is limited by common configurations, difficulty of the exploit itself, required access, or user interaction. |
| Low | All other vulnerabilities. Exploitation is unlikely or consequences of exploitation are limited. |

Security bulletins

Most vulnerabilities are fixed in supported versions of Google Distributed Cloud before they can be exploited. When there are reported incidents that have the potential to compromise the security of your clusters and data, we publish security bulletins. A security bulletin describes the security issue and its impact and provides a mitigation. For more information and a list of published bulletins, see the Security bulletins page.

When a security bulletin is published for a vulnerability that affects Google Distributed Cloud (software only) on bare metal, we publish a corresponding release note with a link to the bulletin.

Fixed vulnerabilities by Google Distributed Cloud patch version

The following table lists all vulnerabilities that have been fixed, starting in January 2025. For older fixes, see the release notes. The fixes in the following table are listed by Google Distributed Cloud release version and severity:

| Minor version | Patch and severity | Vulnerabilities fixed |
| --- | --- | --- |
| 1.29 | 1.29.900-gke.180: Critical Severity | N/A |
| 1.29 | 1.29.900-gke.180: High Severity | CVE-2015-20107, CVE-2020-10735, CVE-2020-16156, CVE-2021-3737, CVE-2022-0934, CVE-2022-1304, CVE-2022-45061, CVE-2022-48733, CVE-2023-3676, CVE-2023-3955, CVE-2023-5528, CVE-2023-24329, CVE-2023-39325, CVE-2024-0793, CVE-2024-6232, CVE-2024-7592, CVE-2024-38577, CVE-2024-41011, CVE-2024-42228, CVE-2024-42280, CVE-2024-42284, CVE-2024-42285, CVE-2024-42301, CVE-2024-42302, CVE-2024-42313, CVE-2024-43839, CVE-2024-43858, CVE-2024-43882, CVE-2024-44974, CVE-2024-44987, CVE-2024-44998, CVE-2024-44999, CVE-2024-46673, CVE-2024-46674, CVE-2024-46722, CVE-2024-46723, CVE-2024-46724, CVE-2024-46725, CVE-2024-46731, CVE-2024-46738, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744, CVE-2024-46747, CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759, CVE-2024-46782, CVE-2024-46798, CVE-2024-46800, CVE-2024-46804, CVE-2024-46814, CVE-2024-46815, CVE-2024-46818, CVE-2024-46828, CVE-2024-46844, GHSA-m425-mq94-257g |
| 1.29 | 1.29.900-gke.180: Medium Severity | CVE-2021-3669, CVE-2021-3733, CVE-2021-4189, CVE-2023-2431, CVE-2023-2727, CVE-2023-2728, CVE-2023-3978, CVE-2023-27043, CVE-2023-31083, CVE-2023-40217, CVE-2023-44487, CVE-2023-52889, CVE-2024-29018, CVE-2024-41098, CVE-2024-42114, CVE-2024-42246, CVE-2024-42259, CVE-2024-42272, CVE-2024-42283, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289, CVE-2024-42297, CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-43828, CVE-2024-43829, CVE-2024-43834, CVE-2024-43835, CVE-2024-43846, CVE-2024-43849, CVE-2024-43853, CVE-2024-43854, CVE-2024-43856, CVE-2024-43860, CVE-2024-43861, CVE-2024-43871, CVE-2024-43884, CVE-2024-43889, CVE-2024-43890, CVE-2024-43892, CVE-2024-43893, CVE-2024-43894, CVE-2024-43905, CVE-2024-43907, CVE-2024-43908, CVE-2024-43914, CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947, CVE-2024-44954, CVE-2024-44960, CVE-2024-44965, CVE-2024-44968, CVE-2024-44971, CVE-2024-44988, CVE-2024-44989, CVE-2024-44990, CVE-2024-44995, CVE-2024-45003, CVE-2024-45006, CVE-2024-45016, CVE-2024-45018, CVE-2024-45021, CVE-2024-45025, CVE-2024-45028, CVE-2024-46675, CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685, CVE-2024-46689, CVE-2024-46702, CVE-2024-46707, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721, CVE-2024-46737, CVE-2024-46739, CVE-2024-46750, CVE-2024-46755, CVE-2024-46763, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780, CVE-2024-46781, CVE-2024-46783, CVE-2024-46791, CVE-2024-46817, CVE-2024-46819, CVE-2024-46822, CVE-2024-46829, CVE-2024-46840, CVE-2024-47663, GHSA-jq35-85cj-fj4p, GHSA-r4pg-vg54-wxx4 |
| 1.29 | 1.29.900-gke.180: Low Severity | CVE-2018-7738, CVE-2021-3426, CVE-2021-28861, CVE-2021-29921, CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087, CVE-2022-42919, CVE-2023-6597, CVE-2023-28450, CVE-2023-50387, CVE-2023-50868, CVE-2024-0397, CVE-2024-4032, CVE-2024-8088, CVE-2024-8508, CVE-2024-8775, CVE-2024-9287, CVE-2024-9902, CVE-2024-11168, CVE-2024-43841, CVE-2024-52533 |

For more information about fixes and changes for a given release, see the release notes: