Rapid Vulnerability Detection overview

Stay organized with collections Save and categorize content based on your preferences.

This page provides an overview of Rapid Vulnerability Detection, including:

  • The scan targets that Rapid Vulnerability Detection supports
  • The types of scans that Rapid Vulnerability Detection performs
  • The types of vulnerabilities (scan findings) that Rapid Vulnerability Detection detects

This page also includes some best practices for testing Rapid Vulnerability Detection scans.

Overview

Rapid Vulnerability Detection, a built-in service of Security Command Center Premium, is a zero- configuration network and web application scanner that actively scans public endpoints to detect vulnerabilities that have a high likelihood of being exploited, such as weak credentials, incomplete software installations, and exposed administrator user interfaces. The service automatically discovers network endpoints, protocols, open ports, network services, and installed software packages.

Rapid Vulnerability Detection findings are early warnings of vulnerabilities that we recommend you fix immediately. You can view findings in the Security Command Center.

Supported scan targets

Rapid Vulnerability Detection supports the following resources:

  • Compute Engine
    • Rapid Vulnerability Detection supports only VMs that have a public IP address. VMs that are behind a firewall or that do not have a public IP address are excluded from scans.
  • Cloud Load Balancing
    • Rapid Vulnerability Detection supports only external load balancers.
  • Google Kubernetes Engine ingress
  • Cloud Run
    • Rapid Vulnerability Detection scans default domains that Cloud Run provides for your applications or custom domains configured for Cloud Run services behind external load balancers. Custom domains using built-in domain mapping are not supported. However, default domains are always available even when domain mapping is used.
  • App Engine
    • Rapid Vulnerability Detection scans only default domains that App Engine provides for your applications. Custom domains are not supported. However, default domains are always available even when custom domains are used.

Scans

Rapid Vulnerability Detection runs managed scans that detect N-day vulnerabilities, which are known vulnerabilities that can be exploited to gain arbitrary data access and allow remote code execution. Such vulnerabilities include weak credentials, incomplete software installations, and exposed administrator user interfaces.

When you enable the service, scans are automatically configured and managed by Security Command Center; your security teams don't need to provide target URLs or manually start scans. Rapid Vulnerability Detection uses Cloud Asset Inventory to retrieve information about new VMs and applications in your projects and runs scans once a week to find public endpoints and detect vulnerabilities.

Rapid Vulnerability Detection scans supported targets for open ports (HTTP, HTTPS, SSH, MySQL, and others), and evaluates scan targets to learn about installed web applications and exposed network services. Because Rapid Vulnerability Detection conducts multiple scans on public endpoints and uses "fingerprints" to identify known services, high-risk, high-severity vulnerabilities are reported with a minimal false-positive rate.

To learn more about the scan target assets that are supported by Rapid Vulnerability Detection, see Supported scan targets.

Scan findings and remediations

The following table lists Rapid Vulnerability Detection finding types and suggested remediation steps.

Rapid Vulnerability Detection scans identify the following finding types.

Finding type Finding description OWASP top 10 codes
Weak credential findings
WEAK_CREDENTIALS This detector checks for weak credentials using ncrack brute force methods.

Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM

Remediation: Enforce a strong password policy. Create unique credentials for your services and avoid using dictionary words in passwords.

2021
  A07

2017
  A2
Exposed interface findings
ELASTICSEARCH_API_EXPOSED The Elasticsearch API lets callers perform arbitrary queries, write and execute scripts, and add additional documents to the service.

Remediation: Remove direct access to the Elasticsearch API by routing requests through an application, or limit access to authenticated users only. For more information, see Security settings in Elasticsearch.

2021
  A01, A05

2017
  A5, A6
EXPOSED_GRAFANA_ENDPOINT

In Grafana 8.0.0 to 8.3.0, users can access without authentication an endpoint that has a directory traversal vulnerability that allows any user to read any file on the server without authentication. For more information, see CVE-2021-43798.

Remediation: Patch Grafana or upgrade Grafana to a later version. For more information, see Grafana path traversal.

2021
  A06, A07

2017
  A2, A9
EXPOSED_METABASE

Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support and potential local file inclusion, including environment variables. URLs were not validated prior to being loaded. For more information, see CVE-2021-41277.

Remediation: Upgrade to maintenance releases 0.40.5 or later or 1.40.5 or later. For more information, see GeoJSON URL validation can expose server files and environment variables to unauthorized users.

2021
  A06

2017
  A3, A9
EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT This detector checks whether sensitive Actuator endpoints of Spring Boot applications are exposed. Some of the default endpoints, like /heapdump, might expose sensitive information. Other endpoints, like /env, might lead to remote code execution. Currently, only /heapdump is checked.

Remediation: Disable access to sensitive Actuator endpoints. For more information, see Securing HTTP Endpoints.

2021
  A01, A05

2017
  A5, A6
HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API This detector checks whether the Hadoop Yarn ResourceManager API, which controls the computation and storage resources of a Hadoop cluster, is exposed and allows unauthenticated code execution.

Remediation: Use access control lists with the API.

2021
  A01, A05

2017
  A5, A6
JAVA_JMX_RMI_EXPOSED The Java Management Extension (JMX) allows remote monitoring and diagnostics for Java applications. Running JMX with unprotected Remote Method Invocation endpoint allows any remote users to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs.

Remediation: To properly configure remote monitoring, see Monitoring and Management Using JMX Technology.

2021
  A01, A05

2017
  A5, A6
JUPYTER_NOTEBOOK_EXPOSED_UI This detector checks whether an unauthenticated Jupyter Notebook is exposed. Jupyter allows remote code execution by design on the host machine. An unauthenticated Jupyter Notebook puts the hosting VM at risk of remote code execution.

Remediation: Add token authentication to your Jupyter Notebook server, or use more recent versions of Jupyter Notebook that use token authentication by default.

2021
  A01, A05

2017
  A5, A6
KUBERNETES_API_EXPOSED The Kubernetes API is exposed, and can be accessed by unauthenticated callers. This allows arbitrary code execution on the Kubernetes cluster.

Remediation: Require authentication for all API requests. For more information, see the Kubernetes API Authenticating guide.

2021
  A01, A05

2017
  A5, A6
UNFINISHED_WORDPRESS_INSTALLATION This detector checks whether a WordPress installation is unfinished. An unfinished WordPress installation exposes the /wp-admin/install.php page, which allows attacker to set the admin password and, possibly, compromise the system.

Remediation: Complete the WordPress installation.

2021
  A05

2017
  A6
UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE This detector checks for an unauthenticated Jenkins instance by sending a probe ping to the /view/all/newJob endpoint as an anonymous visitor. An authenticated Jenkins instance shows the createItem form, which allows the creation of arbitrary jobs that could lead to remote code execution.

Remediation: Follow Jenkins' guide on managing security to block unauthenticated access.

2021
  A01, A05

2017
  A5, A6
Vulnerable software findings
APACHE_HTTPD_RCE

A flaw was found in Apache HTTP Server 2.4.49 that allows an attacker to use a path traversal attack to map URLs to files outside the expected document root and see the source of interpreted files, like CGI scripts. This issue is known to be exploited in the wild. This issue affects Apache 2.4.49 and 2.4.50 but not earlier versions. For more information about this vulnerability, see:

  1. CVE record CVE-2021-41773
  2. Apache HTTP Server 2.4 vulnerabilities

Remediation: Protect files outside of the document root by configuring the "require all denied" directive in the Apache HTTP Server.

2021
  A01, A06

2017
  A5, A9
APACHE_HTTPD_SSRF

Attackers can craft a URI to the Apache web server that causes mod_proxy to forward the request to an origin server that is chosen by the attacker. This issue affects Apache HTTP server 2.4.48 and earlier. For more information about this vulnerability, see:

  1. CVE record CVE-2021-40438
  2. Apache HTTP Server 2.4 vulnerabilities

Remediation: Upgrade the Apache HTTP server to a later version.

2021
  A06, A10

2017
  A9
CONSUL_RCE

Attackers can execute arbitrary code on a Consul server because the Consul instance is configured with -enable-script-checks set to true and the Consul HTTP API is unsecured and accessible over the network. In Consul 0.9.0 and earlier, script checks are on by default. For more information, see Protecting Consul from RCE Risk in Specific Configurations. To check for this vulnerability, Rapid Vulnerability Detection registers a service on the Consul instance by using the /v1/health/service REST endpoint, which then executes one of the following:

  1. A curl command to a remote server outside of the network. An attacker can use the curl command to exfiltrate data from the server.
  2. A printf command. Rapid Vulnerability Detection then verifies the output of the command by using the /v1/health/service REST endpoint.

After the check, Rapid Vulnerability Detection cleans up and deregisters the service by using the /v1/agent/service/deregister/ REST endpoint.

Remediation: Set enable-script-checks to false in the Console instance configuration.

2021
  A05, A06

2017
  A6, A9
DRUID_RCE

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646 Detail.

Remediation: Upgrade Apache Druid to later version.

2021
  A05, A06

2017
  A6, A9
DRUPAL_RCE

This category includes two vulnerabilities in Drupal. Multiple findings of this type can indicate more than one vulnerability.

Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are vulnerable to remote code execution on Form API AJAX requests.

Remediation: Upgrade to alternate Drupal versions.

2021
  A06

2017
  A9
Drupal versions 8.5.x before 8.5.11 and 8.6.x before 8.6.10 are vulnerable to remote code execution when either the RESTful Web Service module or the JSON:API is enabled. This vulnerability can be exploited by an unauthenticated attacker using a custom POST request.

Remediation: Upgrade to alternate Drupal versions.

2021
  A06

2017
  A9
FLINK_FILE_DISCLOSURE A vulnerability in Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 lets attackers read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.

Remediation: If your Flink instances are exposed, upgrade to Flink 1.11.3 or 1.12.0.

2021
  A01, A05, A06

2017
  A5, A6, A9
GITLAB_RCE

In GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 and later, GitLab does not properly validate image files that are passed to a file parser. An attacker can exploit this vulnerability for remote command execution.

Remediation: Upgrade to GitLab CE or EE release 13.10.3, 13.9.6, and 13.8.8 or later. For more information, see Action needed by self-managed customers in response to CVE-2021-22205.

2021
  A06

2017
  A9
GoCD_RCE

In GoCD 21.2.0 and earlier, there is an endpoint that can be accessed without authentication. This endpoint has a directory traversal vulnerability that allows a user to read any file on the server without authentication.

Remediation: Upgrade to version 21.3.0 or later. For more information, see Release notes of GoCD 21.3.0.

2021
  A06, A07

2017
  A2, A9
JENKINS_RCE Jenkins versions 2.56 and earlier, and 2.46.1 LTS and earlier are vulnerable to remote code execution. This vulnerability can be triggered by an unauthenticated attacker using a malicious serialized Java object.

Remediation: Install an alternate Jenkins version.

2021
  A06, A08

2017
  A8, A9
JOOMLA_RCE

This category includes two vulnerabilities in Joomla. Multiple findings of this type can indicate more than one vulnerability.

Joomla versions 1.5.x, 2.x, and 3.x before 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered with a crafted header containing serialized PHP objects.

Remediation: Install an alternate Joomla version.

2021
  A06, A08

2017
  A8, A9
Joomla versions 3.0.0 through 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered by sending a POST request that contains a crafted serialized PHP object.

Remediation: Install an alternate Joomla version.

2021
  A06

2017
  A9
LOG4J_RCE

In Apache Log4j2 2.14.1 and earlier, JNDI features that are used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. For more information, see CVE-2021-44228.

Remediation: For remediation information, see Apache Log4j Security Vulnerabilities.

2021
  A06

2017
  A9
MANTISBT_PRIVILEGE_ESCALATION MantisBT through version 2.3.0 allows arbitrary password reset and unauthenticated admin access by supplying an empty confirm_hash value to verify.php.

Remediation: Update MantisBT to a newer version or follow the Mantis instructions to apply a critical security fix.

2021
  A06

2017
  A9
OGNL_RCE

Confluence Server and Data Center instances contain an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code. For more information, see CVE-2021-26084.

Remediation: For remediation information, see Confluence Server Webwork OGNL injection - CVE-2021-26084.

2021
  A03

2017
  A1
OPENAM_RCE

OpenAM server 14.6.2 and earlier and ForgeRock AM server 6.5.3 and earlier have a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application. For more information, see CVE-2021-35464.

Remediation: Upgrade to a more recent version. For information about the ForgeRock remediation, see AM Security Advisory #202104.

2021
  A06

2017
  A9
ORACLE_WEBLOGIC_RCE

Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise an Oracle WebLogic Server. Successful attacks of this vulnerability can result in a takeover of Oracle WebLogic Server. For more information, see CVE-2020-14882.

Remediation: For patch information, see Oracle Critical Patch Update Advisory - October 2020.

2021
  A06, A07

2017
  A2, A9
PHPUNIT_RCE PHPUnit versions prior to 5.6.3 allow remote code execution with a single unauthenticated POST request.

Remediation: Upgrade to newer PHPUnit versions.

2021: A05
2017: A6
PHP_CGI_RCE PHP versions before 5.3.12, and versions 5.4.x before 5.4.2, when configured as a CGI script, allow remote code execution. The vulnerable code does not properly handle query strings that lack an = (equals sign) character. This lets attackers add command line options that are executed on the server.

Remediation: Install an alternate PHP version.

2021
  A05, A06

2017
  A6, A9
PORTAL_RCE Deserialization of untrusted data in Liferay Portal versions prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code through JSON web services.

Remediation: Upgrade to newer Liferay Portal versions.

2021
  A06, A08

2017
  A8, A9
REDIS_RCE

If a Redis instance does not require authentication to execute admin commands, attackers might be able to execute arbitrary code.

Remediation: Configure Redis to require authentication.

2021
  A01, A05

2017
  A5, A6
SOLR_FILE_EXPOSED

Authentication is not enabled in Apache Solr, an open source search server. When Apache Solr does not require authentication, an attacker can directly craft a request to enable a specific configuration, and eventually implement a server-side request forgery (SSRF) or read arbitrary files.

Remediation: Upgrade to alternate Apache Solr versions.

2021
  A07, A10

2017
  A2
SOLR_RCE Apache Solr versions 5.0.0 through Apache Solr 8.3.1 are vulnerable to remote code execution through the VelocityResponseWriter if params.resource.loader.enabled is set to true. This allows attackers to create a parameter that contains a malicious Velocity template.

Remediation: Upgrade to alternate Apache Solr versions.

2021
  A06

2017
  A9
STRUTS_RCE

This category includes three vulnerabilities in Apache Struts. Multiple findings of this type can indicate more than one vulnerability.

Apache Struts versions before 2.3.32 and 2.5.x before 2.5.10.1 are vulnerable to remote code execution. The vulnerability can be triggered by an unauthenticated attacker providing a crafted Content-Type header.

Remediation: Install an alternate Apache Struts version.

2021
  A06

2017
  A9
The REST plugin in Apache Struts versions 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 are vulnerable to remote code execution when deserializing crafted XML payloads.

Remediation: Install an alternate Apache Struts version.

2021
  A06, A08

2017
  A8, A9
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to remote code execution when alwaysSelectFullNamespace is set to true and certain other action configurations exist.

Remediation: Install version 2.3.35 or 2.5.17.

2021
  A06

2017
  A9
TOMCAT_FILE_DISCLOSURE Apache Tomcat versions 9.x before 9.0.31, 8.x before 8.5.51, 7.x before 7.0.100, and all 6.x are vulnerable to source code and configuration disclosure through an exposed Apache JServ Protocol connector. In some cases, this is leveraged to perform remote code execution if file uploading is allowed.

Remediation: Upgrade to alternate Apache Tomcat versions.

2021
  A06

2017
  A3, A9
VBULLETIN_RCE vBulletin servers running versions 5.0.0 up to 5.5.4 are vulnerable to remote code execution. This vulnerability can be exploited by an unauthenticated attacker using a query parameter in a routestring request.

Remediation: Upgrade to alternate VMware vCenter Server versions.

2021
  A03, A06

2017
  A1, A9
VCENTER_RCE VMware vCenter Server versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n are vulnerable to remote code execution. This vulnerability can be triggered by an attacker uploading a crafted Java Server Pages file to a web-accessible directory, then triggering execution of that file.

Remediation: Upgrade to alternate VMware vCenter Server versions.

2021
  A06

2017
  A9
WEBLOGIC_RCE

Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a remote code execution vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. This vulnerability is related to CVE-2020-14750, CVE-2020-14882, CVE-2020-14883. For more information, see CVE-2020-14883.

Remediation: For patch information, see Oracle Critical Patch Update Advisory - October 2020.

2021
  A06, A07

2017
  A2, A9

Finding example

Rapid Vulnerability Detection findings can be exported in JSON with the Security Command Center dashboard, Google Cloud CLI, or Security Command Center API. The JSON output for findings resembles the following:

  {
    "finding": {
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "WEAK_CREDENTIALS",
      "compliances": [
        {
          "ids": [
            "A2"
          ],
          "standard": "owasp",
          "version": "2017"
        },
        {
          "ids": [
            "A07"
          ],
          "standard": "owasp",
          "version": "2021"
        }
      ],
      "contacts": {
        "security": {
          "contacts": [
            {
              "email": "EMAIL_ADDRESS_1"
            },
            {
              "email": "EMAIL_ADDRESS_2"
            }
          ]
        },
        "technical": {
          "contacts": [
            {
              "email": "EMAIL_ADDRESS_3"
            }
          ]
        }
      },
      "createTime": "2021-08-19T06:26:20.038Z",
      "description": "Well known or weak credentials have been detected.",
      "eventTime": "2022-06-24T19:21:22.783Z",
      "findingClass": "MISCONFIGURATION",
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "securityMarks": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
      },
      "severity": "CRITICAL",
      "sourceProperties": {
        "description": "Well known or weak credentials have been detected.",
        "targets": [
          {
            "ipv4Address": {
              "address": "IP_ADDRESS",
              "subnetMask": 32
            },
            "port": PORT_NUMBER,
            "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/VM_NAME",
            "transportProtocol": "TCP"
          }
        ]
      },
      "state": "ACTIVE"
    },
    "resource": {
      "displayName": "PROJECT_NAME",
      "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "ORGANIZATION_NAME",
      "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
      "projectDisplayName": "PROJECT_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "type": "google.cloud.resourcemanager.Project"
    }
  }

The preceding example uses the following placeholder variables:

  • EMAIL_ADDRESS_[N]: the email addresses of the individuals or entities to be notified when a finding is detected.
  • FINDING_ID: a unique value that identifies the finding.
  • IP_ADDRESS: the IP address at which the vulnerability was detected.
  • ORGANIZATION_ID: the identifier of the organization in which the vulnerability was found.
  • ORGANIZATION_NAME: the name of the organization in which the vulnerability was found.
  • PORT_NUMBER: the port number at which the vulnerability was detected.
  • PROJECT_ID: the alpha-numeric identifier of the project in which the vulnerability was found.
  • PROJECT_NUMBER: the numeric identifier of the project in which the vulnerability was found.
  • SOURCE_ID: the numeric ID, which is unique within your organization, that identifies the Security Command Center service that detected the vulnerability.
  • VM_NAME: the Compute Engine virtual machine (VM) on which the vulnerability was detected.
  • ZONE_NAME: the Compute Engine zone in which the scan target is located.

Best practices

Because Rapid Vulnerability Detection attempts to log into VMs and accesses exposed administrator user interfaces, it could potentially access sensitive data or impact your resources with undesirable results. Use Rapid Vulnerability Detection to scan test resources and, if possible, avoid using the service in production environments.

The following recommendations can be used to safeguard your resources:

  1. Run scans in a test environment. Create a separate Compute Engine project and load your application and data there. If you use the Google Cloud CLI, you can specify the target project as a command-line option when you upload your app.
  2. Use a test account. Create a user account that doesn't have access to sensitive data or harmful operations, and use it when scanning your VMs.
  3. Back up your data. Consider making a backup of your data before scanning.
  4. Scan non-production resources. Run scans on non-production resources to catch vulnerabilities before you deploy them in production.

Before you scan, carefully audit your application for any feature that might affect data or systems beyond the desired scope of your scan.

What's next