This page provides an overview of Rapid Vulnerability Detection, including:
- The scan targets that Rapid Vulnerability Detection supports
- The types of scans that Rapid Vulnerability Detection performs
- The types of vulnerabilities (scan findings) that Rapid Vulnerability Detection detects
This page also includes some best practices for testing Rapid Vulnerability Detection scans.
Overview
Rapid Vulnerability Detection, a built-in service of Security Command Center Premium, is a zero-configuration network and web application scanner that actively scans public endpoints to detect vulnerabilities that have a high likelihood of being exploited, such as weak credentials, incomplete software installations, and exposed administrator user interfaces. The service automatically discovers network endpoints, protocols, open ports, network services, and installed software packages.
Rapid Vulnerability Detection findings are early warnings of vulnerabilities that we recommend you fix immediately. You can view findings in the Security Command Center.
Supported scan targets
Rapid Vulnerability Detection supports the following resources:
- Compute Engine
- Rapid Vulnerability Detection supports only VMs that have a public IP address. VMs that are behind a firewall or that do not have a public IP address are excluded from scans.
- Cloud Load Balancing
- Rapid Vulnerability Detection supports only external load balancers.
- Google Kubernetes Engine ingress
- Cloud Run
- Rapid Vulnerability Detection scans default domains that Cloud Run provides for your applications or custom domains configured for Cloud Run services behind external load balancers. Custom domains using built-in domain mapping are not supported. However, default domains are always available even when domain mapping is used.
- App Engine
- Rapid Vulnerability Detection scans only default domains that App Engine provides for your applications. Custom domains are not supported. However, default domains are always available even when custom domains are used.
Scans
Rapid Vulnerability Detection runs managed scans that detect N-day vulnerabilities, which are known vulnerabilities that can be exploited to gain arbitrary data access and allow remote code execution. Such vulnerabilities include weak credentials, incomplete software installations, and exposed administrator user interfaces.
When you enable the service, scans are automatically configured and managed by Security Command Center; your security teams don't need to provide target URLs or manually start scans. Rapid Vulnerability Detection uses Cloud Asset Inventory to retrieve information about new VMs and applications in your projects and runs scans once a week to find public endpoints and detect vulnerabilities.
Rapid Vulnerability Detection scans supported targets for open ports (HTTP, HTTPS, SSH, MySQL, and others), and evaluates scan targets to learn about installed web applications and exposed network services. Because Rapid Vulnerability Detection conducts multiple scans on public endpoints and uses "fingerprints" to identify known services, high-risk, high-severity vulnerabilities are reported with a minimal false-positive rate.
To learn more about the scan target assets that are supported by Rapid Vulnerability Detection, see Supported scan targets.
Scan findings and remediations
The following table lists the finding types that Rapid Vulnerability Detection scans identify, together with suggested remediation steps.
Finding type | Finding description | OWASP top 10 codes
---|---|---
Weak credential findings | |
WEAK_CREDENTIALS | This detector checks for weak credentials using ncrack brute force methods. Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM. Remediation: Enforce a strong password policy. Create unique credentials for your services and avoid using dictionary words in passwords. | 2021: A07; 2017: A2
Exposed interface findings | |
ELASTICSEARCH_API_EXPOSED | The Elasticsearch API lets callers perform arbitrary queries, write and execute scripts, and add additional documents to the service. Remediation: Remove direct access to the Elasticsearch API by routing requests through an application, or limit access to authenticated users only. For more information, see Security settings in Elasticsearch. | 2021: A01, A05; 2017: A5, A6
EXPOSED_GRAFANA_ENDPOINT | In Grafana 8.0.0 to 8.3.0, an endpoint that can be reached without authentication has a directory traversal vulnerability that allows any user to read any file on the server. For more information, see CVE-2021-43798. Remediation: Patch Grafana or upgrade Grafana to a later version. For more information, see Grafana path traversal. | 2021: A06, A07; 2017: A2, A9
EXPOSED_METABASE | Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support that can lead to local file inclusion, including disclosure of environment variables, because URLs were not validated before being loaded. For more information, see CVE-2021-41277. Remediation: Upgrade to maintenance releases 0.40.5 or later or 1.40.5 or later. For more information, see GeoJSON URL validation can expose server files and environment variables to unauthorized users. | 2021: A06; 2017: A3, A9
EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT | This detector checks whether sensitive Actuator endpoints of Spring Boot applications are exposed. Some of the default endpoints, like /heapdump, might expose sensitive information. Other endpoints, like /env, might lead to remote code execution. Currently, only /heapdump is checked. Remediation: Disable access to sensitive Actuator endpoints. For more information, see Securing HTTP Endpoints. | 2021: A01, A05; 2017: A5, A6
HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API | This detector checks whether the Hadoop Yarn ResourceManager API, which controls the computation and storage resources of a Hadoop cluster, is exposed and allows unauthenticated code execution. Remediation: Use access control lists with the API. | 2021: A01, A05; 2017: A5, A6
JAVA_JMX_RMI_EXPOSED | The Java Management Extension (JMX) allows remote monitoring and diagnostics for Java applications. Running JMX with an unprotected Remote Method Invocation endpoint allows any remote user to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs. Remediation: To properly configure remote monitoring, see Monitoring and Management Using JMX Technology. | 2021: A01, A05; 2017: A5, A6
JUPYTER_NOTEBOOK_EXPOSED_UI | This detector checks whether an unauthenticated Jupyter Notebook is exposed. Jupyter allows remote code execution on the host machine by design, so an unauthenticated Jupyter Notebook puts the hosting VM at risk of remote code execution. Remediation: Add token authentication to your Jupyter Notebook server, or use more recent versions of Jupyter Notebook that use token authentication by default. | 2021: A01, A05; 2017: A5, A6
KUBERNETES_API_EXPOSED | The Kubernetes API is exposed and can be accessed by unauthenticated callers. This allows arbitrary code execution on the Kubernetes cluster. Remediation: Require authentication for all API requests. For more information, see the Kubernetes API Authenticating guide. | 2021: A01, A05; 2017: A5, A6
UNFINISHED_WORDPRESS_INSTALLATION | This detector checks whether a WordPress installation is unfinished. An unfinished WordPress installation exposes the /wp-admin/install.php page, which allows an attacker to set the admin password and, possibly, compromise the system. Remediation: Complete the WordPress installation. | 2021: A05; 2017: A6
UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE | This detector checks for an unauthenticated Jenkins instance by sending a probe ping to the /view/all/newJob endpoint as an anonymous visitor. An unauthenticated Jenkins instance shows the createItem form, which allows the creation of arbitrary jobs that could lead to remote code execution. Remediation: Follow Jenkins' guide on managing security to block unauthenticated access. | 2021: A01, A05; 2017: A5, A6
Vulnerable software findings | |
APACHE_HTTPD_RCE | A flaw was found in Apache HTTP Server 2.4.49 that allows an attacker to use a path traversal attack to map URLs to files outside the expected document root and see the source of interpreted files, like CGI scripts. This issue is known to be exploited in the wild. This issue affects Apache 2.4.49 and 2.4.50 but not earlier versions. For more information about this vulnerability, see: Remediation: Protect files outside of the document root by configuring the "require all denied" directive in the Apache HTTP Server. | 2021: A01, A06; 2017: A5, A9
APACHE_HTTPD_SSRF | Attackers can craft a URI to the Apache web server that causes Remediation: Upgrade the Apache HTTP server to a later version. | 2021: A06, A10; 2017: A9
CONSUL_RCE | Attackers can execute arbitrary code on a Consul server because the Consul instance is configured with After the check, Rapid Vulnerability Detection cleans up and deregisters the service by using the Remediation: Set enable-script-checks to | 2021: A05, A06; 2017: A6, A9
DRUID_RCE | Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646 Detail. Remediation: Upgrade Apache Druid to a later version. | 2021: A05, A06; 2017: A6, A9
DRUPAL_RCE (1 of 2). This category includes two vulnerabilities in Drupal. Multiple findings of this type can indicate more than one vulnerability. | Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are vulnerable to remote code execution on Form API AJAX requests. Remediation: Upgrade to alternate Drupal versions. | 2021: A06; 2017: A9
DRUPAL_RCE (2 of 2) | Drupal versions 8.5.x before 8.5.11 and 8.6.x before 8.6.10 are vulnerable to remote code execution when either the RESTful Web Service module or the JSON:API is enabled. This vulnerability can be exploited by an unauthenticated attacker using a custom POST request. Remediation: Upgrade to alternate Drupal versions. | 2021: A06; 2017: A9
FLINK_FILE_DISCLOSURE | A vulnerability in Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 lets attackers read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. Remediation: If your Flink instances are exposed, upgrade to Flink 1.11.3 or 1.12.0. | 2021: A01, A05, A06; 2017: A5, A6, A9
GITLAB_RCE | In GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 and later, GitLab does not properly validate image files that are passed to a file parser. An attacker can exploit this vulnerability for remote command execution. Remediation: Upgrade to GitLab CE or EE release 13.10.3, 13.9.6, and 13.8.8 or later. For more information, see Action needed by self-managed customers in response to CVE-2021-22205. | 2021: A06; 2017: A9
GoCD_RCE | In GoCD 21.2.0 and earlier, there is an endpoint that can be accessed without authentication. This endpoint has a directory traversal vulnerability that allows a user to read any file on the server without authentication. Remediation: Upgrade to version 21.3.0 or later. For more information, see Release notes of GoCD 21.3.0. | 2021: A06, A07; 2017: A2, A9
JENKINS_RCE | Jenkins versions 2.56 and earlier, and 2.46.1 LTS and earlier are vulnerable to remote code execution. This vulnerability can be triggered by an unauthenticated attacker using a malicious serialized Java object. Remediation: Install an alternate Jenkins version. | 2021: A06, A08; 2017: A8, A9
JOOMLA_RCE (1 of 2). This category includes two vulnerabilities in Joomla. Multiple findings of this type can indicate more than one vulnerability. | Joomla versions 1.5.x, 2.x, and 3.x before 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered with a crafted header containing serialized PHP objects. Remediation: Install an alternate Joomla version. | 2021: A06, A08; 2017: A8, A9
JOOMLA_RCE (2 of 2) | Joomla versions 3.0.0 through 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered by sending a POST request that contains a crafted serialized PHP object. Remediation: Install an alternate Joomla version. | 2021: A06; 2017: A9
LOG4J_RCE | In Apache Log4j2 2.14.1 and earlier, JNDI features that are used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. For more information, see CVE-2021-44228. Remediation: For remediation information, see Apache Log4j Security Vulnerabilities. | 2021: A06; 2017: A9
MANTISBT_PRIVILEGE_ESCALATION | MantisBT through version 2.3.0 allows arbitrary password reset and unauthenticated admin access by supplying an empty confirm_hash value to verify.php. Remediation: Update MantisBT to a newer version or follow the Mantis instructions to apply a critical security fix. | 2021: A06; 2017: A9
OGNL_RCE | Confluence Server and Data Center instances contain an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code. For more information, see CVE-2021-26084. Remediation: For remediation information, see Confluence Server Webwork OGNL injection - CVE-2021-26084. | 2021: A03; 2017: A1
OPENAM_RCE | OpenAM server 14.6.2 and earlier and ForgeRock AM server 6.5.3 and earlier have a Java deserialization vulnerability in the Remediation: Upgrade to a more recent version. For information about the ForgeRock remediation, see AM Security Advisory #202104. | 2021: A06; 2017: A9
ORACLE_WEBLOGIC_RCE | Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise an Oracle WebLogic Server. Successful attacks of this vulnerability can result in a takeover of Oracle WebLogic Server. For more information, see CVE-2020-14882. Remediation: For patch information, see Oracle Critical Patch Update Advisory - October 2020. | 2021: A06, A07; 2017: A2, A9
PHPUNIT_RCE | PHPUnit versions prior to 5.6.3 allow remote code execution with a single unauthenticated POST request. Remediation: Upgrade to newer PHPUnit versions. | 2021: A05; 2017: A6
PHP_CGI_RCE | PHP versions before 5.3.12, and versions 5.4.x before 5.4.2, when configured as a CGI script, allow remote code execution. The vulnerable code does not properly handle query strings that lack an = (equals sign) character. This lets attackers add command line options that are executed on the server. Remediation: Install an alternate PHP version. | 2021: A05, A06; 2017: A6, A9
PORTAL_RCE | Deserialization of untrusted data in Liferay Portal versions prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code through JSON web services. Remediation: Upgrade to newer Liferay Portal versions. | 2021: A06, A08; 2017: A8, A9
REDIS_RCE | If a Redis instance does not require authentication to execute admin commands, attackers might be able to execute arbitrary code. Remediation: Configure Redis to require authentication. | 2021: A01, A05; 2017: A5, A6
SOLR_FILE_EXPOSED | Authentication is not enabled in Apache Solr, an open source search server. When Apache Solr does not require authentication, an attacker can directly craft a request to enable a specific configuration, and eventually perform server-side request forgery (SSRF) or read arbitrary files. Remediation: Upgrade to alternate Apache Solr versions. | 2021: A07, A10; 2017: A2
SOLR_RCE | Apache Solr versions 5.0.0 through Apache Solr 8.3.1 are vulnerable to remote code execution through the VelocityResponseWriter if params.resource.loader.enabled is set to true. This allows attackers to create a parameter that contains a malicious Velocity template. Remediation: Upgrade to alternate Apache Solr versions. | 2021: A06; 2017: A9
STRUTS_RCE (1 of 3). This category includes three vulnerabilities in Apache Struts. Multiple findings of this type can indicate more than one vulnerability. | Apache Struts versions before 2.3.32 and 2.5.x before 2.5.10.1 are vulnerable to remote code execution. The vulnerability can be triggered by an unauthenticated attacker providing a crafted Content-Type header. Remediation: Install an alternate Apache Struts version. | 2021: A06; 2017: A9
STRUTS_RCE (2 of 3) | The REST plugin in Apache Struts versions 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 is vulnerable to remote code execution when deserializing crafted XML payloads. Remediation: Install an alternate Apache Struts version. | 2021: A06, A08; 2017: A8, A9
STRUTS_RCE (3 of 3) | Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to remote code execution when alwaysSelectFullNamespace is set to true and certain other action configurations exist. Remediation: Install version 2.3.35 or 2.5.17. | 2021: A06; 2017: A9
TOMCAT_FILE_DISCLOSURE | Apache Tomcat versions 9.x before 9.0.31, 8.x before 8.5.51, 7.x before 7.0.100, and all 6.x are vulnerable to source code and configuration disclosure through an exposed Apache JServ Protocol connector. In some cases, this can be leveraged to perform remote code execution if file uploading is allowed. Remediation: Upgrade to alternate Apache Tomcat versions. | 2021: A06; 2017: A3, A9
VBULLETIN_RCE | vBulletin servers running versions 5.0.0 up to 5.5.4 are vulnerable to remote code execution. This vulnerability can be exploited by an unauthenticated attacker using a query parameter in a routestring request. Remediation: Upgrade to alternate vBulletin versions. | 2021: A03, A06; 2017: A1, A9
VCENTER_RCE | VMware vCenter Server versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n are vulnerable to remote code execution. This vulnerability can be triggered by an attacker uploading a crafted Java Server Pages file to a web-accessible directory, then triggering execution of that file. Remediation: Upgrade to alternate VMware vCenter Server versions. | 2021: A06; 2017: A9
WEBLOGIC_RCE | Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) contain a remote code execution vulnerability, including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. This vulnerability is related to CVE-2020-14750, CVE-2020-14882, CVE-2020-14883. For more information, see CVE-2020-14883. Remediation: For patch information, see Oracle Critical Patch Update Advisory - October 2020. | 2021: A06, A07; 2017: A2, A9
Finding example
Rapid Vulnerability Detection findings can be exported in JSON with the Security Command Center dashboard, Google Cloud CLI, or Security Command Center API. The JSON output for findings resembles the following:
```json
{
  "finding": {
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
    "category": "WEAK_CREDENTIALS",
    "compliances": [
      {
        "ids": [
          "A2"
        ],
        "standard": "owasp",
        "version": "2017"
      },
      {
        "ids": [
          "A07"
        ],
        "standard": "owasp",
        "version": "2021"
      }
    ],
    "contacts": {
      "security": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_1"
          },
          {
            "email": "EMAIL_ADDRESS_2"
          }
        ]
      },
      "technical": {
        "contacts": [
          {
            "email": "EMAIL_ADDRESS_3"
          }
        ]
      }
    },
    "createTime": "2021-08-19T06:26:20.038Z",
    "description": "Well known or weak credentials have been detected.",
    "eventTime": "2022-06-24T19:21:22.783Z",
    "findingClass": "MISCONFIGURATION",
    "mute": "UNDEFINED",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
    "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "securityMarks": {
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
    },
    "severity": "CRITICAL",
    "sourceProperties": {
      "description": "Well known or weak credentials have been detected.",
      "targets": [
        {
          "ipv4Address": {
            "address": "IP_ADDRESS",
            "subnetMask": 32
          },
          "port": PORT_NUMBER,
          "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/VM_NAME",
          "transportProtocol": "TCP"
        }
      ]
    },
    "state": "ACTIVE"
  },
  "resource": {
    "displayName": "PROJECT_NAME",
    "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "parentDisplayName": "ORGANIZATION_NAME",
    "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
    "projectDisplayName": "PROJECT_NAME",
    "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
    "type": "google.cloud.resourcemanager.Project"
  }
}
```
The preceding example uses the following placeholder variables:
- EMAIL_ADDRESS_[N]: the email addresses of the individuals or entities to be notified when a finding is detected.
- FINDING_ID: a unique value that identifies the finding.
- IP_ADDRESS: the IP address at which the vulnerability was detected.
- ORGANIZATION_ID: the identifier of the organization in which the vulnerability was found.
- ORGANIZATION_NAME: the name of the organization in which the vulnerability was found.
- PORT_NUMBER: the port number at which the vulnerability was detected.
- PROJECT_ID: the alpha-numeric identifier of the project in which the vulnerability was found.
- PROJECT_NUMBER: the numeric identifier of the project in which the vulnerability was found.
- SOURCE_ID: the numeric ID, which is unique within your organization, that identifies the Security Command Center service that detected the vulnerability.
- VM_NAME: the Compute Engine virtual machine (VM) on which the vulnerability was detected.
- ZONE_NAME: the Compute Engine zone in which the scan target is located.
Best practices
Because Rapid Vulnerability Detection attempts to log into VMs and access exposed administrator user interfaces, it could potentially access sensitive data or impact your resources with undesirable results. Use Rapid Vulnerability Detection to scan test resources and, if possible, avoid using the service in production environments.
The following recommendations can be used to safeguard your resources:
- Run scans in a test environment. Create a separate Compute Engine project and load your application and data there. If you use the Google Cloud CLI, you can specify the target project as a command-line option when you upload your app.
- Use a test account. Create a user account that doesn't have access to sensitive data or harmful operations, and use it when scanning your VMs.
- Back up your data. Consider making a backup of your data before scanning.
- Scan non-production resources. Run scans on non-production resources to catch vulnerabilities before you deploy them in production.
Before you scan, carefully audit your application for any feature that might affect data or systems beyond the desired scope of your scan.
What's next
- For instructions on enabling and using Rapid Vulnerability Detection, see Using Rapid Vulnerability Detection.
- For information about testing, see Testing Rapid Vulnerability Detection.