Rapid Vulnerability Detection overview

This page provides an overview of Rapid Vulnerability Detection, including:

  • The scan targets that Rapid Vulnerability Detection supports
  • The types of scans that Rapid Vulnerability Detection performs
  • The types of vulnerabilities (scan findings) that Rapid Vulnerability Detection detects

This page also includes some best practices for testing Rapid Vulnerability Detection scans.

Overview

Rapid Vulnerability Detection, a built-in service of Security Command Center Premium, is a zero-configuration network and web application scanner that actively scans public endpoints to detect vulnerabilities that have a high likelihood of being exploited, such as weak credentials, incomplete software installations, and exposed administrator user interfaces. The service automatically discovers network endpoints, protocols, open ports, network services, and installed software packages.

Rapid Vulnerability Detection findings are early warnings of vulnerabilities that we recommend you fix immediately. You can view findings in the Security Command Center.

Supported scan targets

Rapid Vulnerability Detection supports the following resources:

  • Compute Engine
    • Rapid Vulnerability Detection supports only VMs that have a public IP address. VMs that are behind a firewall or that do not have a public IP address are excluded from scans.
  • Cloud Load Balancing
    • Rapid Vulnerability Detection supports only external load balancers.
  • Google Kubernetes Engine ingress
  • Cloud Run
    • Rapid Vulnerability Detection scans default domains that Cloud Run provides for your applications or custom domains configured for Cloud Run services behind external load balancers. Custom domains using built-in domain mapping are not supported. However, default domains are always available even when domain mapping is used.
  • App Engine
    • Rapid Vulnerability Detection scans only default domains that App Engine provides for your applications. Custom domains are not supported. However, default domains are always available even when custom domains are used.

Scans

Rapid Vulnerability Detection runs managed scans that detect N-day vulnerabilities, which are known vulnerabilities that can be exploited to gain arbitrary data access and allow remote code execution. Such vulnerabilities include weak credentials, incomplete software installations, and exposed administrator user interfaces.

When you enable the service, scans are automatically configured and managed by Security Command Center; your security teams don't need to provide target URLs or manually start scans. Rapid Vulnerability Detection uses Cloud Asset Inventory to retrieve information about new VMs and applications in your projects and runs scans once a week to find public endpoints and detect vulnerabilities. The user agent that runs Rapid Vulnerability Detection is named TsunamiSecurityScanner in the Logs Explorer.
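Because the scanner identifies itself with that user agent, its weekly probes can be separated from other traffic in load balancer request logs. The following is an added example, not code from the Google Cloud documentation; it assumes Cloud Logging's httpRequest layout (userAgent, requestUrl, remoteIp, status) and uses constructed log entries.

```python
"""Separate Rapid Vulnerability Detection scanner traffic from other requests.

Added example; it is not part of the Google Cloud documentation. It assumes
load balancer request logs in the Cloud Logging httpRequest layout
(userAgent, requestUrl, remoteIp, status). The log entries below are
constructed.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# User agent the page names for the managed scanner.
SCANNER_UA = "TsunamiSecurityScanner"

# Constructed newline-delimited JSON log entries (Cloud Logging style).
SAMPLE_LOG = """\
{"httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example.com/actuator/heapdump", "userAgent": "TsunamiSecurityScanner", "remoteIp": "203.0.113.10", "status": 200}, "timestamp": "2022-06-24T19:20:01Z"}
{"httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example.com/wp-admin/install.php", "userAgent": "TsunamiSecurityScanner", "remoteIp": "203.0.113.10", "status": 404}, "timestamp": "2022-06-24T19:20:02Z"}
{"httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example.com/", "userAgent": "Mozilla/5.0", "remoteIp": "198.51.100.7", "status": 200}, "timestamp": "2022-06-24T19:21:00Z"}
{"httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example.com/actuator/heapdump?x=1", "userAgent": "curl/7.79.1", "remoteIp": "198.51.100.9", "status": 200}, "timestamp": "2022-06-24T19:22:00Z"}
"""


def parse_entries(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_scanner(entry):
    """True when the request carries the managed scanner's user agent."""
    return SCANNER_UA in entry.get("httpRequest", {}).get("userAgent", "")


def split_scanner_traffic(entries):
    """Return (scanner_entries, other_entries)."""
    scanner = [e for e in entries if is_scanner(e)]
    other = [e for e in entries if not is_scanner(e)]
    return scanner, other


def path_of(entry):
    """URL path of the request, without the query string."""
    return urlsplit(entry["httpRequest"].get("requestUrl", "")).path or "/"


def answered_probes(scanner_entries):
    """Paths the scanner requested that returned 2xx.

    These endpoints were reachable from the internet during the weekly scan;
    compare them with the findings the service reports in Security Command
    Center.
    """
    return sorted({path_of(e) for e in scanner_entries
                   if 200 <= int(e["httpRequest"].get("status", 0)) < 300})


def other_hits_on_answered_paths(scanner_entries, other_entries):
    """Count non-scanner requests, per remote IP, to the reachable paths.

    The scanner's own probes are expected; anyone else reaching the same
    exposed endpoint is worth an alert while the finding is still open.
    """
    reachable = set(answered_probes(scanner_entries))
    hits = Counter()
    for e in other_entries:
        if path_of(e) in reachable:
            hits[e["httpRequest"].get("remoteIp", "unknown")] += 1
    return dict(hits)


if __name__ == "__main__":
    scanner, other = split_scanner_traffic(parse_entries(SAMPLE_LOG))
    print("scanner requests:", len(scanner), "other:", len(other))
    print("reachable probed paths:", answered_probes(scanner))
    print("other sources on those paths:",
          other_hits_on_answered_paths(scanner, other))
```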

Rapid Vulnerability Detection scans supported targets for open ports (HTTP, HTTPS, SSH, MySQL, and others), and evaluates scan targets to learn about installed web applications and exposed network services. Because Rapid Vulnerability Detection conducts multiple scans on public endpoints and uses "fingerprints" to identify known services, high-risk, high-severity vulnerabilities are reported with a minimal false-positive rate.

To learn more about the scan target assets that are supported by Rapid Vulnerability Detection, see Supported scan targets.

Scan findings and remediations

The following table lists the Rapid Vulnerability Detection finding types, the suggested remediation steps, and the OWASP Top 10 categories (2021 and 2017 editions) that each finding maps to. Findings are grouped into weak credential findings, exposed interface findings, and vulnerable software findings.

Weak credential findings

WEAK_CREDENTIALS
  Description: This detector checks for weak credentials using ncrack brute-force methods.
  Supported services: SSH, RDP, FTP, WordPress, TELNET, POP3, IMAP, VCS, SMB, SMB2, VNC, SIP, REDIS, PSQL, MYSQL, MSSQL, MQTT, MONGODB, WINRM, DICOM
  Remediation: Enforce a strong password policy. Create unique credentials for your services and avoid using dictionary words in passwords.
  OWASP Top 10: 2021 A07; 2017 A2

Exposed interface findings

ELASTICSEARCH_API_EXPOSED
  Description: The Elasticsearch API lets callers perform arbitrary queries, write and execute scripts, and add documents to the service.
  Remediation: Remove direct access to the Elasticsearch API by routing requests through an application, or limit access to authenticated users only. For more information, see Security settings in Elasticsearch.
  OWASP Top 10: 2021 A01, A05; 2017 A5, A6

EXPOSED_GRAFANA_ENDPOINT
  Description: Grafana 8.0.0 through 8.3.0 exposes, without authentication, an endpoint with a directory traversal vulnerability that allows any user to read any file on the server. For more information, see CVE-2021-43798.
  Remediation: Patch Grafana or upgrade to a later version. For more information, see Grafana path traversal.
  OWASP Top 10: 2021 A06, A07; 2017 A2, A9

EXPOSED_METABASE
  Description: Versions x.40.0 to x.40.4 of Metabase, an open source data analytics platform, contain a vulnerability in the custom GeoJSON map support: URLs were not validated before being loaded, which allows local file inclusion, including environment variables. For more information, see CVE-2021-41277.
  Remediation: Upgrade to maintenance release 0.40.5 or later, or 1.40.5 or later. For more information, see GeoJSON URL validation can expose server files and environment variables to unauthorized users.
  OWASP Top 10: 2021 A06; 2017 A3, A9

EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT
  Description: This detector checks whether sensitive Actuator endpoints of Spring Boot applications are exposed. Some of the default endpoints, like /heapdump, might expose sensitive information. Other endpoints, like /env, might lead to remote code execution. Currently, only /heapdump is checked.
  Remediation: Disable access to sensitive Actuator endpoints. For more information, see Securing HTTP Endpoints.
  OWASP Top 10: 2021 A01, A05; 2017 A5, A6

HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API
  Description: This detector checks whether the Hadoop YARN ResourceManager API, which controls the computation and storage resources of a Hadoop cluster, is exposed and allows unauthenticated code execution.
  Remediation: Use access control lists with the API.
  OWASP Top 10: 2021 A01, A05; 2017 A5, A6

JAVA_JMX_RMI_EXPOSED
  Description: Java Management Extensions (JMX) allows remote monitoring and diagnostics of Java applications. Running JMX with an unprotected Remote Method Invocation (RMI) endpoint allows any remote user to create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs.
  Remediation: To properly configure remote monitoring, see Monitoring and Management Using JMX Technology.
  OWASP Top 10: 2021 A01, A05; 2017 A5, A6

JUPYTER_NOTEBOOK_EXPOSED_UI
  Description: This detector checks whether an unauthenticated Jupyter Notebook is exposed. Jupyter allows remote code execution on the host machine by design, so an unauthenticated Jupyter Notebook puts the hosting VM at risk of remote code execution.
  Remediation: Add token authentication to your Jupyter Notebook server, or use a more recent version of Jupyter Notebook that enables token authentication by default.
  OWASP Top 10: 2021 A01, A05; 2017 A5, A6

KUBERNETES_API_EXPOSED
  Description: The Kubernetes API is exposed and can be accessed by unauthenticated callers, which allows arbitrary code execution on the Kubernetes cluster.
  Remediation: Require authentication for all API requests. For more information, see the Kubernetes API Authenticating guide.
  OWASP Top 10: 2021 A01, A05; 2017 A5, A6

UNFINISHED_WORDPRESS_INSTALLATION
  Description: This detector checks whether a WordPress installation is unfinished. An unfinished WordPress installation exposes the /wp-admin/install.php page, which allows an attacker to set the admin password and, possibly, compromise the system.
  Remediation: Complete the WordPress installation.
  OWASP Top 10: 2021 A05; 2017 A6

UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE
  Description: This detector checks for an unauthenticated Jenkins instance by sending a probe to the /view/all/newJob endpoint as an anonymous visitor. An unauthenticated Jenkins instance shows the createItem form, which allows the creation of arbitrary jobs that could lead to remote code execution.
  Remediation: Follow Jenkins' guide on managing security to block unauthenticated access.
  OWASP Top 10: 2021 A01, A05; 2017 A5, A6

Vulnerable software findings

APACHE_HTTPD_RCE
  Description: A flaw in Apache HTTP Server 2.4.49 allows an attacker to use a path traversal attack to map URLs to files outside the expected document root and view the source of interpreted files, such as CGI scripts. This issue is known to be exploited in the wild. It affects Apache 2.4.49 and 2.4.50 but not earlier versions. For more information, see the CVE record CVE-2021-41773 and Apache HTTP Server 2.4 vulnerabilities.
  Remediation: Protect files outside of the document root by configuring the "require all denied" directive in the Apache HTTP Server.
  OWASP Top 10: 2021 A01, A06; 2017 A5, A9

APACHE_HTTPD_SSRF
  Description: Attackers can craft a URI to the Apache web server that causes mod_proxy to forward the request to an origin server chosen by the attacker. This issue affects Apache HTTP Server 2.4.48 and earlier. For more information, see the CVE record CVE-2021-40438 and Apache HTTP Server 2.4 vulnerabilities.
  Remediation: Upgrade the Apache HTTP Server to a later version.
  OWASP Top 10: 2021 A06, A10; 2017 A9

CONSUL_RCE
  Description: Attackers can execute arbitrary code on a Consul server when the Consul instance is configured with -enable-script-checks set to true and the Consul HTTP API is unsecured and accessible over the network. In Consul 0.9.0 and earlier, script checks are on by default. For more information, see Protecting Consul from RCE Risk in Specific Configurations. To check for this vulnerability, Rapid Vulnerability Detection registers a service on the Consul instance by using the /v1/health/service REST endpoint, which then executes one of the following:
    1. A curl command to a remote server outside of the network. An attacker can use the curl command to exfiltrate data from the server.
    2. A printf command. Rapid Vulnerability Detection then verifies the output of the command by using the /v1/health/service REST endpoint.
  After the check, Rapid Vulnerability Detection cleans up and deregisters the service by using the /v1/agent/service/deregister/ REST endpoint.
  Remediation: Set enable-script-checks to false in the Consul instance configuration.
  OWASP Top 10: 2021 A05, A06; 2017 A6, A9

DRUID_RCE
  Description: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments and is disabled by default. However, in Druid 0.20.0 and earlier, an authenticated user can send a specially crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. For more information, see CVE-2021-25646 Detail.
  Remediation: Upgrade Apache Druid to a later version.
  OWASP Top 10: 2021 A05, A06; 2017 A6, A9

DRUPAL_RCE
  This category includes two vulnerabilities in Drupal. Multiple findings of this type can indicate more than one vulnerability.
  Vulnerability 1: Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are vulnerable to remote code execution on Form API AJAX requests.
  Remediation: Upgrade to alternate Drupal versions.
  OWASP Top 10: 2021 A06; 2017 A9
  Vulnerability 2: Drupal versions 8.5.x before 8.5.11 and 8.6.x before 8.6.10 are vulnerable to remote code execution when either the RESTful Web Services module or JSON:API is enabled. This vulnerability can be exploited by an unauthenticated attacker using a custom POST request.
  Remediation: Upgrade to alternate Drupal versions.
  OWASP Top 10: 2021 A06; 2017 A9

FLINK_FILE_DISCLOSURE
  Description: A vulnerability in Apache Flink versions 1.11.0, 1.11.1, and 1.11.2 lets attackers read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
  Remediation: If your Flink instances are exposed, upgrade to Flink 1.11.3 or 1.12.0.
  OWASP Top 10: 2021 A01, A05, A06; 2017 A5, A6, A9

GITLAB_RCE
  Description: In GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 and later, GitLab does not properly validate image files that are passed to a file parser. An attacker can exploit this vulnerability for remote command execution.
  Remediation: Upgrade to GitLab CE or EE release 13.10.3, 13.9.6, or 13.8.8 or later. For more information, see Action needed by self-managed customers in response to CVE-2021-22205.
  OWASP Top 10: 2021 A06; 2017 A9

GoCD_RCE
  Description: In GoCD 21.2.0 and earlier, an endpoint that can be accessed without authentication has a directory traversal vulnerability that allows a user to read any file on the server.
  Remediation: Upgrade to version 21.3.0 or later. For more information, see Release notes of GoCD 21.3.0.
  OWASP Top 10: 2021 A06, A07; 2017 A2, A9

JENKINS_RCE
  Description: Jenkins versions 2.56 and earlier, and 2.46.1 LTS and earlier, are vulnerable to remote code execution. This vulnerability can be triggered by an unauthenticated attacker using a malicious serialized Java object.
  Remediation: Install an alternate Jenkins version.
  OWASP Top 10: 2021 A06, A08; 2017 A8, A9

JOOMLA_RCE
  This category includes two vulnerabilities in Joomla. Multiple findings of this type can indicate more than one vulnerability.
  Vulnerability 1: Joomla versions 1.5.x, 2.x, and 3.x before 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered with a crafted header containing serialized PHP objects.
  Remediation: Install an alternate Joomla version.
  OWASP Top 10: 2021 A06, A08; 2017 A8, A9
  Vulnerability 2: Joomla versions 3.0.0 through 3.4.6 are vulnerable to remote code execution. This vulnerability can be triggered by sending a POST request that contains a crafted serialized PHP object.
  Remediation: Install an alternate Joomla version.
  OWASP Top 10: 2021 A06; 2017 A9

LOG4J_RCE
  Description: In Apache Log4j2 2.14.1 and earlier, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. For more information, see CVE-2021-44228.
  Remediation: For remediation information, see Apache Log4j Security Vulnerabilities.
  OWASP Top 10: 2021 A06; 2017 A9

MANTISBT_PRIVILEGE_ESCALATION
  Description: MantisBT through version 2.3.0 allows arbitrary password reset and unauthenticated admin access by supplying an empty confirm_hash value to verify.php.
  Remediation: Update MantisBT to a newer version or follow the Mantis instructions to apply a critical security fix.
  OWASP Top 10: 2021 A06; 2017 A9

OGNL_RCE
  Description: Confluence Server and Data Center instances contain an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code. For more information, see CVE-2021-26084.
  Remediation: For remediation information, see Confluence Server Webwork OGNL injection - CVE-2021-26084.
  OWASP Top 10: 2021 A03; 2017 A1

OPENAM_RCE
  Description: OpenAM server 14.6.2 and earlier and ForgeRock AM server 6.5.3 and earlier have a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. Exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application. For more information, see CVE-2021-35464.
  Remediation: Upgrade to a more recent version. For information about the ForgeRock remediation, see AM Security Advisory #202104.
  OWASP Top 10: 2021 A06; 2017 A9

ORACLE_WEBLOGIC_RCE
  Description: Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console), including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, contain a vulnerability. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise an Oracle WebLogic Server. Successful attacks can result in a takeover of Oracle WebLogic Server. For more information, see CVE-2020-14882.
  Remediation: For patch information, see Oracle Critical Patch Update Advisory - October 2020.
  OWASP Top 10: 2021 A06, A07; 2017 A2, A9

PHPUNIT_RCE
  Description: PHPUnit versions prior to 5.6.3 allow remote code execution with a single unauthenticated POST request.
  Remediation: Upgrade to a newer PHPUnit version.
  OWASP Top 10: 2021 A05; 2017 A6

PHP_CGI_RCE
  Description: PHP versions before 5.3.12, and versions 5.4.x before 5.4.2, when configured as a CGI script, allow remote code execution. The vulnerable code does not properly handle query strings that lack an = (equals sign) character, which lets attackers add command-line options that are executed on the server.
  Remediation: Install an alternate PHP version.
  OWASP Top 10: 2021 A05, A06; 2017 A6, A9

PORTAL_RCE
  Description: Deserialization of untrusted data in Liferay Portal versions prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code through JSON web services.
  Remediation: Upgrade to a newer Liferay Portal version.
  OWASP Top 10: 2021 A06, A08; 2017 A8, A9

REDIS_RCE
  Description: If a Redis instance does not require authentication to execute admin commands, attackers might be able to execute arbitrary code.
  Remediation: Configure Redis to require authentication.
  OWASP Top 10: 2021 A01, A05; 2017 A5, A6

SOLR_FILE_EXPOSED
  Description: Authentication is not enabled in Apache Solr, an open source search server. When Apache Solr does not require authentication, an attacker can directly craft a request to enable a specific configuration and eventually perform server-side request forgery (SSRF) or read arbitrary files.
  Remediation: Upgrade to alternate Apache Solr versions.
  OWASP Top 10: 2021 A07, A10; 2017 A2

SOLR_RCE
  Description: Apache Solr versions 5.0.0 through 8.3.1 are vulnerable to remote code execution through the VelocityResponseWriter if params.resource.loader.enabled is set to true. This allows attackers to supply a parameter that contains a malicious Velocity template.
  Remediation: Upgrade to alternate Apache Solr versions.
  OWASP Top 10: 2021 A06; 2017 A9

STRUTS_RCE
  This category includes three vulnerabilities in Apache Struts. Multiple findings of this type can indicate more than one vulnerability.
  Vulnerability 1: Apache Struts versions before 2.3.32 and 2.5.x before 2.5.10.1 are vulnerable to remote code execution. The vulnerability can be triggered by an unauthenticated attacker providing a crafted Content-Type header.
  Remediation: Install an alternate Apache Struts version.
  OWASP Top 10: 2021 A06; 2017 A9
  Vulnerability 2: The REST plugin in Apache Struts versions 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 is vulnerable to remote code execution when deserializing crafted XML payloads.
  Remediation: Install an alternate Apache Struts version.
  OWASP Top 10: 2021 A06, A08; 2017 A8, A9
  Vulnerability 3: Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to remote code execution when alwaysSelectFullNamespace is set to true and certain other action configurations exist.
  Remediation: Install version 2.3.35 or 2.5.17.
  OWASP Top 10: 2021 A06; 2017 A9

TOMCAT_FILE_DISCLOSURE
  Description: Apache Tomcat versions 9.x before 9.0.31, 8.x before 8.5.51, 7.x before 7.0.100, and all 6.x are vulnerable to source code and configuration disclosure through an exposed Apache JServ Protocol connector. In some cases, this can be leveraged to perform remote code execution if file uploading is allowed.
  Remediation: Upgrade to alternate Apache Tomcat versions.
  OWASP Top 10: 2021 A06; 2017 A3, A9

VBULLETIN_RCE
  Description: vBulletin servers running versions 5.0.0 up to 5.5.4 are vulnerable to remote code execution. This vulnerability can be exploited by an unauthenticated attacker using a query parameter in a routestring request.
  Remediation: Upgrade to alternate vBulletin versions.
  OWASP Top 10: 2021 A03, A06; 2017 A1, A9

VCENTER_RCE
  Description: VMware vCenter Server versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n are vulnerable to remote code execution. This vulnerability can be triggered by an attacker uploading a crafted Java Server Pages file to a web-accessible directory, then triggering execution of that file.
  Remediation: Upgrade to alternate VMware vCenter Server versions.
  OWASP Top 10: 2021 A06; 2017 A9

WEBLOGIC_RCE
  Description: Certain versions of the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console), including versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, contain a remote code execution vulnerability. This vulnerability is related to CVE-2020-14750, CVE-2020-14882, and CVE-2020-14883. For more information, see CVE-2020-14883.
  Remediation: For patch information, see Oracle Critical Patch Update Advisory - October 2020.
  OWASP Top 10: 2021 A06, A07; 2017 A2, A9

Finding example

Rapid Vulnerability Detection findings can be exported in JSON with the Security Command Center dashboard, Google Cloud CLI, or Security Command Center API. The JSON output for findings resembles the following:

  {
    "finding": {
      "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/findings/FINDING_ID",
      "category": "WEAK_CREDENTIALS",
      "compliances": [
        {
          "ids": [
            "A2"
          ],
          "standard": "owasp",
          "version": "2017"
        },
        {
          "ids": [
            "A07"
          ],
          "standard": "owasp",
          "version": "2021"
        }
      ],
      "contacts": {
        "security": {
          "contacts": [
            {
              "email": "EMAIL_ADDRESS_1"
            },
            {
              "email": "EMAIL_ADDRESS_2"
            }
          ]
        },
        "technical": {
          "contacts": [
            {
              "email": "EMAIL_ADDRESS_3"
            }
          ]
        }
      },
      "createTime": "2021-08-19T06:26:20.038Z",
      "description": "Well known or weak credentials have been detected.",
      "eventTime": "2022-06-24T19:21:22.783Z",
      "findingClass": "MISCONFIGURATION",
      "mute": "UNDEFINED",
      "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID",
      "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID",
      "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "securityMarks": {
        "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
      },
      "severity": "CRITICAL",
      "sourceProperties": {
        "description": "Well known or weak credentials have been detected.",
        "targets": [
          {
            "ipv4Address": {
              "address": "IP_ADDRESS",
              "subnetMask": 32
            },
            "port": PORT_NUMBER,
            "resourceName": "//compute.googleapis.com/projects/PROJECT_ID/zones/ZONE_NAME/instances/VM_NAME",
            "transportProtocol": "TCP"
          }
        ]
      },
      "state": "ACTIVE"
    },
    "resource": {
      "displayName": "PROJECT_NAME",
      "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "ORGANIZATION_NAME",
      "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
      "projectDisplayName": "PROJECT_NAME",
      "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "type": "google.cloud.resourcemanager.Project"
    }
  }

The preceding example uses the following placeholder variables:

  • EMAIL_ADDRESS_[N]: the email addresses of the individuals or entities to be notified when a finding is detected.
  • FINDING_ID: a unique value that identifies the finding.
  • IP_ADDRESS: the IP address at which the vulnerability was detected.
  • ORGANIZATION_ID: the identifier of the organization in which the vulnerability was found.
  • ORGANIZATION_NAME: the name of the organization in which the vulnerability was found.
  • PORT_NUMBER: the port number at which the vulnerability was detected.
  • PROJECT_ID: the alpha-numeric identifier of the project in which the vulnerability was found.
  • PROJECT_NUMBER: the numeric identifier of the project in which the vulnerability was found.
  • SOURCE_ID: the numeric ID, which is unique within your organization, that identifies the Security Command Center service that detected the vulnerability.
  • VM_NAME: the Compute Engine virtual machine (VM) on which the vulnerability was detected.
  • ZONE_NAME: the Compute Engine zone in which the scan target is located.
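An exported finding in the layout shown above can be reduced to the fields a responder acts on: the finding group from the table, the OWASP codes per edition, the scanned target, and whether the finding is still active and unmuted. The following is an added example, not code from the Google Cloud documentation; the sample export is constructed from the field layout on this page with the placeholders replaced by made-up values and unused fields dropped.

```python
"""Triage a Rapid Vulnerability Detection finding exported as JSON.

Added example; it is not part of the Google Cloud documentation. The sample
export below is constructed from the field layout shown on this page, with
the placeholders replaced by made-up values and unused fields dropped.
"""
import json

# Finding groups as in the table above. Categories not listed here are the
# vulnerable software findings (e.g. LOG4J_RCE, STRUTS_RCE).
GROUP_OF = {"WEAK_CREDENTIALS": "weak credential"}
GROUP_OF.update(dict.fromkeys([
    "ELASTICSEARCH_API_EXPOSED", "EXPOSED_GRAFANA_ENDPOINT", "EXPOSED_METABASE",
    "EXPOSED_SPRING_BOOT_ACTUATOR_ENDPOINT", "JAVA_JMX_RMI_EXPOSED",
    "HADOOP_YARN_UNAUTHENTICATED_RESOURCE_MANAGER_API", "KUBERNETES_API_EXPOSED",
    "JUPYTER_NOTEBOOK_EXPOSED_UI", "UNFINISHED_WORDPRESS_INSTALLATION",
    "UNAUTHENTICATED_JENKINS_NEW_ITEM_CONSOLE"], "exposed interface"))

# Constructed export: project number, IP address and resource names are made up.
SAMPLE_EXPORT = json.dumps({
    "finding": {
        "category": "WEAK_CREDENTIALS",
        "compliances": [
            {"ids": ["A2"], "standard": "owasp", "version": "2017"},
            {"ids": ["A07"], "standard": "owasp", "version": "2021"}],
        "contacts": {"security": {"contacts": [{"email": "sec@example.com"}]}},
        "mute": "UNDEFINED",
        "severity": "CRITICAL",
        "sourceProperties": {"targets": [{
            "ipv4Address": {"address": "203.0.113.5", "subnetMask": 32},
            "port": 22,
            "resourceName": "//compute.googleapis.com/projects/demo-proj"
                            "/zones/us-central1-a/instances/web-1",
            "transportProtocol": "TCP"}]},
        "state": "ACTIVE"},
    "resource": {"name": "//cloudresourcemanager.googleapis.com/projects/123456789012"}})


def owasp_codes(finding):
    """Return {owasp_version: [codes]} from the compliances list."""
    return {c["version"]: list(c["ids"])
            for c in finding.get("compliances", []) if c.get("standard") == "owasp"}


def scan_targets(finding):
    """Return one (address, port, protocol, resourceName) tuple per target."""
    return [(t.get("ipv4Address", {}).get("address"), t.get("port"),
             t.get("transportProtocol"), t.get("resourceName"))
            for t in finding.get("sourceProperties", {}).get("targets", [])]


def security_contacts(finding):
    """Email addresses from the finding's security contacts, if any."""
    contacts = finding.get("contacts", {}).get("security", {}).get("contacts", [])
    return [c["email"] for c in contacts if "email" in c]


def triage(export_json):
    """Reduce an exported finding to the fields a responder acts on."""
    finding = json.loads(export_json)["finding"]
    category = finding["category"]
    return {
        "category": category,
        "group": GROUP_OF.get(category, "vulnerable software"),
        "severity": finding.get("severity"),
        "owasp": owasp_codes(finding),
        "targets": scan_targets(finding),
        "notify": security_contacts(finding),
        # Escalate only while the finding is active, unmuted, and at least HIGH.
        "act_now": (finding.get("state") == "ACTIVE"
                    and finding.get("mute") != "MUTED"
                    and finding.get("severity") in ("CRITICAL", "HIGH")),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT), indent=2))
```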

Best practices

Because Rapid Vulnerability Detection attempts to log in to VMs and accesses exposed administrator user interfaces, it could potentially read sensitive data or affect your resources in undesirable ways. Use Rapid Vulnerability Detection to scan test resources and, if possible, avoid using the service in production environments.

The following recommendations can be used to safeguard your resources:

  1. Run scans in a test environment. Create a separate Compute Engine project and load your application and data there. If you use the Google Cloud CLI, you can specify the target project as a command-line option when you upload your app.
  2. Use a test account. Create a user account that doesn't have access to sensitive data or harmful operations, and use it when scanning your VMs.
  3. Back up your data. Consider making a backup of your data before scanning.
  4. Scan non-production resources. Run scans on non-production resources to catch vulnerabilities before you deploy them in production.

Before you scan, carefully audit your application for any feature that might affect data or systems beyond the desired scope of your scan.
