Security bulletins

This page describes all security bulletins related to Cloud SQL.

To get the latest security bulletins, do one of the following:

  • Add the URL of this page to your feed reader.
  • Add the following feed URL directly to your feed reader:

    https://cloud.google.com/feeds/cloud-sql-security-bulletins.xml
    

GCP-2023-007

Published: 2023-06-02

Description

A third-party researcher identified a Cloud SQL for SQL Server vulnerability; the instance on which they triggered it was automatically detected by Google Cloud through a security alert. After the detection, Google Cloud contacted the researcher, who then reported the issue through the Google Cloud VRP program. Google Cloud resolved the issue by patching the security vulnerability by March 1, 2023, and didn't find any compromised customer instances.

What should I do?

No further action is required for any customer.

Cloud SQL for SQL Server has been updated to fix this vulnerability, and the fix was rolled out to all instances in March 2023. No action is required.

What vulnerabilities are being addressed?

The vulnerability allowed customer administrator accounts to create triggers in the tempdb database and use those to gain sysadmin privileges in the instance. The sysadmin privileges would give the attacker access to system databases and partial access to the machine running that SQL Server instance.

Because the attack requires access to a customer administrator account, this vulnerability didn't expose any customer data that the attacker didn't already have access to. Moreover, this vulnerability didn't give the attacker any access to other Cloud SQL for SQL Server instances.

This issue was not a security incident and no data was compromised.

Severity: High
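As an added example (not part of the bulletin and not Google's own tooling), the T-SQL audit below lets a DBA review the two things this vulnerability combined: triggers defined in tempdb and logins that currently hold the sysadmin role. It assumes the connecting login can read these catalog views and that the client (sqlcmd or SSMS) understands the `GO` batch separator.

```sql
-- Added audit query, not from the bulletin. Assumes the login can read
-- the sys.* catalog views and that the client handles GO.
USE tempdb;
GO

-- Every trigger present in tempdb, with its source text, so unexpected
-- DDL or DML triggers can be reviewed.
SELECT
    t.name,
    t.parent_class_desc,                        -- DATABASE (DDL) or OBJECT_OR_COLUMN (DML)
    t.type_desc,
    t.create_date,
    OBJECT_NAME(t.parent_id) AS parent_object,  -- NULL for database-level DDL triggers
    m.definition
FROM sys.triggers AS t
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
ORDER BY t.create_date DESC;

-- Logins currently holding the sysadmin fixed server role.
SELECT
    mem.name        AS member_login,
    mem.type_desc   AS login_type,
    mem.create_date AS login_created
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r   ON r.principal_id   = rm.role_principal_id
JOIN sys.server_principals AS mem ON mem.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY mem.name;
```

Because tempdb is recreated whenever the SQL Server service restarts, a trigger listed there was created during the current uptime; compare the sysadmin membership against the set of logins you expect to hold it.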