Security Bulletins

The following security bulletins are related to Google Cloud products.

Use this XML feed to subscribe to security bulletins for this page.

GCP-2022-001

Published: 2022-01-06

Description

Description Severity Notes

Description	Severity	Notes
A potential Denial of Service issue in `protobuf-java` was discovered in the parsing procedure for binary data. What should I do? Ensure that you're using the latest versions of the following software packages: `protobuf-java` (3.16.1, 3.18.2, 3.19.2) `protobuf-kotlin` (3.18.2, 3.19.2) `google-protobuf` [JRuby gem] (3.19.2) Protobuf "javalite" users (typically Android) are not affected. What vulnerabilities are addressed by this patch? The patch mitigates the following vulnerability: An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage collection pauses.	High	CVE-2021-22569

A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.

What should I do?

Ensure that you're using the latest versions of the following software packages:

protobuf-java (3.16.1, 3.18.2, 3.19.2)
protobuf-kotlin (3.18.2, 3.19.2)
google-protobuf [JRuby gem] (3.19.2)

Protobuf "javalite" users (typically Android) are not affected.

What vulnerabilities are addressed by this patch?

The patch mitigates the following vulnerability:

An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage collection pauses.

High

CVE-2021-22569

GCP-2021-024

Published: 2021-10-21

Description

Description	Severity	Notes
A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allows retrieval of ingress-nginx service account tokens and secrets across all namespaces. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on bare metal security bulletin	None	CVE-2021-25742

Severity

Notes

A security issue was discovered in the Kubernetes ingress-nginx controller, CVE-2021-25742. Ingress-nginx custom snippets allows retrieval of ingress-nginx service account tokens and secrets across all namespaces.

For instructions and more details, see the:

None

CVE-2021-25742

GCP-2021-019

Published: 2021-09-29

Description

Description Severity Notes

Description	Severity	Notes
There is a known issue where updating a `BackendConfig` resource using the `v1beta1` API removes an active Google Cloud Armor security policy from its service. For instructions and more details, see the GKE security bulletin.	Low

There is a known issue where updating a BackendConfig resource using the v1beta1 API removes an active Google Cloud Armor security policy from its service.

For instructions and more details, see the GKE security bulletin.

Low

GCP-2021-022

Published: 2021-09-22

Description

Description	Severity	Notes
A vulnerability has been discovered in the Anthos Identity Service (AIS) LDAP module of Anthos clusters on VMware versions 1.8 and 1.8.1 where a seed key used in generating keys is predictable. With this vulnerability, an authenticated user could add arbitrary claims and escalate privileges indefinitely. For instructions and more details, see the Anthos clusters on VMware security bulletin.	High

Severity

Notes

A vulnerability has been discovered in the Anthos Identity Service (AIS) LDAP module of Anthos clusters on VMware versions 1.8 and 1.8.1 where a seed key used in generating keys is predictable. With this vulnerability, an authenticated user could add arbitrary claims and escalate privileges indefinitely.

For instructions and more details, see the Anthos clusters on VMware security bulletin.

High

GCP-2021-021

Published: 2021-09-22

Description

Description	Severity	Notes
A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on bare metal security bulletin	Medium	CVE-2020-8561

Severity

Notes

A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server.

For instructions and more details, see the:

Medium

CVE-2020-8561

GCP-2021-023

Published: 2021-09-21

Description

Description	Severity	Notes
Per VMware security advisory VMSA-2021-0020, VMware received reports of multiple vulnerabilities in vCenter. VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have already applied the patches provided by VMware for the vSphere stack to Google Cloud VMware Engine per the VMware security advisory. This update addresses the security vulnerabilities described in CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, and CVE-2021-22010. Other non-critical security issues will be addressed in the upcoming VMware stack upgrade (per the advance notice sent in July, more details will be provided soon on the specific timeline of the upgrade). VMware Engine impact Based on our investigations, no customers were found to be impacted. What should I do? Because VMware Engine clusters are not affected by this vulnerability, no further action is required.	Critical	VMSA-2021-0020 CVE-2021-22005 CVE-2021-22006 CVE-2021-22007 CVE-2021-22008 CVE-2021-22010

Severity

Notes

Per VMware security advisory VMSA-2021-0020, VMware received reports of multiple vulnerabilities in vCenter. VMware has made updates available to remediate these vulnerabilities in affected VMware products.

We have already applied the patches provided by VMware for the vSphere stack to Google Cloud VMware Engine per the VMware security advisory. This update addresses the security vulnerabilities described in CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, and CVE-2021-22010. Other non-critical security issues will be addressed in the upcoming VMware stack upgrade (per the advance notice sent in July, more details will be provided soon on the specific timeline of the upgrade).

VMware Engine impact

Based on our investigations, no customers were found to be impacted.

What should I do?

Because VMware Engine clusters are not affected by this vulnerability, no further action is required.

Critical

GCP-2021-020

Published: 2021-09-17

Description

Description Severity Notes

Description	Severity	Notes
Certain Google Cloud load balancers routing to an Identity-Aware Proxy (IAP) enabled Backend Service could have been vulnerable to an untrusted party under limited conditions. This addresses an issue reported through our Vulnerability Reward Program. The conditions were that the servers: Were HTTP(S) load balancers and Used a default backend or a backend that had a wildcard host mapping rule (that is, host="") In addition, a user in your organization must have clicked a specifically-crafted link sent by an untrusted party. This issue has now been resolved. IAP has been updated to issue cookies only to authorized hosts as of September 17, 2021. A host is considered authorized if it matches at least one Subject Alternative Name (SAN) in one of the certificates installed on your load balancers. What to do Some of your users may experience an HTTP 401 Unauthorized response with an IAP error code 52 while trying to access apps or services. This error code means that the client sent a `Host`* header which does not match any Subject Alternative Names associated with the load balancer's SSL certificate(s). The load balancer administrator needs to update the SSL certificate to ensure that the Subject Alternative Name (SAN) list contains all the hostnames through which users are accessing the IAP-protected apps or services. Learn more about IAP error codes.	High

Certain Google Cloud load balancers routing to an Identity-Aware Proxy (IAP) enabled Backend Service could have been vulnerable to an untrusted party under limited conditions. This addresses an issue reported through our Vulnerability Reward Program.

The conditions were that the servers:

Were HTTP(S) load balancers and
Used a default backend or a backend that had a wildcard host mapping rule (that is, host="*")

In addition, a user in your organization must have clicked a specifically-crafted link sent by an untrusted party.

This issue has now been resolved. IAP has been updated to issue cookies only to authorized hosts as of September 17, 2021. A host is considered authorized if it matches at least one Subject Alternative Name (SAN) in one of the certificates installed on your load balancers.

What to do

Some of your users may experience an HTTP 401 Unauthorized response with an IAP error code 52 while trying to access apps or services. This error code means that the client sent a Host header which does not match any Subject Alternative Names associated with the load balancer's SSL certificate(s). The load balancer administrator needs to update the SSL certificate to ensure that the Subject Alternative Name (SAN) list contains all the hostnames through which users are accessing the IAP-protected apps or services. Learn more about IAP error codes.

High

GCP-2021-018

Published: 2021-09-15
Updated: 2021-09-20

Description

Description	Severity	Notes
A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on bare metal security bulletin	High	CVE-2021-25741

Severity

Notes

A security issue was discovered in Kubernetes, CVE-2021-25741, where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

For instructions and more details, see the:

High

CVE-2021-25741

GCP-2021-017

Published: 2021-09-01
Updated: 2021-09-23

Description

Description	Severity	Notes
2021-09-23 update: Containers running inside of GKE Sandbox are unaffected by this vulnerability for attacks originating inside the container. Two security vulnerabilities, CVE-2021-33909 and CVE-2021-33910, have been discovered in the Linux kernel that can lead to an OS crash or an escalation to root by an unprivileged user. This vulnerability affects all GKE node operating systems (COS and Ubuntu). For instructions and more details, see the following security bulletins: GKE security bulletin. Anthos clusters on AWS security bulletin.	High	CVE-2021-33909, CVE-2021-33910

Severity

Notes

2021-09-23 update: Containers running inside of GKE Sandbox are unaffected by this vulnerability for attacks originating inside the container.

Two security vulnerabilities, CVE-2021-33909 and CVE-2021-33910, have been discovered in the Linux kernel that can lead to an OS crash or an escalation to root by an unprivileged user. This vulnerability affects all GKE node operating systems (COS and Ubuntu).

For instructions and more details, see the following security bulletins:

High

CVE-2021-33909, CVE-2021-33910

GCP-2021-016

Published: 2021-08-24

Description

Description Severity Notes

Description	Severity	Notes
The following Envoy and Istio CVEs expose Anthos Service Mesh and Istio on GKE to remotely exploitable vulnerabilities: CVE-2021-39156: HTTP requests with a fragment (a section in the end of a URI that begins with a `#` character) in the URI path could bypass Istio's URI path-based authorization policies. CVE-2021-39155: HTTP requests could potentially bypass an Istio authorization policy when using rules based on `hosts` or `notHosts`. CVE-2021-32781: Affects Envoy's `decompressor`, `json-transcoder`, or `grpc-web` extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy's extension beyond the internal buffer size could lead to Envoy accessing deallocated memory and terminating abnormally. CVE-2021-32780: An untrusted upstream service could cause Envoy to terminate abnormally by sending the `GOAWAY` frame followed by the `SETTINGS` frame with the `SETTINGS_MAX_CONCURRENT_STREAMS` parameter set to `0`. (Not applicable to Istio on GKE) CVE-2021-32778: An Envoy client opening and then resetting a large number of HTTP/2 requests could lead to excessive CPU consumption. (Not applicable to Istio on GKE) CVE-2021-32777: HTTP requests with multiple value headers could do an incomplete authorization policy check when the `ext_authz` extension is used. For instructions and more details, see the following security bulletins: Anthos Service Mesh security bulletin. Istio on GKE security bulletin.	High	CVE-2021-39156 CVE-2021-39155 CVE-2021-32781 CVE-2021-32780 CVE-2021-32778 CVE-2021-32777

The following Envoy and Istio CVEs expose Anthos Service Mesh and Istio on GKE to remotely exploitable vulnerabilities:

CVE-2021-39156: HTTP requests with a fragment (a section in the end of a URI that begins with a # character) in the URI path could bypass Istio's URI path-based authorization policies.
CVE-2021-39155: HTTP requests could potentially bypass an Istio authorization policy when using rules based on hosts or notHosts.
CVE-2021-32781: Affects Envoy's decompressor, json-transcoder, or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy's extension beyond the internal buffer size could lead to Envoy accessing deallocated memory and terminating abnormally.
CVE-2021-32780: An untrusted upstream service could cause Envoy to terminate abnormally by sending the GOAWAY frame followed by the SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. (Not applicable to Istio on GKE)
CVE-2021-32778: An Envoy client opening and then resetting a large number of HTTP/2 requests could lead to excessive CPU consumption. (Not applicable to Istio on GKE)
CVE-2021-32777: HTTP requests with multiple value headers could do an incomplete authorization policy check when the ext_authz extension is used.

For instructions and more details, see the following security bulletins:

High

GCP-2021-015

Published: 2021-07-13
Updated: 2021-07-15

Description

Description Severity Notes

Description	Severity	Notes
A new security vulnerability, CVE-2021-22555, has been discovered where a malicious actor with `CAP_NET_ADMIN` privileges can potentially cause a container breakout to root on the host. This vulnerability affects all GKE clusters and Anthos clusters on VMware running Linux version 2.6.19 or later. For instructions and more details, see the following security bulletins: GKE security bulletin. Anthos clusters on VMware security bulletin.	High	CVE-2021-22555

A new security vulnerability, CVE-2021-22555, has been discovered where a malicious actor with CAP_NET_ADMIN privileges can potentially cause a container breakout to root on the host. This vulnerability affects all GKE clusters and Anthos clusters on VMware running Linux version 2.6.19 or later.

For instructions and more details, see the following security bulletins:

High

CVE-2021-22555

GCP-2021-014

Published: 2021-07-05

Description

Description	Severity	Notes
Microsoft published a security bulletin on a Remote code execution (RCE) vulnerability, CVE-2021-34527, that affects the print spooler in Windows servers. The CERT Coordination Center (CERT/CC) published an update note on a related vulnerability, dubbed "PrintNightmare" that also affects Windows print spoolers - PrintNightmare, Critical Windows Print Spooler Vulnerability For instructions and more details, see the GKE security bulletin.	High	CVE-2021-34527

Severity

Notes

Microsoft published a security bulletin on a Remote code execution (RCE) vulnerability, CVE-2021-34527, that affects the print spooler in Windows servers. The CERT Coordination Center (CERT/CC) published an update note on a related vulnerability, dubbed "PrintNightmare" that also affects Windows print spoolers - PrintNightmare, Critical Windows Print Spooler Vulnerability

For instructions and more details, see the GKE security bulletin.

High

CVE-2021-34527

GCP-2021-012

Published: 2021-06-24
Updated: 2021-07-09

Description

Description	Severity	Notes
The Istio project recently announced a security vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces. For product-specific instructions and more details, see: Anthos Service Mesh security bulletin. Anthos security bulletin GCP-2021-012 for information specific to Google Kubernetes Engine, Anthos on bare metal, and Anthos clusters on VMware.	High	CVE-2021-34824

Severity

Notes

The Istio project recently announced a security vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

For product-specific instructions and more details, see:

Anthos Service Mesh security bulletin.
Anthos security bulletin GCP-2021-012 for information specific to Google Kubernetes Engine, Anthos on bare metal, and Anthos clusters on VMware.

High

CVE-2021-34824

GCP-2021-011

Published: 2021-06-04
Updated: 2021-10-19

Description

Description Severity Notes

Description	Severity	Notes
2021-10-19 update: For instructions and more details, see the following security bulletins: Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on bare metal security bulletin The security community recently disclosed a new security vulnerability (CVE-2021-30465) found in `runc` that has the potential to allow full access to a node filesystem. For GKE, because exploiting this vulnerability requires the ability to create pods, we have rated the severity of this vulnerability at MEDIUM. For instructions and more details, see the GKE security bulletin.	Medium	CVE-2021-30465

2021-10-19 update:

For instructions and more details, see the following security bulletins:

The security community recently disclosed a new security vulnerability (CVE-2021-30465) found in runc that has the potential to allow full access to a node filesystem.

For GKE, because exploiting this vulnerability requires the ability to create pods, we have rated the severity of this vulnerability at MEDIUM.

For instructions and more details, see the GKE security bulletin.

Medium

CVE-2021-30465

GCP-2021-010

Published: 2021-05-25

Description

Description	Severity	Notes
Per VMware security advisory VMSA-2021-0010, remote code execution and authentication bypass vulnerabilities in vSphere Client (HTML5) were privately reported to VMware. VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have applied the patches provided by VMware for the vSphere stack per the VMware security advisory. This update addresses security vulnerabilities described in CVE-2021-21985 and CVE-2021-21986. The image versions running in your VMware Engine private cloud do not reflect any change at this time to indicate the patches applied. Please rest assured that appropriate patches have been installed and your environment is secured from these vulnerabilities. VMware Engine impact Based on our investigations, no customers were found to be impacted. What should I do? Because VMware Engine clusters are not affected by this vulnerability, no further action is required.	Critical	VMSA-2021-0010 CVE-2021-21985 CVE-2021-21986

Severity

Notes

Per VMware security advisory VMSA-2021-0010, remote code execution and authentication bypass vulnerabilities in vSphere Client (HTML5) were privately reported to VMware. VMware has made updates available to remediate these vulnerabilities in affected VMware products.

We have applied the patches provided by VMware for the vSphere stack per the VMware security advisory. This update addresses security vulnerabilities described in CVE-2021-21985 and CVE-2021-21986. The image versions running in your VMware Engine private cloud do not reflect any change at this time to indicate the patches applied. Please rest assured that appropriate patches have been installed and your environment is secured from these vulnerabilities.

VMware Engine impact

Based on our investigations, no customers were found to be impacted.

What should I do?

Because VMware Engine clusters are not affected by this vulnerability, no further action is required.

Critical

GCP-2021-008

Published: 2021-05-17

Description

Description Severity Notes

Description	Severity	Notes
Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with `AUTO_PASSTHROUGH` routing configuration. For instructions and more details, see the Anthos Service Mesh security bulletin.	High	CVE-2021-31921

Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.

For instructions and more details, see the Anthos Service Mesh security bulletin.

High

CVE-2021-31921

GCP-2021-007

Published: 2021-05-17

Description

Description Severity Notes

Description	Severity	Notes
Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (`%2F` or `%5C`) could potentially bypass an Istio authorization policy when path based authorization rules are used. For instructions and more details, see the Anthos Service Mesh security bulletin.	High	CVE-2021-31920

Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.

For instructions and more details, see the Anthos Service Mesh security bulletin.

High

CVE-2021-31920

GCP-2021-006

Published: 2021-05-11

Description

Description	Severity	Notes
The Istio project recently disclosed a new security vulnerability (CVE-2021-31920) affecting Istio. Istio contains a remotely-exploitable vulnerability where an HTTP request with multiple slashes or escaped slash characters can bypass Istio authorization policy when path based authorization rules are used. For instructions and more details, see the: GKE security bulletin	High	CVE-2021-31920

Severity

Notes

The Istio project recently disclosed a new security vulnerability (CVE-2021-31920) affecting Istio.

Istio contains a remotely-exploitable vulnerability where an HTTP request with multiple slashes or escaped slash characters can bypass Istio authorization policy when path based authorization rules are used.

For instructions and more details, see the:

GKE security bulletin

High

CVE-2021-31920

GCP-2021-005

Published: 2021-05-11

Description

Description Severity Notes

Description	Severity	Notes
A reported vulnerability has shown that Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in Envoy versions 1.18.2 and earlier. In addition, some Envoy-based products do not enable path normalization controls. A remote attacker may craft a path with escaped slashes (for example, `/something%2F..%2Fadmin,`), to bypass access control (for example, a block on `/admin`). A backend server could then decode slash sequences and normalize the path to provide an attacker access beyond the scope provided for by the access control policy. What should I do? If backend servers treat `/` and `%2F` or `\` and `%5C` interchangeably and a URL path based matching is configured, we recommend reconfiguring the backend server to not treat `\` and `%2F` or `\` and `%5C` interchangeably, if feasible. What behavioral changes were introduced? Envoy's normalize_path and merge adjacent slashes options were enabled to address other common path confusion vulnerabilities in Envoy-based products.	High	CVE-2021-29492

A reported vulnerability has shown that Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in Envoy versions 1.18.2 and earlier. In addition, some Envoy-based products do not enable path normalization controls. A remote attacker may craft a path with escaped slashes (for example, /something%2F..%2Fadmin,), to bypass access control (for example, a block on /admin). A backend server could then decode slash sequences and normalize the path to provide an attacker access beyond the scope provided for by the access control policy.

What should I do?

If backend servers treat / and %2F or \ and %5C interchangeably and a URL path based matching is configured, we recommend reconfiguring the backend server to not treat \ and %2F or \ and %5C interchangeably, if feasible.

What behavioral changes were introduced?

Envoy's normalize_path and merge adjacent slashes options were enabled to address other common path confusion vulnerabilities in Envoy-based products.

High

CVE-2021-29492

GCP-2021-004

Published: 2021-05-06

Description

Description	Severity	Notes
The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28683, CVE-2021-28682 and CVE-2021-29258), that could allow an attacker to crash Envoy. Google Kubernetes Engine clusters do not run Istio by default and are not vulnerable. If Istio has been installed in a cluster and configured to expose services to the internet, those services may be vulnerable to denial of service. Anthos on bare metal and Anthos clusters on VMware use Envoy by default for Ingress, so Ingress services may be vulnerable to denial of service. For instructions and more details, see the following security bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos on bare metal security bulletin	Medium	CVE-2021-28683 CVE-2021-28682 CVE-2021-29258

Severity

Notes

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28683, CVE-2021-28682 and CVE-2021-29258), that could allow an attacker to crash Envoy.

Google Kubernetes Engine clusters do not run Istio by default and are not vulnerable. If Istio has been installed in a cluster and configured to expose services to the internet, those services may be vulnerable to denial of service.

Anthos on bare metal and Anthos clusters on VMware use Envoy by default for Ingress, so Ingress services may be vulnerable to denial of service.

For instructions and more details, see the following security bulletins:

Medium

GCP-2021-003

Published: 2021-04-19

Description

Description Severity Notes

Description	Severity	Notes
The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook. In a scenario where an attacker has sufficient privileges and where a Validating Admission Webhook is implemented that uses old `Node` object properties (for example fields in `Node.NodeSpec`), the attacker could update properties of a node that could lead to a cluster compromise. None of the policies enforced by GKE and Kubernetes built-in admission controllers are affected, but we recommend customers check any additional admission webhooks they have installed. For instructions and more details, see the following security bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on bare metal security bulletin	Medium	CVE-2021-25735

The Kubernetes project recently announced a new security vulnerability, CVE-2021-25735, that could allow node updates to bypass a Validating Admission Webhook.

In a scenario where an attacker has sufficient privileges and where a Validating Admission Webhook is implemented that uses old Node object properties (for example fields in Node.NodeSpec), the attacker could update properties of a node that could lead to a cluster compromise. None of the policies enforced by GKE and Kubernetes built-in admission controllers are affected, but we recommend customers check any additional admission webhooks they have installed.

For instructions and more details, see the following security bulletins:

Medium

CVE-2021-25735

GCP-2021-002

Published: 2021-03-05

Description

Description	Severity	Notes
Per VMware security advisory VMSA-2021-0002, VMware received reports of multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5). VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have applied the officially documented workarounds for the vSphere stack per the VMware security advisory. This update addresses security vulnerabilities described in CVE-2021-21972, CVE-2021-21973, and CVE-2021-21974. VMware Engine impact Based on our investigations, no customers were found to be impacted. What should I do? Because VMware Engine clusters are not affected by this vulnerability, no further action is required.	Critical	VMSA-2021-0002 CVE-2021-21972 CVE-2021-21973 CVE-2021-21974

Severity

Notes

Per VMware security advisory VMSA-2021-0002, VMware received reports of multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5). VMware has made updates available to remediate these vulnerabilities in affected VMware products.

We have applied the officially documented workarounds for the vSphere stack per the VMware security advisory. This update addresses security vulnerabilities described in CVE-2021-21972, CVE-2021-21973, and CVE-2021-21974.

VMware Engine impact

Based on our investigations, no customers were found to be impacted.

What should I do?

Because VMware Engine clusters are not affected by this vulnerability, no further action is required.

Critical

GCP-2021-001

Published: 2021-01-28

Description

Description Severity Notes

Description	Severity	Notes
A vulnerability was recently discovered in the Linux utility `sudo`, described in CVE-2021-3156, that may allow an attacker with unprivileged local shell access on a system with `sudo` installed to escalate their privileges to root on the system. The underlying infrastructure that runs Compute Engine is not impacted by this vulnerability. All Google Kubernetes Engine (GKE), Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on bare metal clusters are not affected by this vulnerability. For instructions and more details, see the following security bulletins: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin Anthos on bare metal security bulletin Compute Engine security bulletin	None	CVE-2021-3156

A vulnerability was recently discovered in the Linux utility sudo, described in CVE-2021-3156, that may allow an attacker with unprivileged local shell access on a system with sudo installed to escalate their privileges to root on the system.

The underlying infrastructure that runs Compute Engine is not impacted by this vulnerability.

All Google Kubernetes Engine (GKE), Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on bare metal clusters are not affected by this vulnerability.

For instructions and more details, see the following security bulletins:

None

CVE-2021-3156

GCP-2020-015

Published: 2020-12-07
Updated: 2020-12-22

Description

Description Severity Notes

Description	Severity	Notes
Updated: 2021-12-22 The command for GKE in the following section should use `gcloud beta` instead of the `gcloud` command. gcloud container clusters update –no-enable-service-externalips Updated: 2021-12-15 For GKE, the following mitigation is now available: Starting in GKE version 1.21, services with ExternalIPs are blocked by a `DenyServiceExternalIPs` admission controller that is enabled by default for new clusters. Customers who upgrade to GKE version 1.21 can block services with ExternalIPs using the following command: gcloud container clusters update –no-enable-service-externalips For more information, see Hardening your cluster's security. The Kubernetes project recently discovered a new security vulnerability, CVE-2020-8554, that might allow an attacker who has obtained permissions to create a Kubernetes Service of type LoadBalancer or ClusterIP to intercept network traffic originating from other Pods in the cluster. This vulnerability by itself does not give an attacker permissions to create a Kubernetes Service. All Google Kubernetes Engine (GKE), Anthos clusters on VMware, and Anthos clusters on AWS clusters are affected by this vulnerability. What should I do? For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin	Medium	CVE-2020-8554

Updated: 2021-12-22 The command for GKE in the following section should use gcloud beta instead of the gcloud command.

gcloud container clusters update –no-enable-service-externalips

Updated: 2021-12-15 For GKE, the following mitigation is now available:

Starting in GKE version 1.21, services with ExternalIPs are blocked by a DenyServiceExternalIPs admission controller that is enabled by default for new clusters.
Customers who upgrade to GKE version 1.21 can block services with ExternalIPs using the following command:
```
gcloud container clusters update –no-enable-service-externalips
```

For more information, see Hardening your cluster's security.

The Kubernetes project recently discovered a new security vulnerability, CVE-2020-8554, that might allow an attacker who has obtained permissions to create a Kubernetes Service of type LoadBalancer or ClusterIP to intercept network traffic originating from other Pods in the cluster. This vulnerability by itself does not give an attacker permissions to create a Kubernetes Service.

All Google Kubernetes Engine (GKE), Anthos clusters on VMware, and Anthos clusters on AWS clusters are affected by this vulnerability.

What should I do?

For instructions and more details, see the:

Medium

CVE-2020-8554

GCP-2020-014

Published: 2020-10-20
Updated: 2020-10-20

Description

Description	Severity	Notes
The Kubernetes project recently discovered several issues that allow for the exposure of secret data when verbose logging options are enabled. The issues are: CVE-2020-8563: Secret leaks in logs for vSphere Provider kube-controller-manager CVE-2020-8564: Docker config secrets leaked when file is malformed and loglevel >= 4 CVE-2020-8565: Incomplete fix for CVE-2019-11250 in Kubernetes allows for token leak in logs when logLevel >= 9. Discovered by GKE Security. CVE-2020-8566: Ceph RBD adminSecrets exposed in logs when loglevel >= 4 What should I do? No further action is required due to the default verbosity logging levels of GKE.	None	CVE-2020-8563 CVE-2020-8564 CVE-2020-8565 CVE-2020-8566

Severity

Notes

The Kubernetes project recently discovered several issues that allow for the exposure of secret data when verbose logging options are enabled. The issues are:

CVE-2020-8563: Secret leaks in logs for vSphere Provider kube-controller-manager
CVE-2020-8564: Docker config secrets leaked when file is malformed and loglevel >= 4
CVE-2020-8565: Incomplete fix for CVE-2019-11250 in Kubernetes allows for token leak in logs when logLevel >= 9. Discovered by GKE Security.
CVE-2020-8566: Ceph RBD adminSecrets exposed in logs when loglevel >= 4

What should I do?

No further action is required due to the default verbosity logging levels of GKE.

None

Google Cloud impact

Per-product details are listed below.

Product	Impact
Google Kubernetes Engine (GKE)	Google Kubernetes Engine (GKE) is not affected.
GKE On-Prem	GKE On-Prem is not affected.
GKE on AWS	GKE on AWS is not affected.

GCP-2020-013

Published: 2020-09-29

Description

Microsoft has disclosed the following vulnerability:

Vulnerability	Severity	CVE
CVE-2020-1472 — A vulnerability in Windows Server allows attackers to use Netlogon Remote Protocol to run a specially-crafted application on a device on the network.	NVD Base Score: 10 (Critical)	CVE-2020-1472

For more information, see the Microsoft disclosure.

Google Cloud impact

The infrastructure hosting the Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product	Impact
Compute Engine	CVE-2020-1472 For most customers, no further action is required. Customers using Compute Engine virtual machines running Windows Server should ensure their instances have been updated with the latest Windows patch or use Windows Server images published after 08-17-2020 (v20200813 or higher).
Google Kubernetes Engine	CVE-2020-1472 For most customers, no further action is required. Any customers hosting domain controllers in their GKE Windows Server nodes should ensure both the nodes and the containerized workloads that run on those nodes have the latest Windows node image when it is available. A new node image version will be announced in the GKE release notes in October.
Managed Service for Microsoft Active Directory	CVE-2020-1472 For most customers, no further action is required. The August patch released by Microsoft that includes fixes to the NetLogon protocol has been applied to all Managed Microsoft AD domain controllers. This patch delivers functionality to protect against potential exploitation. The timely application of patches is one of the key advantages of using the Managed Service for Microsoft Active Directory. Any customers manually running Microsoft Active Directory (and not utilizing Google Cloud’s managed service) should ensure their instances have the latest Windows patch or use Windows Server images.
Google Workspace	No customer action is required. This service is not impacted by this vulnerability.
App Engine standard environment	No customer action is required. This service is not impacted by this vulnerability.
App Engine flexible environment	No customer action is required. This service is not impacted by this vulnerability.
Cloud Run	No customer action is required. This service is not impacted by this vulnerability.
Cloud Functions	No customer action is required. This service is not impacted by this vulnerability.
Cloud Composer	No customer action is required. This service is not impacted by this vulnerability.
Dataflow	No customer action is required. This service is not impacted by this vulnerability.
Dataproc	No customer action is required. This service is not impacted by this vulnerability.
Cloud SQL	No customer action is required. This service is not impacted by this vulnerability.

GCP-2020-012

Published: 2020-09-14
Updated: 2020-09-17

Description

Description	Severity	Notes
A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node. All GKE nodes are affected. Pods running in GKE Sandbox are not able to leverage this vulnerability. For instructions and more details, see the: GKE security bulletin. Anthos clusters on VMware security bulletin. Anthos clusters on AWS security bulletin. What vulnerability is addressed by this patch? The patch mitigates the following vulnerability: The vulnerability CVE-2020-14386, which allows containers with CAP_NET_RAW to write 1 to 10 bytes of kernel memory, and possibly escape the container and obtain root privileges on the host node. This is rated as a High severity vulnerability.	High	CVE-2020-14386

Severity

Notes

A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node.

All GKE nodes are affected. Pods running in GKE Sandbox are not able to leverage this vulnerability.

For instructions and more details, see the:

What vulnerability is addressed by this patch?

The patch mitigates the following vulnerability:

The vulnerability CVE-2020-14386, which allows containers with CAP_NET_RAW
to write 1 to 10 bytes of kernel memory, and possibly escape the container and obtain root privileges on the host node. This is rated as a High severity vulnerability.

High

CVE-2020-14386

GCP-2020-011

Published: 2020-07-24

Description

Description	Severity	Notes
A networking vulnerability, CVE-2020-8558, was recently discovered in Kubernetes. Services sometimes communicate with other applications running inside the same Pod using the local loopback interface (127.0.0.1). This vulnerability allows an attacker with access to the cluster's network to send traffic to the loopback interface of adjacent Pods and nodes. Services that rely on the loopback interface not being accessible outside their Pod could be exploited. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin	Low (GKE and Anthos clusters on AWS), Medium (Anthos clusters on VMware)	CVE-2020-8558

Severity

Notes

A networking vulnerability, CVE-2020-8558, was recently discovered in Kubernetes. Services sometimes communicate with other applications running inside the same Pod using the local loopback interface (127.0.0.1). This vulnerability allows an attacker with access to the cluster's network to send traffic to the loopback interface of adjacent Pods and nodes. Services that rely on the loopback interface not being accessible outside their Pod could be exploited.

For instructions and more details, see the:

Low (GKE and Anthos clusters on AWS),
Medium (Anthos clusters on VMware)

CVE-2020-8558

GCP-2020-010

Published: 2020-07-27

Description

Microsoft has disclosed the following vulnerability:

Vulnerability	Severity	CVE
CVE-2020-1350 — Windows Servers that serve in a DNS server capacity can be exploited to run untrusted code by the Local System Account.	NVD Base Score: 10.0 (Critical)	CVE-2020-1350

For more information, see the Microsoft disclosure.

Google Cloud impact

The infrastructure hosting the Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product	Impact
Compute Engine	CVE-2020-1350 For most customers, no further action is required. Customers using Compute Engine virtual machines running Windows Server in a DNS server capacity should ensure their instances have the latest Windows patch or use Windows Server images provided since 07/14/2020.
Google Kubernetes Engine	CVE-2020-1350 For most customers, no further action is required. Customers using GKE with Windows Server node in a DNS server capacity must manually update the nodes and the containerized workloads that run on those nodes to a Windows server version containing the fix.
Managed Service for Microsoft Active Directory	CVE-2020-1350 For most customers, no further action is required. All Managed Microsoft AD domains have been automatically updated with the patched image. Any customers manually running Microsoft Active Directory (and not utilizing Managed Microsoft AD) should ensure their instances have the latest Windows patch or use Windows Server images provided since 07/14/2020.
Google Workspace	No customer action is required. This service is not impacted by this vulnerability.
App Engine standard environment	No customer action is required. This service is not impacted by this vulnerability.
App Engine flexible environment	No customer action is required. This service is not impacted by this vulnerability.
Cloud Run	No customer action is required. This service is not impacted by this vulnerability.
Cloud Functions	No customer action is required. This service is not impacted by this vulnerability.
Cloud Composer	No customer action is required. This service is not impacted by this vulnerability.
Dataflow	No customer action is required. This service is not impacted by this vulnerability.
Dataproc	No customer action is required. This service is not impacted by this vulnerability.
Cloud SQL	No customer action is required. This service is not impacted by this vulnerability.

GCP-2020-009

Published: 2020-07-15

Description

Description	Severity	Notes
A privilege escalation vulnerability, CVE-2020-8559, was recently discovered in Kubernetes. This vulnerability allows an attacker that has already compromised a node to execute a command in any Pod in the cluster. The attacker can thereby use the already compromised node to compromise other nodes and potentially read information, or cause destructive actions. Note that for an attacker to exploit this vulnerability, a node in your cluster must have already been compromised. This vulnerability, by itself, will not compromise any nodes in your cluster. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin	Medium	CVE-2020-8559

Severity

Notes

A privilege escalation vulnerability, CVE-2020-8559, was recently discovered in Kubernetes. This vulnerability allows an attacker that has already compromised a node to execute a command in any Pod in the cluster. The attacker can thereby use the already compromised node to compromise other nodes and potentially read information, or cause destructive actions.

Note that for an attacker to exploit this vulnerability, a node in your cluster must have already been compromised. This vulnerability, by itself, will not compromise any nodes in your cluster.

For instructions and more details, see the:

Medium

CVE-2020-8559

GCP-2020-008

Published: 2020-06-19

Description

Description	Severity	Notes
Description VMs that have OS Login enabled might be susceptible to privilege escalation vulnerabilities. These vulnerabilities gives users that are granted OS Login permissions (but not given admin access) the ability to escalate to root access in the VM. For instructions and more details, see the Compute Engine security bulletin.	High	CVE-2020-8903 CVE-2020-8907 CVE-2020-8933

Severity

Notes

Description

VMs that have OS Login enabled might be susceptible to privilege escalation vulnerabilities. These vulnerabilities gives users that are granted OS Login permissions (but not given admin access) the ability to escalate to root access in the VM.

For instructions and more details, see the Compute Engine security bulletin.

High

GCP-2020-007

Published: 2020-06-01

Description

Description	Severity	Notes
Server Side Request Forgery (SSRF) vulnerability, CVE-2020-8555, was recently discovered in Kubernetes, allowing certain authorized users to leak up to 500 bytes of sensitive information from the control plane host network. The Google Kubernetes Engine (GKE) control plane uses controllers from Kubernetes and is thus affected by this vulnerability. We recommend that you upgrade the control plane to the latest patch version. A node upgrade is not required. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin	Medium	CVE-2020-8555

Severity

Notes

Server Side Request Forgery (SSRF) vulnerability, CVE-2020-8555, was recently discovered in Kubernetes, allowing certain authorized users to leak up to 500 bytes of sensitive information from the control plane host network. The Google Kubernetes Engine (GKE) control plane uses controllers from Kubernetes and is thus affected by this vulnerability. We recommend that you upgrade the control plane to the latest patch version. A node upgrade is not required.

For instructions and more details, see the:

Medium

CVE-2020-8555

GCP-2020-006

Published: 2020-06-01

Description

Description	Severity	Notes
Kubernetes has disclosed a vulnerability that allows a privileged container to redirect node traffic to another container. Mutual TLS/SSH traffic, such as between the kubelet and API server or traffic from applications using mTLS cannot be read or modified by this attack. All Google Kubernetes Engine (GKE) nodes are affected by this vulnerability, and we recommend that you upgrade to the latest patch version. For instructions and more details, see the: GKE security bulletin Anthos clusters on VMware security bulletin Anthos clusters on AWS security bulletin	Medium	Kubernetes issue 91507

Severity

Notes

Kubernetes has disclosed a vulnerability that allows a privileged container to redirect node traffic to another container. Mutual TLS/SSH traffic, such as between the kubelet and API server or traffic from applications using mTLS cannot be read or modified by this attack. All Google Kubernetes Engine (GKE) nodes are affected by this vulnerability, and we recommend that you upgrade to the latest patch version.

For instructions and more details, see the:

Medium

Kubernetes issue 91507

GCP-2020-005

Published: 2020-05-07

Description

Vulnerability	Severity	CVE
A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-8835, allowing container escape to obtain root privileges on the host node. Google Kubernetes Engine (GKE) Ubuntu nodes running GKE 1.16 or 1.17 are affected by this vulnerability, and we recommend that you upgrade to the latest patch version as soon as possible. Please see the GKE security bulletin for instructions and more details.	High	CVE-2020-8835

Vulnerability

Severity

CVE

A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-8835, allowing container escape to obtain root privileges on the host node.

Google Kubernetes Engine (GKE) Ubuntu nodes running GKE 1.16 or 1.17 are affected by this vulnerability, and we recommend that you upgrade to the latest patch version as soon as possible.

Please see the GKE security bulletin for instructions and more details.

High

CVE-2020-8835

GCP-2020-004

Published: 2020-03-31
Updated: 2020-03-31

Description

Kubernetes has disclosed the following vulnerabulities:

Vulnerability	Severity	CVE
CVE-2019-11254 — This is a Denial of Service (DoS) vulnerability that impacts the API server.	Medium	CVE-2019-11254

See the Anthos clusters on VMware security bulletin for instructions and more details.

GCP-2020-003

Published: 2020-03-31
Updated: 2020-03-31

Description

Kubernetes has disclosed the following vulnerabulities:

Vulnerability	Severity	CVE
CVE-2019-11254 — This is a Denial of Service (DoS) vulnerability that impacts the API server.	Medium	CVE-2019-11254

See the GKE security bulletin for instructions and more details.

GCP-2020-002

Published: 2020-03-23
Updated: 2020-03-23

Description

Kubernetes has disclosed the following vulnerabulities:

Vulnerability	Severity	CVE
CVE-2020-8551 — This is a Denial of Service (DoS) vulnerability that impacts the kubelet.	Medium	CVE-2020-8551
CVE-2020-8552 — This is a Denial of Service (DoS) vulnerability that impacts the API server.	Medium	CVE-2020-8552

See the GKE security bulletin for instructions and more details.

GCP-2020-001

Published: 2020-01-21
Updated: 2020-01-21

Description

Microsoft has disclosed the following vulnerability:

Vulnerability	Severity	CVE
CVE-2020-0601 — This vulnerability is also known as the Windows Crypto API Spoofing Vulnerability. It could be exploited to make malicious executables appear trusted or allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.	NVD Base Score: 8.1 (High)	CVE-2020-0601

For more information, see the Microsoft disclosure.

Google Cloud impact

The infrastructure hosting the Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product	Impact
Compute Engine	CVE-2020-0601 For most customers, no further action is required. Customers using Compute Engine virtual machines running Windows Server should ensure their instances have the latest Windows patch or use Windows Server images provided since 1/15/2020. Please see the Compute Engine security bulletin for more details.
Google Kubernetes Engine	CVE-2020-0601 For most customers, no further action is required. Customers using GKE with Windows Server nodes, both the nodes and the containerized workloads that run on those nodes must be updated to patched versions to mitigate this vulnerability. Please see the GKE security bulletin for instructions and more details.
Managed Service for Microsoft Active Directory	CVE-2020-0601 For most customers, no further action is required. All Managed Microsoft AD domains have been automatically updated with the patched image. Any customers manually running Microsoft Active Directory (and not utilizing Managed Microsoft AD) should ensure their instances have the latest Windows patch or use Windows Server images provided since 1/15/2020.
Google Workspace	No customer action is required. This service is not impacted by this vulnerability.
App Engine standard environment	No customer action is required. This service is not impacted by this vulnerability.
App Engine flexible environment	No customer action is required. This service is not impacted by this vulnerability.
Cloud Run	No customer action is required. This service is not impacted by this vulnerability.
Cloud Functions	No customer action is required. This service is not impacted by this vulnerability.
Cloud Composer	No customer action is required. This service is not impacted by this vulnerability.
Dataflow	No customer action is required. This service is not impacted by this vulnerability.
Dataproc	No customer action is required. This service is not impacted by this vulnerability.
Cloud SQL	No customer action is required. This service is not impacted by this vulnerability.

GCP-2019-001

Published: 2019-11-12
Updated: 2019-11-12

Description

Intel has disclosed the following vulnerabilities:

Vulnerability	Severity	CVE
CVE-2019-11135 — This vulnerability referred to as TSX Async Abort (TAA) can be used to exploit speculative execution within a TSX transaction. This vulnerability potentially allows data to be exposed via the same microarchitectural data structures exposed by Microarchitectural Data Sampling (MDS).	Medium	CVE-2019-11135
CVE-2018-12207 — This is a Denial of Service (DoS) vulnerability affecting virtual machine hosts (not guests). This issue is known as "Machine Check Error on Page Size Change."	Medium	CVE-2018-12207

For more information, see the Intel disclosures:

Google Cloud impact

The infrastructure hosting the Google Cloud and Google products is protected from these vulnerabilities. Additional per-product details are listed below.

Product	Impact
Compute Engine	CVE-2019-11135 For most customers, no additional action is required. N2, C2 or M2 customers running untrusted code in their own multi-tenant services within Compute Engine virtual machines should stop and start their VMs to ensure that they have the latest security mitigations. Note: For more details, see the Compute Engine security bulletin. CVE-2018-12207 For all customers, no additional action is required.
Google Kubernetes Engine	CVE-2019-11135 For most customers, no additional action is required. If you use node pools with N2, M2, or C2 nodes, and those nodes run untrusted code inside your own multi-tenant GKE clusters, then you should restart your nodes. If you want to restart all nodes in your node pool, upgrade the affected node pool. Note: You can specify the same GKE version for an upgrade to your node pool. For more details, see the GKE security bulletin. CVE-2018-12207 For all customers, no additional action is required.
App Engine standard environment	No additional action is required.
App Engine flexible environment	CVE-2019-11135 No additional action is required. Customers should review Intel best practices with respect to application-level sharing which may occur between hyperthreads within a Flex VM. CVE-2018-12207 No additional action is required.
Cloud Run	No additional action is required.
Cloud Functions	No additional action is required.
Cloud Composer	No additional action is required.
Dataflow	CVE-2019-11135 For most customers, no additional action is required. Dataflow customers who run multiple untrusted workloads on N2, C2, or M2 Compute Engine VMs managed by Dataflow and are concerned about intra-guest attacks should consider restarting any streaming pipelines that are currently running. Optionally, batch pipelines can be cancelled and re-run. No action is required for pipelines launched after today. CVE-2018-12207 For all customers, no additional action is required.
Dataproc	CVE-2019-11135 For most customers, no additional action is required. Cloud Dataproc customers who run multiple, untrusted workloads on the same Cloud Dataproc cluster running on Compute Engine N2, C2 or M2 VMs and are concerned about intra-guest attacks, should redeploy their clusters. CVE-2018-12207 For all customers, no additional action is required.
Cloud SQL	No additional action is required.