Google Cloud Platform Security Bulletins

The following security bulletins are related to Google Cloud.

GCP-2020-014

Description

Published: 2020-10-20
Updated: 2020-10-20

Description Severity Notes

The Kubernetes project recently discovered several issues that allow for the exposure of secret data when verbose logging options are enabled. The issues are:

  • CVE-2020-8563: Secret leaks in logs for vSphere Provider kube-controller-manager
  • CVE-2020-8564: Docker config secrets leaked when file is malformed and loglevel >= 4
  • CVE-2020-8565: Incomplete fix for CVE-2019-11250 in Kubernetes allows for token leak in logs when logLevel >= 9. Discovered by GKE Security.
  • CVE-2020-8566: Ceph RBD adminSecrets exposed in logs when loglevel >= 4

What should I do?

No further action is required due to the default verbosity logging levels of GKE.

None

Google Cloud impact

Per-product details are listed below.

Product

Impact

Google Kubernetes Engine (GKE)

Google Kubernetes Engine (GKE) is not affected.

GKE On-Prem

GKE On-Prem is not affected.

GKE on AWS

GKE on AWS is not affected.

GCP-2020-013

Published: 2020-09-29

Description

Microsoft has disclosed the following vulnerability:

Vulnerability

Severity

CVE

CVE-2020-1472 — A vulnerability in Windows Server allows attackers to use Netlogon Remote Protocol to run a specially-crafted application on a device on the network.

NVD Base Score: 10 (Critical)

CVE-2020-1472

For more information, see the Microsoft disclosure.

Google Cloud impact

The infrastructure hosting the Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product

Impact

Compute Engine

CVE-2020-1472

For most customers, no further action is required.

Customers using Compute Engine virtual machines running Windows Server should ensure their instances have been updated with the latest Windows patch or use Windows Server images published after 08-17-2020 (v20200813 or higher).

Google Kubernetes Engine

CVE-2020-1472

For most customers, no further action is required.

Any customers hosting domain controllers in their GKE Windows Server nodes should ensure both the nodes and the containerized workloads that run on those nodes have the latest Windows node image when it is available. A new node image version will be announced in the GKE release notes in October.

Managed Service for Microsoft Active Directory

CVE-2020-1472

For most customers, no further action is required.

The August patch released by Microsoft that includes fixes to the NetLogon protocol has been applied to all Managed Microsoft AD domain controllers. This patch delivers functionality to protect against potential exploitation. The timely application of patches is one of the key advantages of using the Managed Service for Microsoft Active Directory. Any customers manually running Microsoft Active Directory (and not utilizing Google Cloud’s managed service) should ensure their instances have the latest Windows patch or use Windows Server images.

Google Workspace

No customer action is required.

This service is not impacted by this vulnerability.

App Engine standard environment

No customer action is required.

This service is not impacted by this vulnerability.

App Engine flexible environment

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Run

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Functions

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Composer

No customer action is required.

This service is not impacted by this vulnerability.

Dataflow

No customer action is required.

This service is not impacted by this vulnerability.

Dataproc

No customer action is required.

This service is not impacted by this vulnerability.

Cloud SQL

No customer action is required.

This service is not impacted by this vulnerability.

GCP-2020-012

Published: 2020-09-14
Updated: 2020-09-17

Description Severity Notes

A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node.

All GKE nodes are affected. Pods running in GKE Sandbox are not able to leverage this vulnerability.

For instructions and more details, see the:


What vulnerability is addressed by this patch?

The patch mitigates the following vulnerability:

The vulnerability CVE-2020-14386, which allows containers with CAP_NET_RAW
to write 1 to 10 bytes of kernel memory, and possibly escape the container and obtain root privileges on the host node. This is rated as a High severity vulnerability.

High

CVE-2020-14386

GCP-2020-011

Published: 2020-07-24

Description

Description Severity Notes

A networking vulnerability, CVE-2020-8558, was recently discovered in Kubernetes. Services sometimes communicate with other applications running inside the same Pod using the local loopback interface (127.0.0.1). This vulnerability allows an attacker with access to the cluster's network to send traffic to the loopback interface of adjacent Pods and nodes. Services that rely on the loopback interface not being accessible outside their Pod could be exploited.

For instructions and more details, see the:

Low (GKE and GKE on AWS),
Medium (GKE on-prem)

CVE-2020-8558

GCP-2020-010

Published: 2020-07-27

Description

Microsoft has disclosed the following vulnerability:

Vulnerability

Severity

CVE

CVE-2020-1350 — Windows Servers that serve in a DNS server capacity can be exploited to run untrusted code by the Local System Account.

NVD Base Score: 10.0 (Critical)

CVE-2020-1350

For more information, see the Microsoft disclosure.

Google Cloud impact

The infrastructure hosting the Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product

Impact

Compute Engine

CVE-2020-1350

For most customers, no further action is required.

Customers using Compute Engine virtual machines running Windows Server in a DNS server capacity should ensure their instances have the latest Windows patch or use Windows Server images provided since 07/14/2020.

Google Kubernetes Engine

CVE-2020-1350

For most customers, no further action is required.

Customers using GKE with Windows Server node in a DNS server capacity must manually update the nodes and the containerized workloads that run on those nodes to a Windows server version containing the fix.

Managed Service for Microsoft Active Directory

CVE-2020-1350

For most customers, no further action is required.

All Managed Microsoft AD domains have been automatically updated with the patched image. Any customers manually running Microsoft Active Directory (and not utilizing Managed Microsoft AD) should ensure their instances have the latest Windows patch or use Windows Server images provided since 07/14/2020.

Google Workspace

No customer action is required.

This service is not impacted by this vulnerability.

App Engine standard environment

No customer action is required.

This service is not impacted by this vulnerability.

App Engine flexible environment

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Run

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Functions

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Composer

No customer action is required.

This service is not impacted by this vulnerability.

Dataflow

No customer action is required.

This service is not impacted by this vulnerability.

Dataproc

No customer action is required.

This service is not impacted by this vulnerability.

Cloud SQL

No customer action is required.

This service is not impacted by this vulnerability.

GCP-2020-009

Published: 2020-07-15

Description

Description Severity Notes

A privilege escalation vulnerability, CVE-2020-8559, was recently discovered in Kubernetes. This vulnerability allows an attacker that has already compromised a node to execute a command in any Pod in the cluster. The attacker can thereby use the already compromised node to compromise other nodes and potentially read information, or cause destructive actions.

Note that for an attacker to exploit this vulnerability, a node in your cluster must have already been compromised. This vulnerability, by itself, will not compromise any nodes in your cluster.

For instructions and more details, see the:

Medium

CVE-2020-8559

GCP-2020-008

Published: 2020-06-19

Description

Description Severity Notes

Description

VMs that have OS Login enabled might be susceptible to privilege escalation vulnerabilities. These vulnerabilities gives users that are granted OS Login permissions (but not given admin access) the ability to escalate to root access in the VM.

For instructions and more details, see the Compute Engine security bulletin.

High

GCP-2020-007

Published: 2020-06-01

Description

Description Severity Notes

Server Side Request Forgery (SSRF) vulnerability, CVE-2020-8555, was recently discovered in Kubernetes, allowing certain authorized users to leak up to 500 bytes of sensitive information from the control plane host network. The Google Kubernetes Engine (GKE) control plane uses controllers from Kubernetes and is thus affected by this vulnerability. We recommend that you upgrade the control plane to the latest patch version. A node upgrade is not required.

For instructions and more details, see the:

Medium

CVE-2020-8555

GCP-2020-006

Published: 2020-06-01

Description

Description Severity Notes

Kubernetes has disclosed a vulnerability that allows a privileged container to redirect node traffic to another container. Mutual TLS/SSH traffic, such as between the kubelet and API server or traffic from applications using mTLS cannot be read or modified by this attack. All Google Kubernetes Engine (GKE) nodes are affected by this vulnerability, and we recommend that you upgrade to the latest patch version.

For instructions and more details, see the:

Medium

Kubernetes issue 91507

GCP-2020-005

Published:2020-05-07

Description

Vulnerability

Severity

CVE

A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-8835, allowing container escape to obtain root privileges on the host node.

Google Kubernetes Engine (GKE) Ubuntu nodes running GKE 1.16 or 1.17 are affected by this vulnerability, and we recommend that you upgrade to the latest patch version as soon as possible.

Please see the GKE security bulletin for instructions and more details.

High

CVE-2020-8835

GCP-2020-004

Published:2020-03-31 | Last updated: 2020-03-31

Description

Kubernetes has disclosed the following vulnerabulities:

Vulnerability

Severity

CVE

CVE-2019-11254 — This is a Denial of Service (DoS) vulnerability that impacts the API server.

Medium

CVE-2019-11254

See the GKE on-prem security bulletin for instructions and more details.

GCP-2020-003

Published:2020-03-31 | Last updated: 2020-03-31

Description

Kubernetes has disclosed the following vulnerabulities:

Vulnerability

Severity

CVE

CVE-2019-11254 — This is a Denial of Service (DoS) vulnerability that impacts the API server.

Medium

CVE-2019-11254

See the GKE security bulletin for instructions and more details.

GCP-2020-002

Published:2020-03-23 | Last updated: 2020-03-23

Description

Kubernetes has disclosed the following vulnerabulities:

Vulnerability

Severity

CVE

CVE-2020-8551 — This is a Denial of Service (DoS) vulnerability that impacts the kubelet.

Medium

CVE-2020-8551

CVE-2020-8552 — This is a Denial of Service (DoS) vulnerability that impacts the API server.

Medium

CVE-2020-8552

See the GKE security bulletin for instructions and more details.

GCP-2020-001

Published: 2020-01-21 | Last updated: 2020-01-21

Description

Microsoft has disclosed the following vulnerability:

Vulnerability

Severity

CVE

CVE-2020-0601 — This vulnerability is also known as the Windows Crypto API Spoofing Vulnerability. It could be exploited to make malicious executables appear trusted or allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

NVD Base Score: 8.1 (High)

CVE-2020-0601

For more information, see the Microsoft disclosure.

Google Cloud impact

The infrastructure hosting the Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product

Impact

Compute Engine

CVE-2020-0601

For most customers, no further action is required.

Customers using Compute Engine virtual machines running Windows Server should ensure their instances have the latest Windows patch or use Windows Server images provided since 1/15/2020. Please see the Compute Engine security bulletin for more details.

Google Kubernetes Engine

CVE-2020-0601

For most customers, no further action is required.

Customers using GKE with Windows Server nodes, both the nodes and the containerized workloads that run on those nodes must be updated to patched versions to mitigate this vulnerability. Please see the GKE security bulletin for instructions and more details.

Managed Service for Microsoft Active Directory

CVE-2020-0601

For most customers, no further action is required.

All Managed Microsoft AD domains have been automatically updated with the patched image. Any customers manually running Microsoft Active Directory (and not utilizing Managed Microsoft AD) should ensure their instances have the latest Windows patch or use Windows Server images provided since 1/15/2020.

Google Workspace

No customer action is required.

This service is not impacted by this vulnerability.

App Engine standard environment

No customer action is required.

This service is not impacted by this vulnerability.

App Engine flexible environment

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Run

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Functions

No customer action is required.

This service is not impacted by this vulnerability.

Cloud Composer

No customer action is required.

This service is not impacted by this vulnerability.

Dataflow

No customer action is required.

This service is not impacted by this vulnerability.

Dataproc

No customer action is required.

This service is not impacted by this vulnerability.

Cloud SQL

No customer action is required.

This service is not impacted by this vulnerability.

GCP-2019-001

Published: 2019-11-12 | Last updated: 2019-11-12

Description

Intel has disclosed the following vulnerabilities:

Vulnerability

Severity

CVE

CVE-2019-11135 — This vulnerability referred to as TSX Async Abort (TAA) can be used to exploit speculative execution within a TSX transaction. This vulnerability potentially allows data to be exposed via the same microarchitectural data structures exposed by Microarchitectural Data Sampling (MDS).

Medium

CVE-2019-11135

CVE-2018-12207 — This is a Denial of Service (DoS) vulnerability affecting virtual machine hosts (not guests). This issue is known as "Machine Check Error on Page Size Change."

Medium

CVE-2018-12207

For more information, see the Intel disclosures:

Google Cloud impact

The infrastructure hosting the Google Cloud and Google products is protected from these vulnerabilities. Additional per-product details are listed below.

Product

Impact

Compute Engine

CVE-2019-11135

For most customers, no additional action is required.

N2, C2 or M2 customers running untrusted code in their own multi-tenant services within Compute Engine virtual machines should stop and start their VMs to ensure that they have the latest security mitigations.

CVE-2018-12207

For all customers, no additional action is required.

Google Kubernetes Engine

CVE-2019-11135

For most customers, no additional action is required.

If you use node pools with N2, M2, or C2 nodes, and those nodes run untrusted code inside your own multi-tenant GKE clusters, then you should restart your nodes. If you want to restart all nodes in your node pool, upgrade the affected node pool.

CVE-2018-12207

For all customers, no additional action is required.

App Engine standard environment

No additional action is required.

App Engine flexible environment

CVE-2019-11135

No additional action is required.

Customers should review Intel best practices with respect to application-level sharing which may occur between hyperthreads within a Flex VM.

CVE-2018-12207

No additional action is required.

Cloud Run

No additional action is required.

Cloud Functions

No additional action is required.

Cloud Composer

No additional action is required.

Dataflow

CVE-2019-11135

For most customers, no additional action is required.

Dataflow customers who run multiple untrusted workloads on N2, C2, or M2 Compute Engine VMs managed by Dataflow and are concerned about intra-guest attacks should consider restarting any streaming pipelines that are currently running. Optionally, batch pipelines can be cancelled and re-run. No action is required for pipelines launched after today.

CVE-2018-12207

For all customers, no additional action is required.

Dataproc

CVE-2019-11135

For most customers, no additional action is required.

Cloud Dataproc customers who run multiple, untrusted workloads on the same Cloud Dataproc cluster running on Compute Engine N2, C2 or M2 VMs and are concerned about intra-guest attacks, should redeploy their clusters.

CVE-2018-12207

For all customers, no additional action is required.

Cloud SQL

No additional action is required.