The following security bulletins are related to Google Cloud.
GCP-2021-002
Published: 2021-03-05
Description

Description | Severity | Notes |
---|---|---|
Per VMware security advisory VMSA-2021-0002, VMware received reports of multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5). VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have applied the officially documented workarounds for the vSphere stack per the VMware security advisory. This update addresses the security vulnerabilities described in CVE-2021-21972, CVE-2021-21973, and CVE-2021-21974. VMware Engine impact: based on our investigations, no customers were found to be impacted. What should I do? Because VMware Engine clusters are not affected by these vulnerabilities, no further action is required. | Critical | CVE-2021-21972, CVE-2021-21973, CVE-2021-21974 |
GCP-2021-001
Published: 2021-01-28
Description

Description | Severity | Notes |
---|---|---|
A vulnerability was recently discovered in the Linux utility sudo, described in CVE-2021-3156, that allows a local user to escalate privileges to root. The underlying infrastructure that runs Compute Engine is not impacted by this vulnerability. All Google Kubernetes Engine (GKE), Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on bare metal clusters are not affected by this vulnerability. For instructions and more details, see the per-product security bulletins. | None | CVE-2021-3156 |
GCP-2020-015
Published: 2020-12-07
Description

Description | Severity | Notes |
---|---|---|
The Kubernetes project recently discovered a new security vulnerability, CVE-2020-8554, that might allow an attacker who has obtained permissions to create a Kubernetes Service of type LoadBalancer or ClusterIP to intercept network traffic originating from other Pods in the cluster. This vulnerability by itself does not give an attacker permissions to create a Kubernetes Service. All Google Kubernetes Engine (GKE), Anthos clusters on VMware, and Anthos clusters on AWS clusters are affected by this vulnerability. What should I do? For instructions and more details, see the GKE and Anthos security bulletins. | Medium | CVE-2020-8554 |
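The interception described above works because kube-proxy programs forwarding rules for every IP listed in a Service's `spec.externalIPs` (and for the IPs a LoadBalancer Service reports in `status.loadBalancer.ingress`), so a user who can create Services can claim an IP that other Pods already talk to. The following audit is an added example, not code from the bulletin or from the Kubernetes project: it walks a Service list of the shape `kubectl get services -A -o json` returns and flags the two patterns. The Service objects and the cluster CIDRs are constructed for the example and are assumptions; substitute the real ones.

```python
"""Audit Kubernetes Service objects for the CVE-2020-8554 interception patterns.

Added example, not code from the Google Cloud bulletin. The Service list below is
constructed inline to stand in for `kubectl get services -A -o json`.
"""
import ipaddress

# Assumed cluster layout (constructed): Service CIDR and Pod CIDR. A legitimate
# cloud load balancer never reports an ingress IP inside these ranges.
INTERNAL_RANGES = [ipaddress.ip_network("10.8.0.0/20"), ipaddress.ip_network("10.4.0.0/14")]

# Constructed sample: one benign Service, one ClusterIP abusing externalIPs,
# one LoadBalancer whose status ingress IP has been set by hand.
SAMPLE_SERVICE_LIST = {
    "items": [
        {
            "metadata": {"namespace": "shop", "name": "checkout"},
            "spec": {"type": "ClusterIP", "clusterIP": "10.8.0.12", "externalIPs": []},
            "status": {"loadBalancer": {}},
        },
        {
            "metadata": {"namespace": "dev-sandbox", "name": "mitm"},
            # externalIPs set to the address of an upstream API the Pods call;
            # kube-proxy now routes Pod traffic for that IP to this Service's endpoints.
            "spec": {"type": "ClusterIP", "clusterIP": "10.8.0.77", "externalIPs": ["203.0.113.10"]},
            "status": {"loadBalancer": {}},
        },
        {
            "metadata": {"namespace": "dev-sandbox", "name": "patched-lb"},
            "spec": {"type": "LoadBalancer", "clusterIP": "10.8.0.78"},
            # status is normally written only by the cloud controller; an ingress IP
            # inside the Service range means someone with status-update rights set it.
            "status": {"loadBalancer": {"ingress": [{"ip": "10.8.0.12"}]}},
        },
    ]
}


def _is_internal(ip: str) -> bool:
    """True when ip falls inside the assumed Service or Pod CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_interception_risks(service_list: dict, allowlist=frozenset()) -> list:
    """One finding per Service that sets externalIPs, or that reports a load-balancer
    ingress IP inside an internal range. allowlist holds (namespace, name) pairs that
    are known-good, e.g. a deliberately exposed on-prem VIP."""
    findings = []
    for svc in service_list.get("items", []):
        meta = svc["metadata"]
        key = (meta["namespace"], meta["name"])
        if key in allowlist:
            continue
        spec = svc.get("spec", {})
        # Any externalIPs entry lets in-cluster traffic for that IP be redirected here.
        for ip in spec.get("externalIPs", []) or []:
            findings.append({"service": key, "field": "spec.externalIPs", "ip": ip})
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", []) or []
        for entry in ingress:
            ip = entry.get("ip")
            if ip and _is_internal(ip):
                findings.append({"service": key, "field": "status.loadBalancer.ingress", "ip": ip})
    return findings


if __name__ == "__main__":
    for f in find_interception_risks(SAMPLE_SERVICE_LIST):
        print(f"{f['service'][0]}/{f['service'][1]}: {f['field']} -> {f['ip']}")
```

A finding on `spec.externalIPs` is actionable whatever the IP is, because the redirect applies to all Pod traffic for that address; the `status` check is deliberately narrower, since a real load balancer legitimately reports an address outside the cluster ranges.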
GCP-2020-014
Published: 2020-10-20
Updated: 2020-10-20
Description

Description | Severity | Notes |
---|---|---|
The Kubernetes project recently discovered several issues that allow for the exposure of secret data when verbose logging options are enabled. The issues are: What should I do? No further action is required due to the default verbosity logging levels of GKE. | None | |

Google Cloud impact

Per-product details are listed below.

Product | Impact |
---|---|
Google Kubernetes Engine (GKE) | Not affected. |
GKE On-Prem | Not affected. |
GKE on AWS | Not affected. |
GCP-2020-013
Published: 2020-09-29
Description

Microsoft has disclosed the following vulnerability:

Vulnerability | Severity | CVE |
---|---|---|
An elevation of privilege vulnerability in Windows Server: an attacker who establishes a vulnerable Netlogon secure channel connection to a domain controller over the Netlogon Remote Protocol (MS-NRPC) can run a specially crafted application on a device on the network. | NVD Base Score: 10 (Critical) | CVE-2020-1472 |

For more information, see the Microsoft disclosure.

Google Cloud impact

The infrastructure hosting Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product | Impact |
---|---|
Compute Engine | See the Compute Engine security bulletin for CVE-2020-1472. |
Google Kubernetes Engine | See the GKE security bulletin for CVE-2020-1472. |
Managed Service for Microsoft Active Directory | See the Managed Service for Microsoft Active Directory security bulletin for CVE-2020-1472. |
Google Workspace | No customer action is required. This service is not impacted by this vulnerability. |
App Engine standard environment | No customer action is required. This service is not impacted by this vulnerability. |
App Engine flexible environment | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Run | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Functions | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Composer | No customer action is required. This service is not impacted by this vulnerability. |
Dataflow | No customer action is required. This service is not impacted by this vulnerability. |
Dataproc | No customer action is required. This service is not impacted by this vulnerability. |
Cloud SQL | No customer action is required. This service is not impacted by this vulnerability. |
GCP-2020-012
Published: 2020-09-14
Updated: 2020-09-17
Description

Description | Severity | Notes |
---|---|---|
A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node. All GKE nodes are affected. Pods running in GKE Sandbox are not able to leverage this vulnerability. For instructions and more details, see the GKE security bulletin. What vulnerability is addressed by this patch? The patch mitigates CVE-2020-14386, which allows containers with CAP_NET_RAW to write 1 to 10 bytes of kernel memory, and possibly escape the container and obtain root privileges on the host node. This is rated as a High severity vulnerability. | High | CVE-2020-14386 |
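Because the bug is reachable only from a container that holds CAP_NET_RAW, the useful inventory question while nodes are being patched is which containers still have it. The audit below is an added example, not code from the bulletin or from Kubernetes: it computes each container's effective capability set from its PodSpec and reports those that keep NET_RAW or run privileged. It assumes the runtime grants the Docker/containerd default capability set (which includes NET_RAW) and that GKE Sandbox Pods carry `runtimeClassName: gvisor`; the Pod list is constructed for the example.

```python
"""Find containers that still hold CAP_NET_RAW, the precondition for CVE-2020-14386.

Added example, not code from the Google Cloud bulletin. The Pod list is constructed
inline to stand in for `kubectl get pods -A -o json`.

Assumptions: the container runtime grants the Docker/containerd default capability
set (which includes NET_RAW), so a container keeps it unless the PodSpec drops it or
drops ALL without adding it back; privileged containers hold every capability; GKE
Sandbox Pods are identified by runtimeClassName "gvisor".
"""

# Default bounding set granted by Docker and containerd (assumed runtime default).
RUNTIME_DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID", "SETUID",
    "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE",
}
SANDBOX_RUNTIME_CLASS = "gvisor"  # assumed name of the GKE Sandbox RuntimeClass

# Constructed sample Pods covering the cases an auditor meets.
SAMPLE_POD_LIST = {
    "items": [
        {   # hardened: drops every capability
            "metadata": {"namespace": "prod", "name": "api-0"},
            "spec": {"containers": [{"name": "api",
                     "securityContext": {"capabilities": {"drop": ["ALL"]}}}]},
        },
        {   # no securityContext: keeps the runtime default set, NET_RAW included
            "metadata": {"namespace": "prod", "name": "worker-0"},
            "spec": {"containers": [{"name": "worker"}]},
        },
        {   # drops only NET_RAW, which is sufficient for this CVE
            "metadata": {"namespace": "prod", "name": "cache-0"},
            "spec": {"containers": [{"name": "redis",
                     "securityContext": {"capabilities": {"drop": ["CAP_NET_RAW"]}}}]},
        },
        {   # drops ALL but adds NET_RAW back (e.g. an ICMP-based prober)
            "metadata": {"namespace": "monitoring", "name": "prober-0"},
            "spec": {"containers": [{"name": "prober",
                     "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}}]},
        },
        {   # privileged: every capability regardless of the add/drop lists
            "metadata": {"namespace": "kube-system", "name": "node-agent-abc"},
            "spec": {"containers": [{"name": "agent", "securityContext": {"privileged": True}}]},
        },
        {   # GKE Sandbox Pod: the bulletin states these cannot leverage the bug
            "metadata": {"namespace": "sandbox", "name": "untrusted-0"},
            "spec": {"runtimeClassName": SANDBOX_RUNTIME_CLASS, "containers": [{"name": "job"}]},
        },
    ]
}


def _norm(cap: str) -> str:
    """Normalise 'cap_net_raw', 'CAP_NET_RAW' and 'NET_RAW' to 'NET_RAW'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def effective_caps(container: dict) -> set:
    """Capabilities a container ends up with: the runtime default set adjusted by the
    container securityContext add/drop lists. Returns {'ALL'} for privileged containers."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return {"ALL"}
    caps = sc.get("capabilities") or {}
    drop = {_norm(c) for c in (caps.get("drop") or [])}
    add = {_norm(c) for c in (caps.get("add") or [])}
    if "ALL" in add:
        return {"ALL"}
    effective = set() if "ALL" in drop else set(RUNTIME_DEFAULT_CAPS)
    return (effective - drop) | add


def containers_with_net_raw(pod_list: dict) -> list:
    """(namespace, pod, container, reason) for every container able to reach the
    vulnerable AF_PACKET code path: NET_RAW retained, or privileged."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        if spec.get("runtimeClassName") == SANDBOX_RUNTIME_CLASS:
            continue  # gVisor intercepts the syscalls; host kernel path not reachable
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            caps = effective_caps(c)
            if "ALL" in caps:
                findings.append((meta["namespace"], meta["name"], c["name"], "privileged"))
            elif "NET_RAW" in caps:
                findings.append((meta["namespace"], meta["name"], c["name"], "NET_RAW not dropped"))
    return findings


if __name__ == "__main__":
    for ns, pod, container, reason in containers_with_net_raw(SAMPLE_POD_LIST):
        print(f"{ns}/{pod} [{container}]: {reason}")
```

Dropping NET_RAW (or ALL) in the container securityContext, or a cluster policy that enforces it, removes the precondition independently of the node patch; the `prober-0` case shows why an audit has to evaluate the add list as well as the drop list.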
GCP-2020-011
Published: 2020-07-24
Description

Description | Severity | Notes |
---|---|---|
A networking vulnerability, CVE-2020-8558, was recently discovered in Kubernetes. Services sometimes communicate with other applications running inside the same Pod using the local loopback interface (127.0.0.1). This vulnerability allows an attacker with access to the cluster's network to send traffic to the loopback interface of adjacent Pods and nodes. Services that rely on the loopback interface not being accessible outside their Pod could be exploited. For instructions and more details, see the GKE and Anthos security bulletins. | Low (GKE and Anthos clusters on AWS), | CVE-2020-8558 |
GCP-2020-010
Published: 2020-07-27
Description

Microsoft has disclosed the following vulnerability:

Vulnerability | Severity | CVE |
---|---|---|
A remote code execution vulnerability in Windows DNS Server: Windows servers configured as DNS servers can be exploited to run untrusted code in the context of the Local System Account. | NVD Base Score: 10.0 (Critical) | CVE-2020-1350 |

For more information, see the Microsoft disclosure.

Google Cloud impact

The infrastructure hosting Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product | Impact |
---|---|
Compute Engine | See the Compute Engine security bulletin for CVE-2020-1350. |
Google Kubernetes Engine | See the GKE security bulletin for CVE-2020-1350. |
Managed Service for Microsoft Active Directory | See the Managed Service for Microsoft Active Directory security bulletin for CVE-2020-1350. |
Google Workspace | No customer action is required. This service is not impacted by this vulnerability. |
App Engine standard environment | No customer action is required. This service is not impacted by this vulnerability. |
App Engine flexible environment | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Run | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Functions | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Composer | No customer action is required. This service is not impacted by this vulnerability. |
Dataflow | No customer action is required. This service is not impacted by this vulnerability. |
Dataproc | No customer action is required. This service is not impacted by this vulnerability. |
Cloud SQL | No customer action is required. This service is not impacted by this vulnerability. |
GCP-2020-009
Published: 2020-07-15
Description

Description | Severity | Notes |
---|---|---|
A privilege escalation vulnerability, CVE-2020-8559, was recently discovered in Kubernetes. This vulnerability allows an attacker that has already compromised a node to execute a command in any Pod in the cluster. The attacker can thereby use the already compromised node to compromise other nodes and potentially read information, or cause destructive actions. Note that for an attacker to exploit this vulnerability, a node in your cluster must have already been compromised. This vulnerability, by itself, will not compromise any nodes in your cluster. For instructions and more details, see the GKE and Anthos security bulletins. | Medium | CVE-2020-8559 |
GCP-2020-008
Published: 2020-06-19
Description

Description | Severity | Notes |
---|---|---|
VMs that have OS Login enabled might be susceptible to privilege escalation vulnerabilities. These vulnerabilities give users that are granted OS Login permissions (but not admin access) the ability to escalate to root access in the VM. For instructions and more details, see the Compute Engine security bulletin. | High | |
GCP-2020-007
Published: 2020-06-01
Description

Description | Severity | Notes |
---|---|---|
A Server Side Request Forgery (SSRF) vulnerability, CVE-2020-8555, was recently discovered in Kubernetes, allowing certain authorized users to leak up to 500 bytes of sensitive information from the control plane host network. The Google Kubernetes Engine (GKE) control plane uses controllers from Kubernetes and is thus affected by this vulnerability. We recommend that you upgrade the control plane to the latest patch version. A node upgrade is not required. For instructions and more details, see the GKE and Anthos security bulletins. | Medium | CVE-2020-8555 |
GCP-2020-006
Published: 2020-06-01
Description

Description | Severity | Notes |
---|---|---|
Kubernetes has disclosed a vulnerability that allows a privileged container to redirect node traffic to another container. Mutual TLS/SSH traffic, such as between the kubelet and API server, or traffic from applications using mTLS, cannot be read or modified by this attack. All Google Kubernetes Engine (GKE) nodes are affected by this vulnerability, and we recommend that you upgrade to the latest patch version. For instructions and more details, see the GKE and Anthos security bulletins. | Medium | |
GCP-2020-005
Published: 2020-05-07
Description

Vulnerability | Severity | CVE |
---|---|---|
A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-8835, allowing container escape to obtain root privileges on the host node. Google Kubernetes Engine (GKE) Ubuntu nodes running GKE 1.16 or 1.17 are affected by this vulnerability, and we recommend that you upgrade to the latest patch version as soon as possible. See the GKE security bulletin for instructions and more details. | High | CVE-2020-8835 |
GCP-2020-004
Published: 2020-03-31
Updated: 2020-03-31
Description

Kubernetes has disclosed the following vulnerabilities:

Vulnerability | Severity | CVE |
---|---|---|
A Denial of Service (DoS) vulnerability that impacts the API server. | Medium | CVE-2019-11254 |

See the GKE on-prem security bulletin for instructions and more details.
GCP-2020-003
Published: 2020-03-31
Updated: 2020-03-31
Description

Kubernetes has disclosed the following vulnerabilities:

Vulnerability | Severity | CVE |
---|---|---|
A Denial of Service (DoS) vulnerability that impacts the API server. | Medium | CVE-2019-11254 |

See the GKE security bulletin for instructions and more details.
GCP-2020-002
Published: 2020-03-23
Updated: 2020-03-23
Description

Kubernetes has disclosed the following vulnerabilities:

Vulnerability | Severity | CVE |
---|---|---|
A Denial of Service (DoS) vulnerability that impacts the kubelet. | Medium | CVE-2020-8551 |
A Denial of Service (DoS) vulnerability that impacts the API server. | Medium | CVE-2020-8552 |

See the GKE security bulletin for instructions and more details.
GCP-2020-001
Published: 2020-01-21
Updated: 2020-01-21
Description

Microsoft has disclosed the following vulnerability:

Vulnerability | Severity | CVE |
---|---|---|
This vulnerability is also known as the Windows Crypto API Spoofing Vulnerability. It could be exploited to make malicious executables appear trusted, or allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. | NVD Base Score: 8.1 (High) | CVE-2020-0601 |

For more information, see the Microsoft disclosure.
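The spoofing works because the affected CryptoAPI matched a presented ECC certificate against a cached trusted root by public key alone, while also accepting keys whose curve parameters (prime, coefficients and generator G) were spelled out explicitly instead of referenced by a named curve. An attacker who knows the trusted root's public key Q can pick any private key d', publish G' = d'^-1 * Q as the "generator", and then legitimately hold the pair (d', Q): every signature made with d' verifies against Q under the attacker's parameters, and Q is byte-identical to the trusted key. The block below is an added example, not code from Microsoft or the bulletin; it carries the construction through on a toy curve over GF(17) (an assumption chosen so it runs instantly; the algebra is the same on P-384) and contrasts the vulnerable acceptance rule with the patched one.

```python
"""CVE-2020-0601 (CurveBall) in miniature: forging curve parameters so that an
attacker-chosen private key matches a trusted public key.

Added example, not code from the Google Cloud bulletin or from Microsoft.
Toy curve (assumption): y^2 = x^3 + 2x + 2 over GF(17), generator (5, 1) of prime
order 19. Real certificates use P-256/P-384; only the field size differs.
"""
P = 17          # toy prime field
A, B = 2, 2     # curve coefficients
G = (5, 1)      # the standard, named-curve generator
N = 19          # order of G
INF = None      # point at infinity


def ec_add(p1, p2):
    """Affine point addition on the toy curve (handles doubling and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def forge_generator(public_key, chosen_priv):
    """The CurveBall step: G' = chosen_priv^-1 * Q, so that chosen_priv * G' == Q."""
    return ec_mul(pow(chosen_priv, -1, N), public_key)


def cryptoapi_accepts(presented_pub, uses_explicit_params, trusted_pub, patched):
    """Model of the trust decision.
    Unpatched: a public key equal to a cached trusted root is trusted, even when the
    certificate carries explicit curve parameters (so the forged G' is never examined).
    Patched: a key with explicit parameters is not allowed to match a named-curve root."""
    if patched and uses_explicit_params:
        return False
    return presented_pub == trusted_pub


# Constructed trusted root: private key 7, public key Q = 7 * G.
CA_PRIV = 7
CA_PUB = ec_mul(CA_PRIV, G)

# Attacker never learns CA_PRIV. It picks its own key and forges the generator.
ATTACKER_PRIV = 3
FORGED_G = forge_generator(CA_PUB, ATTACKER_PRIV)

if __name__ == "__main__":
    print("trusted Q      :", CA_PUB)
    print("forged G'      :", FORGED_G, "(standard G is", G, ")")
    print("d' * G' == Q   :", ec_mul(ATTACKER_PRIV, FORGED_G) == CA_PUB)
    print("unpatched trust:", cryptoapi_accepts(CA_PUB, True, CA_PUB, patched=False))
    print("patched trust  :", cryptoapi_accepts(CA_PUB, True, CA_PUB, patched=True))
```

The fix is not "compare more of the key" but "refuse explicit parameters when matching against a named-curve root": the public key bytes are genuinely identical, so only the provenance of G distinguishes the forgery from the real certificate.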
Google Cloud impact

The infrastructure hosting Google Cloud and Google products is not impacted by this vulnerability. Additional per-product details are listed below.

Product | Impact |
---|---|
Compute Engine | See the Compute Engine security bulletin for CVE-2020-0601. |
Google Kubernetes Engine | See the GKE security bulletin for CVE-2020-0601. |
Managed Service for Microsoft Active Directory | See the Managed Service for Microsoft Active Directory security bulletin for CVE-2020-0601. |
Google Workspace | No customer action is required. This service is not impacted by this vulnerability. |
App Engine standard environment | No customer action is required. This service is not impacted by this vulnerability. |
App Engine flexible environment | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Run | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Functions | No customer action is required. This service is not impacted by this vulnerability. |
Cloud Composer | No customer action is required. This service is not impacted by this vulnerability. |
Dataflow | No customer action is required. This service is not impacted by this vulnerability. |
Dataproc | No customer action is required. This service is not impacted by this vulnerability. |
Cloud SQL | No customer action is required. This service is not impacted by this vulnerability. |
GCP-2019-001
Published: 2019-11-12
Updated: 2019-11-12
Description

Intel has disclosed the following vulnerabilities:

Vulnerability | Severity | CVE |
---|---|---|
This vulnerability, referred to as TSX Async Abort (TAA), can be used to exploit speculative execution within a TSX transaction. It potentially allows data to be exposed via the same microarchitectural data structures exposed by Microarchitectural Data Sampling (MDS). | Medium | CVE-2019-11135 |
A Denial of Service (DoS) vulnerability affecting virtual machine hosts (not guests). This issue is known as "Machine Check Error on Page Size Change." | Medium | CVE-2018-12207 |

For more information, see the Intel disclosures:

Google Cloud impact

The infrastructure hosting Google Cloud and Google products is protected from these vulnerabilities. Additional per-product details are listed below.

Product | Impact |
---|---|
Compute Engine | See the Compute Engine security bulletin for CVE-2019-11135 and CVE-2018-12207. |
Google Kubernetes Engine | See the GKE security bulletin for CVE-2019-11135 and CVE-2018-12207. |
App Engine standard environment | No additional action is required. |
App Engine flexible environment | See the App Engine flexible environment security bulletin for CVE-2019-11135 and CVE-2018-12207. |
Cloud Run | No additional action is required. |
Cloud Functions | No additional action is required. |
Cloud Composer | No additional action is required. |
Dataflow | See the Dataflow security bulletin for CVE-2019-11135 and CVE-2018-12207. |
Dataproc | See the Dataproc security bulletin for CVE-2019-11135 and CVE-2018-12207. |
Cloud SQL | No additional action is required. |