Src | Date (GMT) | Title | Description | Tags | Stories | Notes |
2023-06-20 15:06:21 |
GCP-2023-009 (direct link) |
Published: 2023-06-06
Description: A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: None
Notes: CVE-2023-2878
|
Vulnerability
|
|
★★
|
|
2023-06-20 15:06:21 |
GCP-2023-015 (direct link) |
Published: 2023-06-20
Description: A new vulnerability, CVE-2023-0468, has been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges to root. io_poll_get_ownership keeps increasing req->poll_refs on every io_poll_wake until the counter overflows to 0, which causes req->file to be fput twice and leads to a struct file refcount issue. GKE clusters, including Autopilot clusters, with Container-Optimized OS using Linux Kernel version 5.15 are affected. GKE clusters using Ubuntu images or using GKE Sandbox are unaffected. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: Medium
Notes: CVE-2023-0468
|
|
|
★★
|
|
2023-06-15 19:06:42 |
GCP-2023-013 (direct link) |
Published: 2023-06-08
Description: When you enable the Cloud Build API in a project, Cloud Build automatically creates a default service account to execute builds on your behalf. This Cloud Build service account previously had the logging.privateLogEntries.list IAM permission, which allowed builds to list private logs by default. This permission has now been revoked from the Cloud Build service account to adhere to the security principle of least privilege. For instructions and more details, see the Cloud Build security bulletin.
Severity: Low
|
Cloud
|
|
★★
|
|
2023-06-15 19:06:42 |
GCP-2023-014 (direct link) |
Published: 2023-06-15 |
|
Uber
|
★★
|
|
2023-06-07 21:21:27 |
GCP-2023-010 (direct link) |
Published: 2023-06-07
Description: Google identified three new vulnerabilities in the gRPC C++ implementation. These will soon be published publicly as CVE-2023-1428, CVE-2023-32731 and CVE-2023-32732. In April, we identified two vulnerabilities in versions 1.53 and 1.54. One was a denial of service vulnerability in gRPC's C++ implementation and the other was a remote data exfiltration vulnerability. These were fixed in 1.53.1, 1.54.2 and later versions. Earlier, in March, our internal teams discovered a denial of service vulnerability in gRPC's C++ implementation while performing routine fuzzing activities. It was found in gRPC version 1.52 and was fixed in versions 1.52.2 and 1.53. What should I do? Ensure that you are using the latest versions of the following software packages: gRPC (C++, Python, Ruby) versions 1.52, 1.53 and 1.54 must upgrade to the following patch releases: 1.52.2, 1.53.1, 1.54.2. gRPC (C++, Python, Ruby) version 1.51 and earlier are not affected, so users of those versions need not take any action. What vulnerabilities are addressed by these patches? These patches mitigate the following vulnerabilities. 1.53.1, 1.54.2 and later versions address the following: a denial of service vulnerability in the gRPC C++ implementation, where specially crafted requests can cause termination of the connection between a proxy and a backend; and a remote data exfiltration vulnerability, where desynchronization in the HPACK table due to header size limitations can result in proxy backends leaking header data of other clients connected to a proxy. 1.52.2, 1.53 and later versions address the following: a denial of service vulnerability in gRPC's C++ implementation, where parsing certain specially formed requests can result in a crash impacting a server. We recommend upgrading to the latest versions of the software packages listed above.
Severity: High (CVE-2023-1428, CVE-2023-32731); Medium (CVE-2023-32732)
Notes: CVE-2023-1428, CVE-2023-32731, CVE-2023-32732
|
Vulnerability
|
|
★★
|
|
2023-06-05 19:44:44 |
GCP-2023-008 (direct link) |
Published: 2023-06-05
Description: A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2023-1872
|
Vulnerability
|
|
★★
|
|
2023-06-02 20:21:30 |
GCP-2023-007 (direct link) |
Published: 2023-06-02 |
Cloud
Patching
Vulnerability
|
|
★★★
|
|
2023-05-18 15:08:09 |
GCP-2023-005 (direct link) |
Published: 2023-05-18 |
|
|
★★★
|
|
2023-04-26 22:23:09 |
GCP-2023-004 (direct link) |
Published: 2023-04-26 |
Vulnerability
|
|
★★
|
|
2023-04-11 15:31:45 |
GCP-2023-003 (direct link) |
Published: 2023-04-11 |
|
|
★★★
|
|
2023-04-04 20:19:30 |
GCP-2023-002 (direct link) |
Description |
Vulnerability
|
|
★★
|
|
2023-03-01 20:25:32 |
(Déjà vu) GCP-2023-001 (direct link) |
Published: 2023-03-01
Description: A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-4696
|
Guideline
Vulnerability
|
|
★★★
|
|
2023-01-11 22:15:53 |
GCP-2022-026 (direct link) |
Published: 2023-01-11
Description: Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL v3.0.6 that can potentially cause a crash. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: Medium
Notes: CVE-2022-3786, CVE-2022-3602
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-012 (direct link) |
Published: 2022-04-07, Updated: 2022-11-22
Description: 2022-11-22 Update: For GKE clusters in both modes, Standard and Autopilot, workloads using GKE Sandbox are unaffected. A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects the following products: GKE node pool versions 1.22 and later that use Container-Optimized OS images (Container-Optimized OS 93 and later); Anthos clusters on VMware v1.10 for Container-Optimized OS images; Anthos clusters on AWS v1.21 and Anthos clusters on AWS (previous generation) v1.19, v1.20, v1.21, which use Ubuntu; managed clusters of Anthos on Azure v1.21, which use Ubuntu. For instructions and more details, see the following security bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-0847
|
Vulnerability
|
Uber
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-013 (direct link) |
Published: 2022-04-11, Updated: 2022-04-22
Description: A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). For instructions and more details, see the following security bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: Medium
Notes: CVE-2022-23648
|
Vulnerability
|
Uber
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-018 (direct link) |
Published: 2022-08-01, Updated: 2022-09-14
Description: 2022-09-14 Update: Added patch versions for Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure. A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-2327
|
Guideline
Vulnerability
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-023 (direct link) |
Published: 2022-11-04
Description: A security vulnerability, CVE-2022-39278, has been discovered in Istio, which is used in Anthos Service Mesh, that allows a malicious attacker to crash the control plane. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-39278
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-025 (direct link) |
Published: 2022-12-21
Description: A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-2602
|
Vulnerability
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2021-021 (direct link) |
Published:
Description: A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on bare metal security bulletin.
Severity: Medium
Notes: CVE-2020-8561
|
|
Uber
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2021-019 (direct link) |
Published:
Description: There is a known issue where updating a BackendConfig resource using the v1beta1 API removes an active Google Cloud Armor security policy from its service. For instructions and more details, see the GKE security bulletin.
Severity: Low
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-001 (direct link) |
Published:
Description: A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. What should I do? Ensure that you're using the latest versions of the following software packages: protobuf-java (3.16.1, 3.18.2, 3.19.2), protobuf-kotlin (3.18.2, 3.19.2), google-protobuf [JRuby gem] (3.19.2). Protobuf "javalite" users (typically Android) are not affected. What vulnerabilities are addressed by this patch? The patch mitigates the following vulnerability: an implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage collection pauses.
Severity: High
Notes: CVE-2021-22569
|
|
|
★★
|
|
2022-12-21 17:12:56 |
GCP-2022-002 (direct link) |
Published: Updated:
Description: 2022-02-25 Update: The GKE versions have been updated. For instructions and more details, see the GKE security bulletin. 2022-02-23 Update: The GKE and Anthos clusters on VMware versions have been updated. For instructions and more details, see the GKE security bulletin and the Anthos clusters on VMware security bulletin. 2022-02-04 Update: The rollout start date for GKE patch versions was February 2. Note: Your clusters might not have these versions available immediately. Rollouts began on February 2 and take four or more business days to be completed across all Google Cloud zones. Three security vulnerabilities, CVE-2021-4154, CVE-2021-22600, and CVE-2022-0185, have been discovered in the Linux kernel, each of which can lead to either a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all node operating systems (COS and Ubuntu) on GKE, Anthos clusters on VMware, Anthos clusters on AWS (current and previous generation), and Anthos on Azure. Pods using GKE Sandbox are not vulnerable to these vulnerabilities. See the COS release notes for more details. For instructions and more details, see the GKE security bulletin and the Anthos clusters on VMware security bulletin.
Severity: High
Notes: CVE-2021-4154, CVE-2021-22600, CVE-2022-0185
|
Guideline
|
Uber
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-005 (direct link) |
Published: Updated:
Description: A security vulnerability, CVE-2021-43527, has been discovered in any binary that links to the vulnerable versions of libnss3 found in NSS (Network Security Services) versions prior to 3.73 or 3.68.1. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how NSS is used/configured. For instructions and more details, see the GKE security bulletin, Anthos clusters on VMware security bulletin and Anthos on Azure security bulletin.
Severity: Medium
Notes: CVE-2021-43527
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-007 (direct link) |
Published:
Description: The following Envoy and Istio CVEs expose Anthos Service Mesh and Istio on GKE to remotely exploitable vulnerabilities:
CVE-2022-23635: Istiod crashes upon receiving requests with a specially crafted authorization header.
CVE-2021-43824: Potential null pointer dereference when using JWT filter safe_regex match.
CVE-2021-43825: Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.
CVE-2021-43826: Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.
CVE-2022-21654: Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.
CVE-2022-21655: Incorrect handling of internal redirects to routes with a direct response entry.
CVE-2022-23606: Stack exhaustion when a cluster is deleted via Cluster Discovery Service.
For instructions and more details, see the following security bulletins: Anthos Service Mesh security bulletin, Istio on GKE security bulletin.
Severity: High
Notes: CVE-2022-23635, CVE-2021-43824, CVE-2021-43825, CVE-2021-43826, CVE-2022-21654, CVE-2022-21655, CVE-2022-23606
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-008 (direct link) |
Published: 2022-02-23, Updated: 2022-04-28
Description: 2022-04-28 Update: Added versions of Anthos clusters on VMware that fix these vulnerabilities. For details, see the Anthos clusters on VMware security bulletin. The Envoy project recently discovered a set of vulnerabilities. All issues listed below are fixed in Envoy release 1.21.1.
CVE-2022-23606: When a cluster is deleted via Cluster Discovery Service (CDS), all idle connections established to endpoints in that cluster are disconnected. A recursion was erroneously introduced in Envoy version 1.19 to the procedure of disconnecting idle connections, which can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections.
CVE-2022-21655: Envoy's internal redirect code assumes that a route entry exists. When an internal redirect is done to a route which has a direct response entry and no route entry, it results in dereferencing a null pointer and crashing.
CVE-2021-43826: When Envoy is configured to use tcp_proxy with upstream tunneling (over HTTP) and downstream TLS termination, Envoy will crash if the downstream client disconnects during the TLS handshake while the upstream HTTP stream is still being established. The downstream disconnect can be either client or server initiated. The client can disconnect for any reason. The server may disconnect if, for example, it has no TLS ciphers or TLS protocol versions compatible with the client. It may be possible to trigger this crash in other downstream configurations as well.
CVE-2021-43825: Sending a locally generated response must stop further processing of request or response data. Envoy tracks the amount of buffered request and response data and aborts the request if the amount of buffered data is over the limit by sending 413 or 500 responses. However, when a locally generated response is sent because the internal buffer overflows while the response is processed by the filter chain, the operation may not be aborted correctly, resulting in access to a freed memory block.
CVE-2021-43824: Envoy crashes when using the JWT filter with a "safe_regex" match rule and a specially crafted request like "CONNECT host:port HTTP/1.1". When reaching the JWT filter, a "safe_regex" rule should evaluate the URL path, but there is none here, and Envoy crashes with a segfault.
CVE-2022-21654: Envoy would incorrectly allow TLS session resumption after mTLS validation settings had been reconfigured. If a client certificate was allowed with the old configuration but disallowed with the new configuration, the client could resume the previous TLS session even though the current configuration should disallow it. Changes to the following settings are affected: match_subject_alt_names, CRL changes, allow_expired_certificate, trust_chain_verification, only_verify_leaf_cert_crl.
CVE-2022-21657: Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS ser |
Guideline
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-014 (direct link) |
Published: 2022-04-26, Updated: 2022-11-22
Description: 2022-11-22 Update: GKE Autopilot clusters and workloads running in GKE Sandbox are unaffected. 2022-05-12 Update: The Anthos clusters on AWS and Anthos on Azure versions have been updated. For instructions and more details, see the Anthos clusters on AWS security bulletin and the Anthos on bare metal security bulletin. Two security vulnerabilities, CVE-2022-1055 and CVE-2022-27666, have been discovered in the Linux kernel. Each can lead to a local attacker being able to perform a container breakout, privilege escalation on the host, or both. These vulnerabilities affect all GKE node operating systems (Container-Optimized OS and Ubuntu). For instructions and more details, see the following security bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-1055, CVE-2022-27666
|
Guideline
|
Uber
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-015 (direct link) |
Published: 2022-06-09, Updated: 2022-06-10
Description: 2022-06-10 Update: The Anthos Service Mesh versions have been updated. For instructions and more details, see the Anthos Service Mesh security bulletin. The following Envoy and Istio CVEs expose Anthos Service Mesh and Istio on GKE to remotely exploitable vulnerabilities:
CVE-2022-31045: Istio data plane can potentially access memory unsafely when the Metadata Exchange and Stats extensions are enabled.
CVE-2022-29225: Data can exceed intermediate buffer limits if a malicious attacker passes a small highly compressed payload (zip bomb attack).
CVE-2021-29224: Potential null pointer dereference in GrpcHealthCheckerImpl.
CVE-2021-29226: OAuth filter allows trivial bypass.
CVE-2022-29228: OAuth filter can corrupt memory (earlier versions) or trigger an ASSERT() (later versions).
CVE-2022-29227: Internal redirects crash for requests with body or trailers.
For instructions and more details, see the Anthos Service Mesh security bulletin.
Severity: Critical
Notes: CVE-2022-31045, CVE-2022-29225, CVE-2021-29224, CVE-2021-29226, CVE-2022-29228, CVE-2022-29227
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-016 (direct link) |
Published: 2022-06-23, Updated: 2022-11-22
Description: 2022-11-22 Update: Autopilot clusters are not affected by CVE-2022-29581 but are vulnerable to CVE-2022-29582 and CVE-2022-1116. Three new memory corruption vulnerabilities (CVE-2022-29581, CVE-2022-29582, CVE-2022-1116) have been discovered in the Linux kernel. These vulnerabilities allow an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. All Linux clusters (Container-Optimized OS and Ubuntu) are affected. For instructions and more details, refer to the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-29581, CVE-2022-29582, CVE-2022-1116
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-017 (direct link) |
Published: 2022-06-29, Updated: 2022-11-22
Description: 2022-11-22 Update: Workloads using GKE Sandbox are not affected by these vulnerabilities. 2022-07-21 Update: Additional information on Anthos clusters on VMware. A new vulnerability (CVE-2022-1786) has been discovered in the Linux kernel versions 5.10 and 5.11. This vulnerability allows an unprivileged user with local access to the cluster to achieve a full container breakout to root on the node. Only clusters that run Container-Optimized OS are affected. GKE Ubuntu versions use either version 5.4 or 5.15 of the kernel and are not affected. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-1786
|
Vulnerability
|
Uber
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-021 (direct link) |
Published: 2022-10-27, Updated: 2022-12-15
Description: 2022-12-15 Update: Updated information that version 1.21.14-gke.9400 of Google Kubernetes Engine is pending rollout and may be superseded by a higher version number. 2022-11-22 Update: Added patch versions for Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure. A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-3176
|
Guideline
Vulnerability
|
Uber
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-019 (direct link) |
Published: 2022-09-22
Description: A message parsing and memory management vulnerability in Protocol Buffers' C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message. This could lead to a denial of service (DoS) on services using the libraries. What should I do? Ensure that you're using the latest versions of the following software packages: protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6), protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6). What vulnerabilities are addressed by this patch? The patch mitigates the following vulnerability: a specially constructed small message that causes the running service to allocate large amounts of RAM. The small size of the request means that it is easy to take advantage of the vulnerability and exhaust resources. C++ and Python systems that consume untrusted protobufs would be vulnerable to DoS attacks if they contain a MessageSet object in their RPC request.
Severity: Medium
Notes: CVE-2022-1941
|
Guideline
Vulnerability
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2021-020 (direct link) |
Published:
Description: Certain Google Cloud load balancers routing to an Identity-Aware Proxy (IAP) enabled Backend Service could have been vulnerable to an untrusted party under limited conditions. This addresses an issue reported through our Vulnerability Reward Program. The conditions were that the servers were HTTP(S) load balancers and used a default backend or a backend that had a wildcard host mapping rule (that is, host="*"). In addition, a user in your organization must have clicked a specifically-crafted link sent by an untrusted party. This issue has now been resolved. IAP has been updated to issue cookies only to authorized hosts as of September 17, 2021. A host is considered authorized if it matches at least one Subject Alternative Name (SAN) in one of the certificates installed on your load balancers. What to do: Some of your users may experience an HTTP 401 Unauthorized response with an IAP error code 52 while trying to access apps or services. This error code means that the client sent a Host header which does not match any Subject Alternative Names associated with the load balancer's SSL certificate(s). The load balancer administrator needs to update the SSL certificate to ensure that the Subject Alternative Name (SAN) list contains all the hostnames through which users are accessing the IAP-protected apps or services. Learn more about IAP error codes.
Severity: High
|
Vulnerability
|
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-020 (direct link) |
Published: 2022-10-05, Updated: 2022-10-12
Description: The Istio control plane istiod is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message to crash the control plane when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For instructions and more details, see the Anthos Service Mesh security bulletin.
Severity: High
Notes: CVE-2022-39278
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2021-022 (direct link) |
Published:
Description: A vulnerability has been discovered in the Anthos Identity Service (AIS) LDAP module of Anthos clusters on VMware versions 1.8 and 1.8.1 where a seed key used in generating keys is predictable. With this vulnerability, an authenticated user could add arbitrary claims and escalate privileges indefinitely. For instructions and more details, see the Anthos clusters on VMware security bulletin.
Severity: High
|
Vulnerability
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-006 (direct link) |
Published: Updated:
Description: 2022-05-16 Update: Added GKE version 1.19.16-gke.7800 or later to the list of versions that have code to fix this vulnerability. For details, see the GKE security bulletin. 2022-05-12 Update: The GKE, Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure versions have been updated. For instructions and more details, see the GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin and Anthos on Azure security bulletin. A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's cgroup_release_agent_write function. The attack uses unprivileged user namespaces, and under certain circumstances this vulnerability can be exploitable for container breakout.
Severity: Low
Notes: For instructions and more details, see the GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin and Anthos on Azure security bulletin.
|
Vulnerability
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-009 (direct link) |
Published:
Description: Some unexpected paths to access the node VM on GKE Autopilot clusters could have been used to escalate privileges in the cluster. These issues have been fixed and no further action is required. The fixes address issues reported through our Vulnerability Reward Program. For instructions and more details, see the GKE security bulletin.
Severity: Low
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-022 (direct link) |
Published: 2022-10-28, Updated: 2022-12-14
Description: 2022-12-14 Update: Added patch versions for GKE and Anthos clusters on VMware. A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that could allow an unprivileged user to escalate to system execution privilege. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin.
Severity: High
Notes: CVE-2022-20409
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-024 (direct link) |
Published: 2022-11-09Updated: 2022-12-16Description
Description
Severity
Notes
2022-12-16 Update: Added patch versions for GKE and Anthos clusters on VMware. Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container break out to root on the node. For instructions and more details, see the: GKE security bulletin
Anthos clusters on VMware security bulletin
Anthos clusters on AWS security bulletin
Anthos on Azure security bulletin
Anthos on bare metal security bulletin
High
CVE-2022-2585
CVE-2022-2588
|
Guideline
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-011 (direct link) |
Published: 2022-03-22 Updated: 2022-08-11Description
Description
Severity
Update 2022-08-11: Added more information about the Simultaneous Multi-Threading (SMT) configuration. SMT was intended to be disabled, but was enabled on the versions listed. If you manually enabled SMT for a sandboxed node pool, SMT will remain manually enabled despite this issue. There is a misconfiguration with Simultaneous Multi-Threading (SMT), also known as Hyper-threading, on GKE Sandbox images. The misconfiguration leaves nodes potentially exposed to side channel attacks such as Microarchitectural Data Sampling (MDS) (for more context, see GKE Sandbox documentation). We do not recommend using the following affected versions: 1.22.4-gke.1501
1.22.6-gke.300
1.23.2-gke.300
1.23.3-gke.600 For instructions and more details, see the: GKE security bulletin.
Medium
|
|
Uber
|
★★★
|
|
2022-12-21 17:12:56 |
(Déjà vu) GCP-2022-010 (direct link) |
Description
Description
Severity
Notes
The following Istio CVE exposes Anthos Service Mesh to a remotely exploitable vulnerability: CVE-2022-24726: The Istio control plane, `istiod`, is vulnerable to a request processing error that allows a malicious attacker who sends a specially crafted message to crash the control plane when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017 but does not require any authentication from the attacker. For instructions and more details, see the following security bulletin: Anthos Service Mesh security bulletin.
High
CVE-2022-24726
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2022-004 (direct link) |
Published: Description
Description
Severity
Notes
A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services, etc., as governed by a policy. For instructions and more details, see the: GKE security bulletin
Anthos clusters on VMware security bulletin
Anthos on Azure security bulletin
None
CVE-2021-4034
|
|
|
★★★
|
|
2022-12-21 17:12:56 |
GCP-2021-023 (direct link) |
Published: Description
Description
Severity
Notes
Per VMware security advisory VMSA-2021-0020, VMware received reports of multiple vulnerabilities in vCenter. VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have already applied the patches provided by VMware for the vSphere stack to Google Cloud VMware Engine per the VMware security advisory. This update addresses the security vulnerabilities described in CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, and CVE-2021-22010. Other non-critical security issues will be addressed in the upcoming VMware stack upgrade (per the advance notice sent in July, more details will be provided soon on the specific timeline of the upgrade).
VMware Engine impact: Based on our investigations, no customers were found to be impacted.
What should I do? Because VMware Engine clusters are not affected by this vulnerability, no further action is required.
Critical
VMSA-2021-0020
CVE-2021-22005
CVE-2021-22006
CVE-2021-22007
CVE-2021-22008
CVE-2021-22010
|
|
|
★★★
|