What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Google 2023-10-26 21:15:33 GCP-2023-035 (direct link) Published: 2023-10-26 Tags: Vulnerability
Google 2023-10-25 16:51:37 GCP-2023-034 (direct link) Published: 2023-10-25 Tags: Vulnerability
Google 2023-10-24 15:45:52 GCP-2023-033 (direct link) Published: 2023-10-24 Tags: Vulnerability
Google 2023-10-13 18:59:51 GCP-2023-032 (direct link) Published: 2023-10-13 Tags: Vulnerability
Google 2023-10-10 18:03:39 GCP-2023-031 (direct link) Published: 2023-10-10
Google 2023-10-10 17:37:33 GCP-2023-030 (direct link) Published: 2023-10-10 Tags: Vulnerability Uber
Google 2023-10-04 22:04:01 GCP-2023-029 (direct link) Published: 2023-10-03 Tags: Vulnerability
Google 2023-09-20 00:56:28 GCP-2023-028 (direct link) Published: 2023-09-19 Tags: Vulnerability Cloud
Google 2023-09-06 17:35:09 GCP-2023-026 (direct link) Published: 2023-09-06 Description: Three vulnerabilities (CVE-2023-3676, CVE-2023-3955, CVE-2023-3893) have been discovered in Kubernetes where a user that can create Pods on Windows nodes may be able to escalate to admin privileges on those nodes. These vulnerabilities affect the Windows versions of Kubelet and the Kubernetes CSI proxy. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVEs: CVE-2023-3676, CVE-2023-3955, CVE-2023-3893. Tags: Vulnerability Uber ★★
Google 2023-08-09 00:33:56 GCP-2023-025 (direct link) Published: Tags: Cloud
Google 2023-08-08 16:41:49 GCP-2023-024 (direct link) Published: 2023-08-08 Description: Intel disclosed a vulnerability in select processors (CVE-2022-40982). Google has taken steps to mitigate its server fleet, including Google Cloud, to ensure customers are protected. The vulnerability details: CVE-2022-40982 (Intel IPU 2023.3, "GDS" aka "Downfall"). What should I do? No customer action is required. All available patches have already been applied to the Google server fleet for Google Cloud, including Google Compute Engine. At this time, the following products require additional updates from partners and vendors: Google Cloud VMware Engine, Google Distributed Cloud Hosted, Google Distributed Cloud Edge, Google Cloud Bare Metal Solution, Evolved Packet Core. Google will remediate these products once these patches have been made available, and this bulletin will be updated accordingly. Google Chromebook and ChromeOS Flex customers automatically received the Intel provided mitigations in Stable (115), Beta (116), and LTC (114). Chromebook and ChromeOS Flex customers pinned to an older release should consider unpinning and moving to Stable or LTS releases to ensure they receive this and other vulnerability fixes. What vulnerabilities are being addressed? CVE-2022-40982 - For more information, see Intel Security Advisory INTEL-SA-00828. Severity: High. CVE: CVE-2022-40982. Tags: Vulnerability Cloud
Google 2023-08-08 16:02:27 GCP-2023-023 (direct link) Published: 2023-08-08 Description: AMD disclosed a vulnerability in select processors (CVE-2023-20569). Google has taken steps to mitigate its server fleet, including Google Cloud, to ensure customers are protected. The vulnerability details: CVE-2023-20569 (AMD SB-7005 aka "Inception"). What should I do? Users of Compute Engine VMs should consider OS provided mitigations if using intra-instance untrusted code execution. We recommend customers contact their OS vendors for more specific guidance. Fixes have already been applied to the Google server fleet for Google Cloud, including Google Compute Engine. What vulnerabilities are being addressed? CVE-2023-20569 - For more information, see AMD SB-7005. Severity: Moderate. CVE: CVE-2023-20569. Tags: Vulnerability ★★
Google 2023-08-03 17:39:00 GCP-2023-022 (direct link) Published: 2023-08-03 Description: Google identified a vulnerability in gRPC C++ implementations prior to the 1.57 release. This was a Denial-of-Service vulnerability within gRPC's C++ implementation. These have been fixed in the 1.53.2, 1.54.3, 1.55.2, 1.56.2, and 1.57 releases. What should I do? Ensure that you're using the latest versions of the following software packages: gRPC (C++, Python, Ruby) versions 1.53, 1.54, 1.55, and 1.56 need to upgrade to the following patch releases: 1.53.2, 1.54.3, 1.55.2, 1.56.2. gRPC (C++, Python, Ruby) versions 1.52 and earlier need to upgrade to one of the approved patch releases. For example, 1.53.2, 1.54.3, 1.53.4, etc. What vulnerabilities are being addressed? These patches mitigate the following vulnerabilities: Denial-of-Service vulnerability in gRPC C++ implementations: specially crafted requests can cause a termination of the connection between a proxy and a backend. Severity: High. CVE: CVE-2023-33953. Tags: Vulnerability ★★
Google 2023-07-26 16:11:06 GCP-2023-021 (direct link) Updated: 2023-07-26 Published: 2023-07-25 Tags: Vulnerability
Google 2023-07-24 20:14:21 GCP-2023-020 (direct link) Published: 2023-07-24 Tags: Vulnerability Cloud ★★
Google 2023-07-18 17:27:52 GCP-2023-019 (direct link) Published: 2023-07-18 Tags: Vulnerability ★★
Google 2023-06-27 14:55:00 (Déjà vu) GCP-2023-018 (direct link) Published: 2023-06-27 Tags: Vulnerability Uber ★★
Google 2023-06-26 18:49:48 GCP-2023-016 (direct link) Published: 2023-06-26 Description: A number of vulnerabilities have been discovered in Envoy, which is used in Anthos Service Mesh, that allow a malicious attacker to cause a denial of service or crash Envoy. These were reported separately as GCP-2023-002. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVEs: CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487. ★★
Google 2023-06-26 18:49:48 GCP-2023-017 (direct link) Published: 2023-06-26 Tags: Vulnerability Uber ★★
Google 2023-06-20 15:06:21 GCP-2023-015 (direct link) Published: 2023-06-20 Description: A new vulnerability, CVE-2023-0468, has been discovered in the Linux kernel that could allow an unprivileged user to escalate privileges to root: io_poll_get_ownership keeps increasing req->poll_refs on every io_poll_wake, which then overflows to 0, causing req->file to be fput twice and producing a struct file refcount issue. GKE clusters, including Autopilot clusters, with Container-Optimized OS using Linux kernel version 5.15 are affected. GKE clusters using Ubuntu images or using GKE Sandbox are unaffected. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: Medium. CVE: CVE-2023-0468. ★★
Google 2023-06-20 15:06:21 GCP-2023-009 (direct link) Published: 2023-06-06 Description: A new vulnerability (CVE-2023-2878) has been discovered in the secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: None. CVE: CVE-2023-2878. Tags: Vulnerability ★★
Google 2023-06-15 19:06:42 GCP-2023-014 (direct link) Published: 2023-06-15 Tags: Uber ★★
Google 2023-06-15 19:06:42 GCP-2023-013 (direct link) Published: 2023-06-08 Description: When you enable the Cloud Build API in a project, Cloud Build automatically creates a default service account to execute builds on your behalf. This Cloud Build service account previously had the logging.privateLogEntries.list IAM permission, which allowed builds to list private logs by default. This permission has now been revoked from the Cloud Build service account to adhere to the security principle of least privilege. For instructions and more details, see the Cloud Build security bulletin. Severity: Low. Tags: Cloud ★★
Google 2023-06-07 21:21:27 GCP-2023-010 (direct link) Published: 2023-06-07 Description: Google identified three new vulnerabilities in the gRPC C++ implementation. These will soon be published publicly as CVE-2023-1428, CVE-2023-32731 and CVE-2023-32732. In April, we identified two vulnerabilities in the 1.53 and 1.54 releases. One was a Denial-of-Service vulnerability in gRPC's C++ implementation and the other was a remote data exfiltration vulnerability. These were fixed in 1.53.1, 1.54.2 and later releases. Earlier, in March, our internal teams discovered a Denial-of-Service vulnerability in gRPC's C++ implementation while performing routine fuzzing activities. It was found in gRPC release 1.52, and was fixed in releases 1.52.2 and 1.53. What should I do? Ensure that you are using the latest versions of the following software packages: gRPC (C++, Python, Ruby) versions 1.52, 1.53 and 1.54 need to upgrade to the following patch releases: 1.52.2, 1.53.1, 1.54.2. gRPC (C++, Python, Ruby) versions 1.51 and earlier are not affected, so users on those versions need not take any action. What vulnerabilities are addressed by these patches? These patches mitigate the following vulnerabilities. 1.53.1, 1.54.2 and later releases address the following: Denial-of-Service vulnerability in the gRPC C++ implementation: specially crafted requests can cause a termination of the connection between a proxy and a backend. Remote data exfiltration vulnerability: desynchronization in the HPACK table due to header size limitations can result in proxy backends leaking header data from other clients connected to a proxy. 1.52.2, 1.53 and later releases address the following: Denial-of-Service vulnerability in gRPC's C++ implementation: parsing certain specifically formed requests can result in a crash impacting a server. We recommend upgrading to the latest versions of the software packages listed above. Severity: High (CVE-2023-1428, CVE-2023-32731), Medium (CVE-2023-32732). CVEs: CVE-2023-1428, CVE-2023-32731, CVE-2023-32732. Tags: Vulnerability ★★
Google 2023-06-05 19:44:44 GCP-2023-008 (direct link) Published: 2023-06-05 Description: A new vulnerability (CVE-2023-1872) has been discovered in the Linux kernel that can lead to a privilege escalation to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVE: CVE-2023-1872. Tags: Vulnerability ★★
Google 2023-06-02 20:21:30 GCP-2023-007 (direct link) Published: 2023-06-02 Tags: Vulnerability Patching Cloud ★★★
Google 2023-05-18 15:08:09 GCP-2023-005 (direct link) Published: 2023-05-18 ★★★
Google 2023-04-26 22:23:09 GCP-2023-004 (direct link) Published: 2023-04-26 Tags: Vulnerability ★★
Google 2023-04-11 15:31:45 GCP-2023-003 (direct link) Published: 2023-04-11 ★★★
Google 2023-04-04 20:19:30 GCP-2023-002 (direct link) Tags: Vulnerability ★★
Google 2023-03-01 20:25:32 (Déjà vu) GCP-2023-001 (direct link) Published: 2023-03-01 Description: A new vulnerability (CVE-2022-4696) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVE: CVE-2022-4696. Tags: Vulnerability Guideline ★★★
Google 2023-01-11 22:15:53 GCP-2022-026 (direct link) Published: 2023-01-11 Description: Two new vulnerabilities (CVE-2022-3786 and CVE-2022-3602) have been discovered in OpenSSL v3.0.6 that can potentially cause a crash. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: Medium. CVEs: CVE-2022-3786, CVE-2022-3602. ★★★
Google 2022-12-21 17:12:56 (Déjà vu) GCP-2022-021 (direct link) Published: 2022-10-27 Updated: 2022-12-15 Description: 2022-12-15 Update: Updated information that version 1.21.14-gke.9400 of Google Kubernetes Engine is pending rollout and may be superseded by a higher version number. 2022-11-22 Update: Added patch versions for Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure. A new vulnerability, CVE-2022-3176, has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve full container breakout to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVE: CVE-2022-3176. Tags: Vulnerability Guideline Uber ★★★
Google 2022-12-21 17:12:56 GCP-2021-020 (direct link) Published: Description: Certain Google Cloud load balancers routing to an Identity-Aware Proxy (IAP) enabled Backend Service could have been vulnerable to an untrusted party under limited conditions. This addresses an issue reported through our Vulnerability Reward Program. The conditions were that the servers were HTTP(S) load balancers and used a default backend or a backend that had a wildcard host mapping rule (that is, host="*"). In addition, a user in your organization must have clicked a specifically-crafted link sent by an untrusted party. This issue has now been resolved. IAP has been updated to issue cookies only to authorized hosts as of September 17, 2021. A host is considered authorized if it matches at least one Subject Alternative Name (SAN) in one of the certificates installed on your load balancers. What to do: Some of your users may experience an HTTP 401 Unauthorized response with an IAP error code 52 while trying to access apps or services. This error code means that the client sent a Host header which does not match any Subject Alternative Names associated with the load balancer's SSL certificate(s). The load balancer administrator needs to update the SSL certificate to ensure that the Subject Alternative Name (SAN) list contains all the hostnames through which users are accessing the IAP-protected apps or services. Learn more about IAP error codes. Severity: High. Tags: Vulnerability ★★★
Google 2022-12-21 17:12:56 (Déjà vu) GCP-2022-020 (direct link) Published: 2022-10-05 Updated: 2022-10-12 Description: The Istio control plane istiod is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message to crash the control plane when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For instructions and more details, see the Anthos Service Mesh security bulletin. Severity: High. CVE: CVE-2022-39278. ★★★
Google 2022-12-21 17:12:56 GCP-2022-006 (direct link) Published: Updated: Description: 2022-05-16 Update: Added GKE version 1.19.16-gke.7800 or later to the list of versions that have code to fix this vulnerability. For details, see the GKE security bulletin. 2022-05-12 Update: The GKE, Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure versions have been updated. For instructions and more details, see the GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin. A security vulnerability, CVE-2022-0492, has been discovered in the Linux kernel's cgroup_release_agent_write function. The attack uses unprivileged user namespaces and under certain circumstances this vulnerability can be exploitable for container breakout. Severity: Low. Notes: For instructions and more details, see the GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin. Tags: Vulnerability ★★★
Google 2022-12-21 17:12:56 GCP-2022-009 (direct link) Published: Description: Some unexpected paths to access the node VM on GKE Autopilot clusters could have been used to escalate privileges in the cluster. These issues have been fixed and no further action is required. The fixes address issues reported through our Vulnerability Reward Program. For instructions and more details, see the GKE security bulletin. Severity: Low. ★★★
Google 2022-12-21 17:12:56 (Déjà vu) GCP-2022-022 (direct link) Published: 2022-10-28 Updated: 2022-12-14 Description: 2022-12-14 Update: Added patch versions for GKE and Anthos clusters on VMware. A new vulnerability, CVE-2022-20409, has been discovered in the Linux kernel that could allow an unprivileged user to escalate to system execution privilege. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVE: CVE-2022-20409. ★★★
Google 2022-12-21 17:12:56 GCP-2021-022 (direct link) Published: Description: A vulnerability has been discovered in the Anthos Identity Service (AIS) LDAP module of Anthos clusters on VMware versions 1.8 and 1.8.1 where a seed key used in generating keys is predictable. With this vulnerability, an authenticated user could add arbitrary claims and escalate privileges indefinitely. For instructions and more details, see the Anthos clusters on VMware security bulletin. Severity: High. Tags: Vulnerability ★★★
Google 2022-12-21 17:12:56 (Déjà vu) GCP-2022-024 (direct link) Published: 2022-11-09 Updated: 2022-12-16 Description: 2022-12-16 Update: Added patch versions for GKE and Anthos clusters on VMware. Two new vulnerabilities (CVE-2022-2585 and CVE-2022-2588) have been discovered in the Linux kernel that can lead to a full container breakout to root on the node. For instructions and more details, see the GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVEs: CVE-2022-2585, CVE-2022-2588. Tags: Guideline ★★★
Google 2022-12-21 17:12:56 GCP-2021-023 (direct link) Published: Description: Per VMware security advisory VMSA-2021-0020, VMware received reports of multiple vulnerabilities in vCenter. VMware has made updates available to remediate these vulnerabilities in affected VMware products. We have already applied the patches provided by VMware for the vSphere stack to Google Cloud VMware Engine per the VMware security advisory. This update addresses the security vulnerabilities described in CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, and CVE-2021-22010. Other non-critical security issues will be addressed in the upcoming VMware stack upgrade (per the advance notice sent in July, more details will be provided soon on the specific timeline of the upgrade). VMware Engine impact: Based on our investigations, no customers were found to be impacted. What should I do? Because VMware Engine clusters are not affected by this vulnerability, no further action is required. Severity: Critical. Advisory: VMSA-2021-0020. CVEs: CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22010. ★★★
Google 2022-12-21 17:12:56 GCP-2022-004 (direct link) Published: Description: A security vulnerability, CVE-2021-4034, has been discovered in pkexec, a part of the Linux policy kit package (polkit), that allows an authenticated user to perform a privilege escalation attack. PolicyKit is generally used only on Linux desktop systems to allow non-root users to perform actions such as rebooting the system, installing packages, restarting services etc., as governed by a policy. For instructions and more details, see the GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos on Azure security bulletin. Severity: None. CVE: CVE-2021-4034. ★★★
Google 2022-12-21 17:12:56 (Déjà vu) GCP-2022-010 (direct link) Description: The following Istio CVE exposes Anthos Service Mesh to a remotely exploitable vulnerability: CVE-2022-24726: The Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message to crash the control plane when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017 but does not require any authentication from the attacker. For instructions and more details, see the following security bulletin: Anthos Service Mesh security bulletin. Severity: High. CVE: CVE-2022-24726. ★★★
Google 2022-12-21 17:12:56 (Déjà vu) GCP-2022-012 (direct link) Published: 2022-04-07 Updated: 2022-11-22 Description: 2022-11-22 Update: For GKE clusters in both modes, Standard and Autopilot, workloads using GKE Sandbox are unaffected. A security vulnerability, CVE-2022-0847, has been discovered in the Linux kernel version 5.8 and later that can potentially escalate container privileges to root. This vulnerability affects the following products: GKE node pool versions 1.22 and later that use Container-Optimized OS images (Container-Optimized OS 93 and later); Anthos clusters on VMware v1.10 for Container-Optimized OS images; Anthos clusters on AWS v1.21 and Anthos clusters on AWS (previous generation) v1.19, v1.20, v1.21, which use Ubuntu; managed clusters of Anthos on Azure v1.21 which use Ubuntu. For instructions and more details, see the following security bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVE: CVE-2022-0847. Tags: Vulnerability Uber ★★★
Google 2022-12-21 17:12:56 GCP-2022-013 (direct link) Published: 2022-04-11 Updated: 2022-04-22 Description: A security vulnerability, CVE-2022-23648, has been discovered in containerd's handling of path traversal in the OCI image volume specification. Containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain full read access to arbitrary files and directories on the host. This vulnerability may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy). For instructions and more details, see the following security bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: Medium. CVE: CVE-2022-23648. Tags: Vulnerability Uber ★★★
Google 2022-12-21 17:12:56 GCP-2022-011 (direct link) Published: 2022-03-22 Updated: 2022-08-11 Description: Update 2022-08-11: Added more information about the Simultaneous Multi-Threading (SMT) configuration. SMT was intended to be disabled, but was enabled on the versions listed. If you manually enabled SMT for a sandboxed node pool, SMT will remain manually enabled despite this issue. There is a misconfiguration with Simultaneous Multi-Threading (SMT), also known as Hyper-threading, on GKE Sandbox images. The misconfiguration leaves nodes potentially exposed to side channel attacks such as Microarchitectural Data Sampling (MDS) (for more context, see GKE Sandbox documentation). We do not recommend using the following affected versions: 1.22.4-gke.1501, 1.22.6-gke.300, 1.23.2-gke.300, 1.23.3-gke.600. For instructions and more details, see the GKE security bulletin. Severity: Medium. Tags: Uber ★★★
Google 2022-12-21 17:12:56 (Déjà vu) GCP-2022-018 (direct link) Published: 2022-08-01 Updated: 2022-09-14 Description: 2022-09-14 Update: Added patch versions for Anthos clusters on VMware, Anthos clusters on AWS, and Anthos on Azure. A new vulnerability (CVE-2022-2327) has been discovered in the Linux kernel that can lead to local privilege escalation. This vulnerability allows an unprivileged user to achieve a full container breakout to root on the node. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVE: CVE-2022-2327. Tags: Vulnerability Guideline ★★★
Google 2022-12-21 17:12:56 (Déjà vu) GCP-2022-025 (direct link) Published: 2022-12-21 Description: A new vulnerability (CVE-2022-2602) has been discovered in the io_uring subsystem in the Linux kernel that can allow an attacker to potentially execute arbitrary code. For instructions and more details, see the following bulletins: GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on Azure security bulletin, Anthos on bare metal security bulletin. Severity: High. CVE: CVE-2022-2602. Tags: Vulnerability ★★★
Google 2022-12-21 17:12:56 GCP-2021-021 (direct link) Published: Description: A security vulnerability, CVE-2020-8561, has been discovered in Kubernetes where certain webhooks can be made to redirect kube-apiserver requests to private networks of that API server. For instructions and more details, see the GKE security bulletin, Anthos clusters on VMware security bulletin, Anthos clusters on AWS security bulletin, Anthos on bare metal security bulletin. Severity: Medium. CVE: CVE-2020-8561. Tags: Uber ★★★
Google 2022-12-21 17:12:56 GCP-2021-019 (direct link) Published: Description: There is a known issue where updating a BackendConfig resource using the v1beta1 API removes an active Google Cloud Armor security policy from its service. For instructions and more details, see the GKE security bulletin. Severity: Low. ★★★
Last update at: 2024-07-16 04:08:13