From time to time, we might release security bulletins related to Google Compute Engine. All security bulletins for Google Compute Engine are described here.
Date Published: 2014-07-25
Severity: High
Notes: CVE-2014-4326

Description

Elasticsearch Logstash is vulnerable to OS command injection that can allow unauthorized modification and disclosure of data. An attacker can send crafted events to any of Logstash's data sources, allowing the attacker to execute commands with the permissions of the Logstash process.

Google Compute Engine impact

This vulnerability affects all Compute Engine instances running versions of Elasticsearch Logstash before 1.4.2 with zabbix or nagios_nsca outputs enabled. To prevent attack, you can either:

Read more on the Logstash blog. Elasticsearch also recommends using a firewall to prevent remote access by untrusted IPs.
Date Published: 2014-06-18
Severity: Low
Notes: Docker blog post

Description

We would like to take a moment to respond to any possible concerns that customers have about the security of Docker containers when running on Google Cloud Platform. This includes customers using our Google App Engine extensions that support Docker containers, container-optimized virtual machines, or the open source Kubernetes scheduler. Docker has done a great job of responding to the issue and you can see their blog response here. Note that, as they say in their response, the issue revealed today only applies to Docker 0.11, an older, pre-production version.

While the world is thinking about container security, we would like to point out that in Google Cloud Platform, Linux application container based solutions (specifically Docker containers) run in full virtual machines (Google Compute Engine). While we support the efforts of the Docker community to harden the Linux application container stack, we recognize that the technology is new, and the surface area large. It is our belief that, for now, full hypervisors (virtual machines) provide a more compact and defensible surface area. Virtual machines were designed from the beginning to isolate malicious workloads and to minimize the likelihood and impact of a code bug. Our customers can rest assured that a full hypervisor boundary exists between them and any third-party, potentially malicious code.

Should we reach a point where we consider the Linux application container stack robust enough to support multi-tenant workloads, we will let the community know. For now, the Linux application container does not replace the virtual machine. It is a way to get a lot more out of it.
Date Published: 2014-06-05
Severity: Medium
Notes: CVE-2014-0224

Description

OpenSSL has an issue where the

This issue is identified as CVE-2014-0224. The OpenSSL team has fixed the issue and alerted the OpenSSL community to update OpenSSL.

Google Compute Engine impact

This vulnerability affects all Compute Engine instances which use OpenSSL, including Debian, CentOS, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server. You can update your instances by recreating them with new images, or by manually updating packages on your instances.

To update Debian and CentOS instances using new images, recreate your instances using any of the following image versions or higher:

To manually update OpenSSL on your instances, run the following commands to update the appropriate packages.

For instances running CentOS and RHEL, you can update OpenSSL by running these commands in your instance:

    user@my-instance:~$ sudo yum -y update
    user@my-instance:~$ sudo reboot

For instances running Debian, you can update OpenSSL by running the following commands in your instance:

    user@my-instance:~$ sudo apt-get update
    user@my-instance:~$ sudo apt-get -y upgrade
    user@my-instance:~$ sudo reboot

For instances running SUSE Linux Enterprise Server, you can ensure OpenSSL is up to date by running these commands in the instance:

    user@my-instance:~$ sudo zypper --non-interactive up
    user@my-instance:~$ sudo reboot

UPDATE (6/9/2014): To update your instances running SUSE Linux Enterprise Server with new images, recreate your instances using the following image versions or higher:
Date Published: 2014-04-08
Severity: Medium
Notes: CVE-2014-0160

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to

Google Compute Engine impact

This vulnerability affects all Compute Engine Debian, RHEL, and CentOS instances that do not have the most updated version of OpenSSL. You can update your instances by recreating them with new images, or by manually updating packages on your instances.

To update your instances using new images, recreate your instances using any of the following image versions or higher:

To manually update OpenSSL on your instances, run the following commands to update the appropriate packages.

For instances running CentOS and RHEL, you can ensure OpenSSL is up to date by running these commands in the instance:

    user@my-instance:~$ sudo yum update
    user@my-instance:~$ sudo reboot

For instances running Debian, you can update OpenSSL by running the following commands in your instance:

    user@my-instance:~$ sudo apt-get update
    user@my-instance:~$ sudo apt-get upgrade
    user@my-instance:~$ sudo reboot

Instances running SUSE Linux are not affected.

Update on April 14, 2014: In light of new research on extracting keys using the Heartbleed bug, Compute Engine is recommending that Compute Engine customers create new keys for any affected SSL services.
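The three bulletins above (Logstash CVE-2014-4326, OpenSSL CVE-2014-0224 and OpenSSL CVE-2014-0160) all come down to the same triage question on each instance: is the version the software reports older than the upstream fix release, and, for Logstash, is one of the named outputs actually enabled in the configuration? The POSIX shell script below is an added example; it is not part of this bulletin page and not tooling from Google or Elasticsearch. It assumes Logstash configuration files use the `output { zabbix { ... } }` block syntax and that version strings look like `1.4.1`, `1.0.1e` or `0.9.8za`. The CVE-2014-0224 fix releases it uses (0.9.8za, 1.0.0m, 1.0.1h) come from the OpenSSL advisory, not from this page, and the sample configuration files are constructed for the demonstration. Because distributions backport fixes without changing the version string (which is why the bulletins simply say to update packages and reboot), a hit from the OpenSSL check means "verify the package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the bulletin page): version triage for the Logstash
# and OpenSSL bulletins. Assumptions: Logstash configs use the
# `output { zabbix { ... } }` syntax; versions look like 1.4.1, 1.0.1e, 0.9.8za.

# Split "1.0.1g" into "1 0 1 g"; the letter suffix may be empty ("1.4.2").
ver_key() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)([a-z]*).*$/\1 \2 \3 \4/'
}

# ver_lt A B: exit 0 when A is strictly older than B (exit 2 on unparsable input).
ver_lt() {
    ka=$(ver_key "$1"); kb=$(ver_key "$2")
    set -- $ka; [ $# -ge 3 ] || return 2; a1=$1; a2=$2; a3=$3; a4=${4:-}
    set -- $kb; [ $# -ge 3 ] || return 2; b1=$1; b2=$2; b3=$3; b4=${4:-}
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    # Numeric parts equal: compare the letter suffix; no suffix sorts first.
    if [ "$a4" = "$b4" ]; then return 1; fi
    first=$(printf '%s\n%s\n' "$a4" "$b4" | LC_ALL=C sort | head -n 1)
    if [ "$first" = "$a4" ]; then return 0; else return 1; fi
}

# Logstash bulletin: at risk only when the version is older than 1.4.2 AND the
# config enables a zabbix or nagios_nsca output (CVE-2014-4326).
logstash_at_risk() {
    version=$1; config=$2
    ver_lt "$version" 1.4.2 || return 1
    grep -Eq '(^|[^A-Za-z0-9_])(zabbix|nagios_nsca)[[:space:]]*\{' "$config"
}

# OpenSSL bulletins: parse `openssl version` output and report which upstream
# fix release the reported version predates. Fix releases (OpenSSL advisories):
# CVE-2014-0160 (Heartbleed): 1.0.1g; CVE-2014-0224 (CCS injection): 0.9.8za, 1.0.0m, 1.0.1h.
# Caveat: distro packages backport fixes without bumping this string, so a hit
# means "check the package changelog", not "confirmed vulnerable".
openssl_upstream_status() {
    v=$(printf '%s\n' "$1" | sed -nE 's/^OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*).*$/\1/p')
    if [ -z "$v" ]; then echo "unparsed"; return 2; fi
    flags=""
    case "$v" in 1.0.1*) if ver_lt "$v" 1.0.1g; then flags="$flags CVE-2014-0160"; fi ;; esac
    case "$v" in
        0.9.8*) fix=0.9.8za ;;
        1.0.0*) fix=1.0.0m ;;
        1.0.1*) fix=1.0.1h ;;
        *)      fix="" ;;
    esac
    if [ -n "$fix" ] && ver_lt "$v" "$fix"; then flags="$flags CVE-2014-0224"; fi
    if [ -n "$flags" ]; then echo "possibly-affected:$flags"; return 1; fi
    echo "not-affected-upstream"
    return 0
}

# Constructed Logstash configs for the demonstration (not real deployments).
make_sample_configs() {
    printf 'input { stdin { } }\noutput { elasticsearch { host => "127.0.0.1" } nagios_nsca { host => "nsca.example" } }\n' > "$1/risky.conf"
    printf 'input { stdin { } }\noutput { elasticsearch { host => "127.0.0.1" } }\n' > "$1/plain.conf"
}

# Demonstration on the constructed inputs, then on this host's own OpenSSL.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
for cfg in risky plain; do
    if logstash_at_risk 1.4.1 "$demo_dir/$cfg.conf"; then
        echo "logstash 1.4.1 with $cfg.conf: at risk (upgrade to 1.4.2 or disable the output)"
    else
        echo "logstash 1.4.1 with $cfg.conf: not at risk"
    fi
done
for s in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1h 5 Jun 2014"; do
    echo "$s -> $(openssl_upstream_status "$s")"
done
if command -v openssl >/dev/null 2>&1; then
    echo "this host: $(openssl version) -> $(openssl_upstream_status "$(openssl version)")"
fi
rm -rf "$demo_dir"
```

On a real instance, feed `logstash_at_risk` the version from `bin/logstash --version` and the path of each configuration file Logstash loads, and feed `openssl_upstream_status` the output of `openssl version`; a flagged OpenSSL result on a distribution that backports patches is the cue to run the update commands from the bulletin and reboot, so that long-running services stop using the old library.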
Date Published: 2013-06-07
Severity: Medium
Notes: CVE-2013-2852

Description

Note: This vulnerability only applies to kernels, which have been deprecated and removed since API version v1.

Format string vulnerability in the

Google Compute Engine impact

This vulnerability affects all Google Compute Engine kernels earlier than

To find out what kernel version your instance is using:
Date Published: 2013-06-07
Severity: Medium
Notes: CVE-2013-2851

Description

Note: This vulnerability only applies to kernels, which have been deprecated and removed since API version v1.

Format string vulnerability in the register_disk function in

Google Compute Engine impact

This vulnerability affects all Google Compute Engine kernels earlier than

To find out what kernel version your instance is using:
Date Published: 2013-05-14
Severity: High
Notes: CVE-2013-2094

Description

Note: This vulnerability only applies to kernels, which have been deprecated and removed since API version v1.

The perf_swevent_init function in

Google Compute Engine impact

This vulnerability affects all Google Compute Engine kernels earlier than

To find out what kernel version your instance is using:
Date Published: 2013-02-18
Severity: Medium
Notes: CVE-2013-0871

Description

Note: This vulnerability only applies to kernels, which have been deprecated and removed since API version v1.

Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a

Google Compute Engine impact

This vulnerability affects Google Compute Engine kernels

To find out what kernel version your instance is using: