GCP-2023-017

Published: 2023-06-26
Reference: CVE-2023-31436

GKE

DescriptionSeverity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. GKE clusters, including Autopilot clusters, are affected.

GKE clusters using GKE Sandbox are not affected.

What should I do?

The following versions of GKE have been updated with code to fix this vulnerability. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions:

  • 1.22.17-gke.11400
  • 1.23.17-gke.6800
  • 1.24.14-gke.1200
  • 1.25.10-gke.1200
  • 1.26.5-gke.1200
  • 1.27.2-gke.1200

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your release specific channel.

What vulnerabilities are being addressed?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel’s traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

High

Anthos clusters on VMware

DescriptionSeverity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. Anthos clusters on VMware clusters are affected.

What should I do?

What vulnerabilities are being addressed?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel’s traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

High

Anthos clusters on AWS

DescriptionSeverity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. Anthos clusters on AWS clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel’s traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

High

Anthos on Azure

DescriptionSeverity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node. Anthos on Azure clusters are affected.

What should I do?

What vulnerabilities are addressed by this patch?

With CVE-2023-31436, an out-of-bounds memory access flaw was found in the Linux kernel’s traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.

High

Anthos clusters on bare metal

DescriptionSeverity

A new vulnerability (CVE-2023-31436) has been discovered in the Linux kernel that can lead to a privilege escalation on the node.

Anthos on bare metal is not affected by this CVE.

What should I do?

No action is required.

None

CLICK FOR MORE INFORMATION