GCP-2023-028

Google Cloud Platform Security Advisory

Published: 2023-09-19

Description


Customers can configure Chronicle to ingest data from customer-owned Cloud Storage buckets using an ingestion feed. Until recently, Chronicle provided a shared service account that customers used to grant permission to the bucket. As a result, one customer’s Chronicle instance could be configured to ingest data from another customer’s Cloud Storage bucket. After performing an impact analysis, we found no current or prior exploitation of this vulnerability. The vulnerability was present in all versions of Chronicle prior to Sept 19, 2023.

What should I do?

As of Sept 19, 2023, Chronicle has been updated to address this vulnerability. No customer action is required.

What vulnerabilities are being addressed?

Previously, Chronicle provided a shared service account that customers used to grant permission to a bucket. Because different customers gave the same Chronicle service account permission to their bucket, an exploitation vector existed that allowed one customer’s feed to access a different customer’s bucket when a feed was being created or modified. This exploitation vector required knowledge of the bucket URI. Now, during feed creation or modification, Chronicle uses unique service accounts for each customer.
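The shared-account design and its per-customer replacement described above, modelled as an added example that is not Chronicle's code. Every class, account name, tenant and bucket URI here is constructed for illustration.

```python
# Toy model (added example): all names, accounts and URIs are constructed.
from dataclasses import dataclass, field

SHARED_SA = "shared-ingest@example.invalid"  # placeholder, not the real account


@dataclass
class Bucket:
    uri: str
    owner: str
    readers: set = field(default_factory=set)  # principals granted read access

    def read(self, principal: str) -> str:
        # The bucket sees only the calling principal, never the tenant behind it.
        if principal not in self.readers:
            raise PermissionError(f"{principal} may not read {self.uri}")
        return f"logs of {self.owner}"


class FeedService:
    """Multi-tenant ingestion service reading buckets on behalf of tenants."""

    def __init__(self, buckets, per_tenant_accounts: bool):
        self.buckets = {b.uri: b for b in buckets}
        self.per_tenant = per_tenant_accounts

    def principal_for(self, tenant: str) -> str:
        # After the fix each tenant gets its own identity; before, all shared one.
        return f"ingest-{tenant}@example.invalid" if self.per_tenant else SHARED_SA

    def create_feed(self, tenant: str, bucket_uri: str) -> str:
        return self.buckets[bucket_uri].read(self.principal_for(tenant))


def cross_tenant_read_possible(per_tenant_accounts: bool) -> bool:
    svc = FeedService([], per_tenant_accounts)
    # Each owner grants access to the principal the service tells them to use.
    a = Bucket("gs://tenant-a-logs", "tenant-a", {svc.principal_for("tenant-a")})
    b = Bucket("gs://tenant-b-logs", "tenant-b", {svc.principal_for("tenant-b")})
    svc.buckets = {a.uri: a, b.uri: b}
    assert svc.create_feed("tenant-a", a.uri) == "logs of tenant-a"  # legitimate
    try:
        svc.create_feed("tenant-b", a.uri)  # tenant-b names tenant-a's bucket
        return True
    except PermissionError:
        return False
```

With one shared identity the bucket's access list cannot tell tenants apart, so the check has to happen inside the service; with per-tenant identities the bucket's own IAM binding enforces the boundary.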

Severity: High
