GCP-2023-030

Google Cloud Platform Security Advisory

Published: 2023-10-10
Reference: CVE-2023-44487

GKE

Description

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected.

What should I do?

We recommend that you apply the following mitigation as soon as possible and upgrade to the latest patched version when available.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to, and also make the patches visible within GKE security posture when available for your cluster. To receive a Pub/Sub notification when a patch is available for your channel, enable cluster notifications.

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

Mitigate by configuring authorized networks for control plane access:

You can add authorized networks to existing clusters. To learn more, see authorized networks for existing clusters.

In addition to the authorized networks you add, there are preset IP addresses that can access the GKE control plane. To learn more about these addresses, see Access to control plane endpoints. The following items summarize the cluster isolation:

  • Private clusters with --master-authorized-networks and PSC-based clusters with --master-authorized-networks and --no-enable-google-cloud configured are the most isolated.
  • Legacy public clusters with --master-authorized-networks and PSC-based clusters with --master-authorized-networks and --enable-google-cloud (default) configured are additionally accessible by the following:
    • Public IP addresses of all Compute Engine VMs in Google Cloud
    • Google Cloud platform IP addresses
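As an added example (not part of Google's bulletin), the following audit script sorts clusters into the three isolation tiers summarized above from the JSON that `gcloud container clusters list --format=json` returns. It assumes the GKE API field names `privateClusterConfig.enablePrivateNodes`, `masterAuthorizedNetworksConfig.enabled` and `masterAuthorizedNetworksConfig.gcpPublicCidrsAccessEnabled` (the last corresponding to `--enable-google-cloud`/`--no-enable-google-cloud`); the input below is constructed sample data, not real cluster output.

```python
import json

# Constructed sample in the shape of `gcloud container clusters list --format=json`,
# trimmed to the fields this check reads (real output carries many more fields).
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "prod-private",
   "privateClusterConfig": {"enablePrivateNodes": true},
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"cidrBlock": "10.0.0.0/8"}]}},
  {"name": "psc-locked-down",
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}],
     "gcpPublicCidrsAccessEnabled": false}},
  {"name": "legacy-public-with-acl",
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}]}},
  {"name": "legacy-public-open",
   "masterAuthorizedNetworksConfig": {"enabled": false}}
]
"""

def classify(cluster):
    """Map one cluster record to an isolation tier from the bulletin."""
    man = cluster.get("masterAuthorizedNetworksConfig", {})
    if not man.get("enabled", False):
        # No authorized networks at all: control plane reachable from any
        # network, so this cluster is in the affected population.
        return "EXPOSED"
    private_nodes = cluster.get("privateClusterConfig", {}).get("enablePrivateNodes", False)
    # Assumption: a missing gcpPublicCidrsAccessEnabled means the default
    # (--enable-google-cloud), i.e. Google Cloud IP ranges are still allowed.
    gcp_public = man.get("gcpPublicCidrsAccessEnabled", True)
    if private_nodes or not gcp_public:
        return "MOST_ISOLATED"
    # Authorized networks plus Compute Engine public IPs and Google Cloud IPs.
    return "AUTHORIZED_PLUS_GCP"

def audit(clusters_json):
    """Return {cluster name: tier} for every cluster in the JSON list."""
    return {c["name"]: classify(c) for c in json.loads(clusters_json)}

def exposed_clusters(clusters_json):
    """Names of clusters that still need authorized networks configured."""
    return sorted(n for n, t in audit(clusters_json).items() if t == "EXPOSED")

if __name__ == "__main__":
    for name, tier in audit(SAMPLE_CLUSTERS_JSON).items():
        print(f"{name}: {tier}")
```

Feed it the real list output (`gcloud container clusters list --format=json > clusters.json`) and treat every `EXPOSED` cluster as a candidate for the `gcloud container clusters update --enable-master-authorized-networks --master-authorized-networks CIDR,...` mitigation.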

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on GKE control plane nodes.

Severity: High

Anthos clusters on VMware

Description

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. Anthos clusters on VMware creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

If you have configured your Anthos clusters on VMware Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

Severity: High

Anthos clusters on AWS

Description

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. Anthos clusters on AWS creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

If you have configured your Anthos clusters on AWS to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

Severity: High

Anthos on Azure

Description

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. Anthos on Azure creates private Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

If you have configured your Anthos on Azure clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

Severity: High

Anthos clusters on bare metal

Description

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Kubernetes control plane. Anthos on Bare Metal creates Kubernetes clusters that are not directly accessible to the Internet by default and are protected from this vulnerability.

What should I do?

If you have configured your Anthos on Bare Metal Kubernetes clusters to have direct access to the Internet or other untrusted networks, we recommend working with your firewall administrator to block or limit that access. To learn more, see the Anthos clusters on bare metal security overview.

We recommend that you upgrade to the latest patch version, when available, as soon as possible.

Golang patches will be released on October 10. Once available, we will build and qualify a new Kubernetes API server with those patches and make a GKE patched release. Once the GKE release is available, we will update this bulletin with guidance on which version to upgrade your control plane to.

What vulnerabilities are addressed by this patch?

The vulnerability, CVE-2023-44487, allows an attacker to execute a denial-of-service attack on Kubernetes control plane nodes.

Severity: High
