GCP-2024-018

Google Cloud Platform Security Advisory

Published: 2024-03-12
Reference: CVE-2024-1085

GKE

Description

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-1085

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren’t impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

  • 1.25.16-gke.1518000
  • 1.26.13-gke.1219000
  • 1.27.10-gke.1240000
  • 1.28.6-gke.1433000
  • 1.29.1-gke.1716000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

Severity: High
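
A check of node pool versions against the fixed GKE patch versions listed above, as an added example that is not part of the advisory or any Google tooling. It assumes Container-Optimized OS node pools and that the `-gke.N` build number increases within a patch release; the pool names and sample versions are constructed.

```python
import re

# Fixed patch versions per affected minor, copied from the advisory above.
FIXED = [
    "1.25.16-gke.1518000",
    "1.26.13-gke.1219000",
    "1.27.10-gke.1240000",
    "1.28.6-gke.1433000",
    "1.29.1-gke.1716000",
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")

def parse(version):
    """Return (major, minor, patch, gke_build) as ints, or raise ValueError."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a GKE version string: {version!r}")
    return tuple(int(g) for g in m.groups())

# Index the fixed versions by (major, minor) so each pool is compared
# only against the fix for its own minor line.
FIXED_BY_MINOR = {parse(v)[:2]: parse(v) for v in FIXED}

def status(node_version):
    """Classify a version as 'patched', 'needs-upgrade' or 'not-listed'."""
    v = parse(node_version)
    fixed = FIXED_BY_MINOR.get(v[:2])
    if fixed is None:
        return "not-listed"  # minor not named in the advisory; no verdict
    # Integer tuple comparison, so 1.27.9 sorts below 1.27.10.
    return "patched" if v >= fixed else "needs-upgrade"

def audit(pools):
    """Map pool name -> status for a {name: version} dict."""
    return {name: status(ver) for name, ver in pools.items()}

# Constructed sample inventory (assumption: names and versions are illustrative).
SAMPLE_POOLS = {
    "default-pool": "1.27.10-gke.1055000",
    "batch-pool": "1.28.6-gke.1433000",
    "edge-pool": "1.29.0-gke.1381000",
    "legacy-pool": "1.24.17-gke.2266000",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_POOLS).items():
        print(f"{name}: {verdict}")
```

A `not-listed` result means the advisory gives no fixed version for that minor, so the pool needs a separate check rather than being treated as safe.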

GKE on VMware

Description

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-1085

What should I do?

Severity: Pending

GKE on AWS

Description

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-1085

What should I do?

Severity: Pending

GKE on Azure

Description

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-1085

What should I do?

Severity: Pending

GKE on Bare Metal

Description

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-1085

What should I do?

There is no action required. GKE on Bare Metal isn’t affected as it does not bundle an operating system in its distribution.

Severity: None
