GCP-2024-022

Google Cloud Platform Security Advisory

Published: 2024-04-03
Reference: CVE-2023-45288

GKE

Description

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane. GKE clusters with authorized networks configured are protected by limiting network access, but all other clusters are affected.

GKE Autopilot and Standard clusters are affected.

What should I do?

The golang project released patches on April 3, 2024. We’ll update this bulletin when GKE versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

Mitigate by configuring authorized networks for control plane access:

You can protect your clusters from this class of attacks by configuring authorized networks, which restrict which source IP ranges can reach the control plane endpoint. Follow the instructions to enable authorized networks for an existing cluster.

To learn more about how authorized networks control access to the control plane, see How authorized networks work. To see the default authorized network access, view the table in the Access to control plane endpoints section.
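To check which clusters still lack the authorized-networks mitigation described above, the following added script (not part of this bulletin) reads the JSON that `gcloud container clusters list --format=json` emits and reports clusters whose control plane is not restricted. The field name `masterAuthorizedNetworksConfig` is assumed from the GKE API, and the sample cluster records are constructed for illustration.

```python
"""Audit GKE clusters for the authorized-networks mitigation (CVE-2023-45288).

Usage: gcloud container clusters list --format=json | python3 audit_authnets.py
With no piped input the constructed sample below is used instead.
"""
import json
import sys

# Constructed sample: the subset of `gcloud container clusters list --format=json`
# fields this check needs (assumed field names; not real cluster data).
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-a", "location": "us-central1",
     "masterAuthorizedNetworksConfig": {
         "enabled": True,
         "cidrBlocks": [{"displayName": "corp-vpn", "cidrBlock": "203.0.113.0/24"}]}},
    {"name": "dev-b", "location": "europe-west1",
     "masterAuthorizedNetworksConfig": {"enabled": False}},
    {"name": "legacy-c", "location": "us-east1"},  # field absent: never configured
])


def authorized_networks_enabled(cluster: dict) -> bool:
    """True if authorized networks are configured for the cluster's control plane.

    Follows the bulletin's criterion: a cluster with authorized networks
    configured is protected; a missing or disabled config is not.
    """
    cfg = cluster.get("masterAuthorizedNetworksConfig") or {}
    return bool(cfg.get("enabled"))


def unprotected_clusters(clusters_json: str) -> list:
    """Return (name, location) pairs for clusters without the mitigation."""
    clusters = json.loads(clusters_json)
    return [(c["name"], c["location"])
            for c in clusters if not authorized_networks_enabled(c)]


def main() -> None:
    # Read piped gcloud output if present; otherwise fall back to the sample.
    data = SAMPLE_CLUSTERS_JSON if sys.stdin.isatty() else sys.stdin.read()
    for name, location in unprotected_clusters(data):
        print(f"{name} ({location}): authorized networks not configured; "
              f"control plane exposed to CVE-2023-45288 DoS until patched")


if __name__ == "__main__":
    main()
```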

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane.

Severity: High

GKE on VMware

Description

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

The golang project released patches on April 3, 2024. We’ll update this bulletin when GKE on VMware versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane.

Severity: High

GKE on AWS

Description

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

The golang project released patches on April 3, 2024. We’ll update this bulletin when GKE on AWS versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane.

Severity: High

GKE on Azure

Description

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

The golang project released patches on April 3, 2024. We’ll update this bulletin when GKE on Azure versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane.

Severity: High

GKE on Bare Metal

Description

A Denial-of-Service (DoS) vulnerability (CVE-2023-45288) was recently discovered in multiple implementations of the HTTP/2 protocol, including the golang HTTP server used by Kubernetes. The vulnerability could lead to a DoS of the Google Kubernetes Engine (GKE) control plane.

What should I do?

The golang project released patches on April 3, 2024. We’ll update this bulletin when GKE on Bare Metal versions that incorporate these patches are available. To request a patch on an accelerated timeline, contact support.

What vulnerabilities are addressed by this patch?

The vulnerability (CVE-2023-45288) allows an attacker to execute a DoS attack on the Kubernetes control plane.

Severity: High
