GCP-2024-025

Google Cloud Platform Security Advisory

Published: 2024-04-26

Description

Looker fixed vulnerabilities reported by an external researcher through the Google and Alphabet Vulnerability Reward Program (VRP) and found no evidence of exploitation. These issues are now resolved, and no user action is required for Looker-hosted customers on Looker (Google Cloud core) and Looker (original). Customers running self-hosted Looker instances are advised to update to the latest supported version.

What should I do?

Looker-hosted instances: Looker (Google Cloud core) and Looker (original) instances

No customer action is required.

Self-hosted Looker instances only

If your Looker instance is self-hosted, we recommend upgrading it to the patched release for its release branch, or later. The patched releases are:

  • 24.6.12+
  • 24.4.27+
  • 24.2.58+
  • 24.0.65+
  • 23.18.100+
  • 23.12.105+
  • 23.6.163+
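The list above is per release branch: an instance is fixed only if its patch number meets the minimum for its own branch, and a branch that is not listed has no fixed release named in this advisory. The following script is an added example, not Google's or Looker's code, that applies that rule to a version string. It assumes Looker versions are plain MAJOR.MINOR.PATCH strings such as 24.2.57; for an unlisted branch it reports the next listed branch as the upgrade target, and for a branch newer than anything listed it reports that the advisory does not cover it, which you should confirm against the release notes rather than treat as a verdict.

```python
"""Version check for the GCP-2024-025 upgrade guidance (self-hosted Looker).

Added example, not Google's or Looker's code. It assumes Looker versions
are plain MAJOR.MINOR.PATCH strings like "24.2.57"; anything else is rejected.
"""
import sys

# Minimum patched release per release branch, copied from the advisory's list.
PATCHED = {
    (24, 6): 12,
    (24, 4): 27,
    (24, 2): 58,
    (24, 0): 65,
    (23, 18): 100,
    (23, 12): 105,
    (23, 6): 163,
}


def parse_version(text):
    """Parse "MAJOR.MINOR.PATCH" into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Looker version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text):
    """Return (status, reference_release) for a self-hosted Looker version.

    status is one of:
      "patched"         - at or above the fixed release for this branch
      "vulnerable"      - on a listed branch but below the fixed release
      "unlisted-older"  - branch has no fixed release in the advisory; the
                          next listed branch is returned as the upgrade target
      "unlisted-newer"  - branch is newer than anything the advisory lists;
                          assumed out of scope here, confirm in release notes
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)

    def fmt(b):
        return f"{b[0]}.{b[1]}.{PATCHED[b]}"

    if branch in PATCHED:
        status = "patched" if patch >= PATCHED[branch] else "vulnerable"
        return status, fmt(branch)

    newer = [b for b in PATCHED if b > branch]
    if not newer:
        return "unlisted-newer", fmt(max(PATCHED))
    return "unlisted-older", fmt(min(newer))


def main(argv):
    # Constructed sample input when no versions are given on the command line.
    for text in argv[1:] or ["24.2.57", "23.20.10"]:
        status, ref = assess(text)
        print(f"{text}: {status} (advisory reference release {ref})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python check_looker.py 24.2.57` (the file name is arbitrary). The comparison is done on integer tuples rather than on strings so that, for example, 23.6.163 correctly sorts above 23.6.99.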

How was this fixed?

Google disabled direct administrative access to the internal database from the Looker application, removed elevated privileges that enabled cross-tenant access, and rotated the exposed secrets. Additionally, we have patched path traversal vulnerabilities that potentially exposed service account credentials. We are also conducting a thorough review of our code and systems to identify and address any similar potential vulnerabilities.

Severity

Critical
