How to take action on the security issues in Container-Optimized OS

Hello experts,

We have security vulnerability issues reported under the category "OS vulnerability" in one of our projects used to host GKE; we rely on Container-Optimized OS. The issues point to the old gitshells, Python and other packages installed and bundled inside Container-Optimized OS. In order to mitigate the issues, how do we update these packages to the latest version suggested by Security Command Center itself in the remediation steps?

Also, we see that the packages installed on Container-Optimized OS always show "No updates available", patch status "up to date".

But the security vulnerabilities and threats detection is reporting the issues in Container-Optimized OS. Or is this only applicable to projects having their own VM and desired OS with the workload installed on it? Please suggest.

1 ACCEPTED SOLUTION

Hello @Murugesan,

Thank you for your response.

As I mentioned in my previous response, a remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH, and all supported versions of Container-Optimized OS and Ubuntu images on GKE run versions of OpenSSH that are vulnerable to this issue. Hence there could be a chance of getting vulnerability logs in Security Command Center even though all the packages were up to date. Please refer to this GKE Security Bulletin to know more about this race condition.

In order to resolve this issue, please follow the resolution steps mentioned here. Please let me know if the issue is resolved after upgrading the GKE nodes with the latest patch versions available.

Thanks & Regards,

Manish Bavireddy.


3 REPLIES

Hello @Murugesan,

Thank you for contacting the Google Cloud Community.

I understand that you are receiving OS vulnerabilities asking you to update the packages which are up to date as part of security command center findings. Please correct me, if I misunderstood.

In order to resolve the issue, please ensure that your GKE nodes are running the latest version of COS. As stated in the GKE security bulletin, vulnerabilities (CVE-2024-26923) were discovered in the Linux kernel that can lead to privilege escalation on Container-Optimized OS and Ubuntu nodes. It is suggested to upgrade your Container-Optimized OS node pools to one of the following patch versions or later to resolve the issue:

  • 1.26.15-gke.1360000
  • 1.27.14-gke.1022000
  • 1.28.9-gke.1289000
  • 1.29.5-gke.1010000

I hope the above provided information is helpful.

Thanks & Regards,

Manish Bavireddy. 
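The reply above tells you which patch version each GKE minor line must reach. The script below is an added example, not code from the thread or from Google: it encodes the four versions quoted in the reply and checks node-pool versions against them, so the node pools that still need an upgrade stand out. The `gcloud container node-pools list ... --format='value(name,version)'` command is the assumed source of real input; the `SAMPLE_POOLS` lines are constructed for the demonstration and are not output from any real project.

```shell
#!/bin/sh
# Added example, not from the thread: check whether GKE node pools run at
# least the patch versions quoted in the reply above for the
# CVE-2024-26923 bulletin. The version list is copied from that reply. The
# gcloud command in the comment below is the assumed source of real input;
# the SAMPLE_POOLS data is constructed and is not output from any real project.

# Minimum patched version per GKE minor line, as quoted in the reply.
PATCHED_VERSIONS="1.26.15-gke.1360000
1.27.14-gke.1022000
1.28.9-gke.1289000
1.29.5-gke.1010000"

# Turn "1.28.9-gke.1289000" into the fixed-width key "001028009001289000"
# (major, minor, patch, gke build, each zero-padded) so that plain string
# comparison orders versions correctly.
gke_version_key() {
    set -- $(printf '%s\n' "$1" | sed 's/-gke\./ /; s/\./ /g')
    printf '%03d%03d%03d%09d' "$1" "$2" "$3" "$4"
}

# gke_version_ge A B: succeed if version A is at or above version B.
gke_version_ge() {
    a=$(gke_version_key "$1")
    b=$(gke_version_key "$2")
    [ "$a" = "$b" ] || [ "$a" \> "$b" ]
}

# node_pool_patched VERSION: returns 0 if VERSION is at or above the
# bulletin's patch version for its minor line, 1 if it is below it, and 2 if
# that minor line is not in the list at all (an unsupported or newer
# release), which must be checked against the bulletin by hand.
node_pool_patched() {
    minor=$(printf '%s\n' "$1" | cut -d. -f1,2)
    for p in $PATCHED_VERSIONS; do
        case "$p" in
            "$minor".*)
                gke_version_ge "$1" "$p" && return 0
                return 1
                ;;
        esac
    done
    return 2
}

# report_pools: reads "name<TAB>version" lines on stdin, prints a verdict per
# pool and returns the number of pools that are not verified as patched.
report_pools() {
    bad=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name ver; do
        [ -n "$ver" ] || continue
        rc=0
        node_pool_patched "$ver" || rc=$?
        case $rc in
            0) echo "$name $ver: OK, at or above the bulletin patch version" ;;
            1) echo "$name $ver: NEEDS UPGRADE"; bad=$((bad + 1)) ;;
            *) echo "$name $ver: minor line not in the bulletin list, check manually"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# Constructed sample in the shape of
#   gcloud container node-pools list --cluster CLUSTER --location LOCATION \
#       --format='value(name,version)'
# which prints one tab-separated "name version" line per node pool.
SAMPLE_POOLS=$(printf 'default-pool\t1.28.7-gke.1026000\ngpu-pool\t1.29.6-gke.1038000\nlegacy-pool\t1.25.16-gke.1041000\n')

printf '%s\n' "$SAMPLE_POOLS" | report_pools || echo "$? pool(s) need attention"
```

To use it against a real cluster, replace the constructed `SAMPLE_POOLS` with the output of the gcloud command in the comment and pipe it into `report_pools`; a non-zero return means at least one pool is below the quoted version or on a minor line the reply does not cover, and those pools are the ones to upgrade before expecting the Security Command Center finding to clear.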


Thank you Manish. Yes, you understood my question, but it's not the GKE security bulletin but Security Command Center that logs the critical error under the category "OS Vulnerability". The remediation steps and links point to the pool and the source "COS" where GKE is hosted.

Example: CVE-2024-6387. In the OS info and the packages list, everything shows "Up to date", but SCC reports the OS vulnerability found on COS.

