run.services.update and iam.serviceAccounts.actAspermissions they could modify a Cloud Run service and deploy a new revision.”In doing so, they could specify (through malicious code injection) any private container image stored in a victim’s registries, Matan added.According to a Tenable statement to CSO, an attacker could use this vulnerability for data theft or espionage in a real-world scenario. The attacker could use their code to inspect the contents of the private image, extract secrets stored within it, or even exfiltrate sensitive data. Flaw fixed with explicit read access requirement: The flaw, which was never assigned a CVE ID, received a fix from Google in January wherein Cloud Run was updated with necessary restrictions.”The principal (user or service account) creating or updating a Cloud Run resource now needs explicit permission to access the container image(s).” said a Google Cloud disclosure. “When using Artifact Registry, ensure the principal has the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or repository containing the container image(s) to deploy.”The fix was rolled out to all production on January 28 as a “breaking change,” following a Mandatory Service Announcement sent to affected Project, Folder, and Organization owners during the last week of November 2024, according to Tenable. A breaking change with reference to GCP refers to an update or modification that disrupts existing functionality, requiring users to update their configurations, code, or workflows to maintain compatibility.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3952518/google-fixes-gcp-flaw-that-could-expose-sensitive-container-images.html
