Google Cloud Build is Google Cloud Platform's continuous integration and continuous delivery (CI/CD) service; it integrates closely with Artifact Registry, Google Kubernetes Engine (GKE), and App Engine. Researchers have disclosed a design flaw in Google Cloud Build, dubbed Bad.Build, that allows an attacker with a foothold in a project to escalate privileges, inject malicious code into build artifacts, and gain unauthorized access to the resources those artifacts are deployed to.


The researchers point out that the risk stems from the default Cloud Build service account and the permissions it is granted: any principal holding the cloudbuild.builds.create permission can submit a build, and that build runs with the service account's privileges. Restricting who holds cloudbuild.builds.create through Google Cloud Identity and Access Management (IAM) is therefore the key control for preventing exploitation.


In response, Google removed the logging.privateLogEntries.list permission from the default Cloud Build service account, which closes the specific log-reading step of the disclosed chain. This change does not fully eliminate the risk: the default service account still carries other privileges, and anyone holding cloudbuild.builds.create can still run builds under it.


Suggested remediation:

1. If Cloud Build (the Cloud Build API) is not used, confirm that the API is disabled and that the associated default service account is disabled or removed.

2. If the service is used, verify that logging.privateLogEntries.list no longer appears in the permissions effectively granted to the Cloud Build service account, and review every principal that holds cloudbuild.builds.create, removing the permission wherever it is not strictly required.
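The following script is an added example (not code from the original page, from the researchers, or from Google) that performs the two checks above offline against a project IAM policy. It reads the same JSON shapes that `gcloud projects get-iam-policy PROJECT_ID --format=json` (the policy) and `gcloud iam roles describe ROLE --format=json` (a role's `includedPermissions`) produce, so the constructed sample data in the block can be swapped for real exports. The project number, principals, and role contents are constructed for illustration; the role-to-permission map in particular is a stand-in and must be regenerated from `gcloud iam roles describe` before the output is trusted, since Google's predefined roles change over time (Google's fix is exactly such a change).

```python
"""Offline audit for the two IAM permissions behind Bad.Build.

Input shapes match what gcloud emits:
  gcloud projects get-iam-policy PROJECT_ID --format=json   -> policy
  gcloud iam roles describe ROLE --format=json             -> role ("includedPermissions")
All data below is constructed for this example; the role contents are a
stand-in, not an authoritative copy of Google's predefined roles.
"""
from collections import defaultdict

BUILD_CREATE = "cloudbuild.builds.create"
PRIVATE_LOGS = "logging.privateLogEntries.list"

# Constructed sample project. The default Cloud Build service account is named
# PROJECT_NUMBER@cloudbuild.gserviceaccount.com.
PROJECT_NUMBER = "123456789012"
CLOUD_BUILD_SA = f"serviceAccount:{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"

# Constructed policy. The privateLogViewer binding models a project where the
# Cloud Build SA was (re)granted private log access, so the check has something to flag.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "constructed-etag",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": [CLOUD_BUILD_SA]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:dev@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/logging.privateLogViewer",
         "members": [CLOUD_BUILD_SA]},
        {"role": "roles/viewer",
         "members": ["group:auditors@example.com"]},
    ],
}

# Constructed stand-in for `gcloud iam roles describe` output, trimmed to the
# permissions that matter here.
SAMPLE_ROLES = {
    "roles/owner": {"includedPermissions": [
        BUILD_CREATE, PRIVATE_LOGS, "resourcemanager.projects.setIamPolicy"]},
    "roles/cloudbuild.builds.builder": {"includedPermissions": [
        BUILD_CREATE, "artifactregistry.repositories.uploadArtifacts"]},
    "roles/cloudbuild.builds.editor": {"includedPermissions": [
        BUILD_CREATE, "cloudbuild.builds.get"]},
    "roles/logging.privateLogViewer": {"includedPermissions": [
        PRIVATE_LOGS, "logging.logEntries.list"]},
    "roles/viewer": {"includedPermissions": ["cloudbuild.builds.get"]},
}


def principals_with_permission(policy, roles, permission):
    """Map each principal holding `permission` through any binding to the roles granting it.

    A role missing from `roles` is treated as granting nothing, so an incomplete
    role map can only under-report; refresh it from gcloud first. Bindings with
    an IAM condition are reported as if unconditional (over-reporting is the
    safer failure mode for an audit).
    """
    found = defaultdict(set)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if permission in roles.get(role, {}).get("includedPermissions", []):
            for member in binding.get("members", []):
                found[member].add(role)
    return {member: sorted(granted) for member, granted in found.items()}


def audit(policy, roles, cloud_build_sa):
    """Return the Bad.Build findings for one project-level policy."""
    creators = principals_with_permission(policy, roles, BUILD_CREATE)
    log_readers = principals_with_permission(policy, roles, PRIVATE_LOGS)
    return {
        # Every principal that can submit a build, i.e. run code as the Cloud Build SA.
        "build_creators": creators,
        # Roles that still give the Cloud Build SA logging.privateLogEntries.list;
        # expected to be empty once Google's fix and any custom grants are accounted for.
        "cloud_build_sa_private_logs": log_readers.get(cloud_build_sa, []),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, SAMPLE_ROLES, CLOUD_BUILD_SA)
    print("Principals holding", BUILD_CREATE)
    for member, granted in sorted(report["build_creators"].items()):
        print(f"  {member}: {', '.join(granted)}")
    if report["cloud_build_sa_private_logs"]:
        print(f"Cloud Build SA still holds {PRIVATE_LOGS} via:",
              ", ".join(report["cloud_build_sa_private_logs"]))
    else:
        print(f"Cloud Build SA does not hold {PRIVATE_LOGS}")
```

Run it as-is to see the sample findings, or replace SAMPLE_POLICY and SAMPLE_ROLES with the gcloud exports for a real project. The script only evaluates the project-level policy; bindings inherited from a folder or organization have to be exported and checked the same way, and the Cloud Build SA listed in the `build_creators` output is expected (the service needs it to run), whereas every other principal in that list is a candidate for removal under step 2.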

#PCI #PCI DSS #Compliance #Google Cloud #GCP