wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

[Contribution] Google Cloud Chronicle shared service account allowed cross-customer bucket access #244

Closed jacks-reid closed 4 months ago

jacks-reid commented 11 months ago

Summary (give a brief description of the issue)

Customers can configure Chronicle to ingest data from customer-owned Cloud Storage buckets using an ingestion feed. Until recently, Chronicle provided a shared service account that customers used to grant permission to the bucket. Because different customers gave the same Chronicle service account permission to their bucket, an exploitation vector existed that allowed one customer's feed to access a different customer's bucket when a feed was being created or modified. This exploitation vector required knowledge of the bucket URI. Now, during feed creation or modification, Chronicle uses unique service accounts for each customer.

After performing an impact analysis, Google Cloud found no current or prior exploitation of this vulnerability. The vulnerability was present in all versions of Chronicle prior to Sept 19, 2023.

References (provide links to blogposts, etc.)

https://cloud.google.com/support/bulletins#gcp-2023-028
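The trust relationship the bulletin describes, modelled as an added example that is not code from Google, Chronicle or this project: every customer grants the Chronicle ingestion principal on its own bucket, and the feed check only asks whether that principal may read the bucket URI it was given, so a single shared principal authorizes a feed against any other customer's bucket while per-customer principals do not. Bucket policies use the bindings shape of `gcloud storage buckets get-iam-policy --format=json`; the service-account names and bucket URIs are constructed placeholders.

```python
# Constructed placeholders, not Google's real Chronicle identities.
SHARED_SA = "serviceAccount:chronicle-shared@example-placeholder.iam.gserviceaccount.com"
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.legacyBucketReader"}


def bucket_policy(member):
    """Constructed IAM policy granting one member read access on a bucket."""
    return {"bindings": [{"role": "roles/storage.objectViewer", "members": [member]}]}


def can_read(policy, principal):
    """True if any binding grants `principal` a role that permits reading objects."""
    return any(b["role"] in READ_ROLES and principal in b["members"]
               for b in policy["bindings"])


def feed_reads_bucket(customer, bucket_uri, buckets, principal_for):
    """Feed creation: the bucket at bucket_uri is read as the principal assigned to `customer`.
    The customer supplies the URI, so only the bucket's own policy stands between tenants."""
    return can_read(buckets[bucket_uri], principal_for(customer))


def shared_principal(customer):
    return SHARED_SA  # pre-fix: one identity for every customer


def per_customer_principal(customer):
    return f"serviceAccount:chronicle-{customer}@example-placeholder.iam.gserviceaccount.com"


def scenario(principal_for):
    """Return (own-bucket read allowed, other customer's bucket read allowed) for customer-a."""
    buckets = {
        "gs://customer-a-logs": bucket_policy(principal_for("customer-a")),
        "gs://customer-b-logs": bucket_policy(principal_for("customer-b")),
    }
    own = feed_reads_bucket("customer-a", "gs://customer-a-logs", buckets, principal_for)
    cross = feed_reads_bucket("customer-a", "gs://customer-b-logs", buckets, principal_for)
    return own, cross


def stale_shared_bindings(policy):
    """Audit helper: roles a bucket still grants to the retired shared principal."""
    return [b["role"] for b in policy["bindings"] if SHARED_SA in b["members"]]


if __name__ == "__main__":
    print("shared principal (own, cross):", scenario(shared_principal))
    print("per-customer principal (own, cross):", scenario(per_customer_principal))
```

`stale_shared_bindings` is the check a bucket owner would run over a real policy after the fix, once the shared identity is no longer what Chronicle presents.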