'CloudImposer' Flaw in Google Cloud Affected Millions of Servers
A remote code execution (RCE) vulnerability, named "CloudImposer," was discovered in Google Cloud Platform's (GCP) Cloud Composer service by researchers at Tenable. This flaw could have allowed attackers to execute a supply chain attack on millions of customer cloud servers by deploying a single malicious Python package. The vulnerability exploited a technique known as dependency confusion, which occurs when a package installer mistakenly pulls a malicious package from a public repository instead of the intended internal one. Google has since patched the flaw and updated its documentation to recommend safer practices for handling Python package dependencies. Customers are advised to review their environments and ensure they are not using the pip `--extra-index-url` argument, which could leave them vulnerable to such attacks. Google has also implemented Tenable's suggestion to use the GCP Artifact Registry's virtual repository to control the Python package manager's search order more safely. There is no evidence that the CloudImposer vulnerability was ever exploited, and Google's internal tests suggest that the exploit code would not have run in customer environments due to integration test failures. [View Article](https://www.darkreading.com/cloud-security/cloudimposer-flaw-google-cloud-affected-millions-servers)
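The recommended review, as an added example that is not code from Tenable, Google or the article: a small audit that flags `--extra-index-url` in a requirements file or `pip.conf`, shown next to the single-index layout the advice points to. The sample files are constructed and the `pkg.dev` hostnames are placeholders, not real projects.

```python
"""Flag pip configurations exposed to dependency confusion (added example).
Sample files are constructed; the pkg.dev hostnames are placeholders."""
import configparser
import shlex

# Constructed risky layout: PyPI plus a private index via --extra-index-url.
# pip treats both indexes as equal and installs the highest version it finds,
# so a public package that reuses an internal name can win the resolution.
RISKY_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://PLACEHOLDER-python.pkg.dev/my-project/private/simple/
internal-utils==1.4.0
requests>=2.31
"""

# Constructed safer layout: one index-url pointing at an Artifact Registry
# virtual repository, which applies a fixed priority between the private
# repository and its PyPI upstream instead of letting pip choose by version.
SAFE_PIP_CONF = """\
[global]
index-url = https://PLACEHOLDER-python.pkg.dev/my-project/virtual/simple/
"""


def audit_requirements(text: str) -> list[str]:
    """Return one finding per requirements line that adds an extra index."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("-"):
            continue  # a requirement specifier, not a pip option line
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok == "--extra-index-url" and i + 1 < len(tokens):
                findings.append(f"line {lineno}: --extra-index-url {tokens[i + 1]}")
            elif tok.startswith("--extra-index-url="):
                findings.append(f"line {lineno}: {tok}")
    return findings


def audit_pip_conf(text: str) -> list[str]:
    """Return one finding per pip.conf section that sets extra-index-url."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return [f"[{s}] extra-index-url = {cfg.get(s, 'extra-index-url')}"
            for s in cfg.sections() if cfg.has_option(s, "extra-index-url")]
```

A clean result from both functions means every install resolves against one index whose search order is fixed server-side; a finding points at the line to replace with a single `index-url`.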