Full Report
Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that's based on Apache Airflow. "This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which
Analysis Summary
# Vulnerability: Privilege Escalation in Google Cloud Composer (ConfusedComposer)
## CVE Details
- CVE ID: Not explicitly provided in the context.
- CVSS Score: Not explicitly provided in the context.
- CWE: Not explicitly provided in the context (the flaw is a form of improper access control leading to privilege escalation).
## Affected Systems
- Products: Google Cloud Platform (GCP) Cloud Composer environments (based on Apache Airflow).
- Versions: Cloud Composer 2 environments prior to version 2.10.2; Cloud Composer 3 environments are explicitly stated to *not* be impacted regarding this specific change.
- Configurations: Environments where the attacker has permission to edit the Cloud Composer environment (`composer.environments.update`).
## Vulnerability Description
This vulnerability, codenamed ConfusedComposer, is a privilege escalation flaw stemming from the way Cloud Composer handles the installation of custom Python Package Index (PyPI) packages. Attackers with edit permissions on a Cloud Composer environment could inject a malicious PyPI package. This package, when installed, could execute arbitrary code within the associated **Cloud Build** instance because the installation process was using the highly-privileged default Cloud Build service account. This grants the attacker elevated access to other GCP services like Cloud Storage and Artifact Registry. This issue is an example of the "Jenga concept," where security flaws are inherited across interconnected cloud services.
## Exploitation
- Status: No confirmed exploitation in the wild; the issue was patched before public reporting. A proof of concept likely exists with the reporting researchers (Tenable).
- Complexity: Medium (Requires edit permissions on the Composer environment and knowledge of PyPI package installation scripts).
- Attack Vector: Network (via environment modification).
## Impact
- Confidentiality: High (Potential to siphon sensitive data from Cloud Storage/Artifact Registry).
- Integrity: High (Potential to deploy malicious code within CI/CD pipelines).
- Availability: Medium/High (Potential to disrupt services).
## Remediation
### Patches
- Google addressed the issue by eliminating the use of the default **Cloud Build service account** for installing PyPI packages.
- The environment's existing service account is now used instead.
- Cloud Composer 2 environments in versions **2.10.2 and later** have this change applied (as of release notes dated January 15, 2025).
- Cloud Composer 3 environments are not impacted by this specific change.
### Workarounds
- While the article doesn't list vendor-provided workarounds, the core mitigation is ensuring Composer environments are running updated versions (2.10.2+). An immediate user action might involve reviewing and minimizing "edit" permissions on Composer environments if patching is delayed.
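The version boundary above (Composer 2 below 2.10.2 affected, 2.10.2 and later fixed, Composer 3 not impacted) is easy to check in bulk. The following is an added example, not code from the article, Tenable or Google: it parses the resolved image version string of each environment and reports the ones still in the affected range. The `config.softwareConfig.imageVersion` field path and the sample environment descriptions are assumptions modelled on `gcloud composer environments describe --format=json` output; anything the report does not cover (for example Composer 1 or an unresolved alias such as `composer-2-airflow-2`) is reported as unknown rather than as safe.

```python
import re
from typing import Optional

# Composer 2 release in which the default Cloud Build service account stopped
# being used for PyPI installs (stated in the report above).
FIXED_COMPOSER2_VERSION = (2, 10, 2)

# Resolved image versions look like "composer-2.9.7-airflow-2.9.3" or, for
# Composer 3, "composer-3-airflow-2.9.3-build.4" (no minor/patch on the composer part).
_IMAGE_RE = re.compile(r"^composer-(\d+)(?:\.(\d+)\.(\d+))?-airflow-")


def is_vulnerable_image(image_version: str) -> Optional[bool]:
    """True  -> Composer 2 build below 2.10.2 (affected)
    False -> Composer 2 at/after 2.10.2, or Composer 3 (not impacted per the report)
    None  -> not a resolved version or a major version the report does not cover."""
    m = _IMAGE_RE.match(image_version or "")
    if not m:
        return None
    major = int(m.group(1))
    if major == 3:
        return False
    if major != 2 or m.group(2) is None:
        return None  # Composer 1 etc. not covered; alias without minor/patch unresolved
    minor, patch = int(m.group(2)), int(m.group(3))
    return (major, minor, patch) < FIXED_COMPOSER2_VERSION


def classify_environments(environments: list) -> dict:
    """Group gcloud-style environment descriptions by status: affected, fixed, unknown."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for env in environments:
        # Field path assumed from the Composer API's Environment resource.
        image = env.get("config", {}).get("softwareConfig", {}).get("imageVersion", "")
        verdict = is_vulnerable_image(image)
        bucket = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        result[bucket].append(env.get("name", "<unnamed>"))
    return result


# Constructed sample in the shape of `gcloud composer environments describe` JSON
# output; project, names and versions are made up for this example.
SAMPLE_ENVIRONMENTS = [
    {"name": "projects/demo/locations/us-central1/environments/etl-prod",
     "config": {"softwareConfig": {"imageVersion": "composer-2.9.7-airflow-2.9.3"}}},
    {"name": "projects/demo/locations/us-central1/environments/etl-staging",
     "config": {"softwareConfig": {"imageVersion": "composer-2.10.2-airflow-2.9.3"}}},
    {"name": "projects/demo/locations/europe-west1/environments/reporting",
     "config": {"softwareConfig": {"imageVersion": "composer-3-airflow-2.9.3-build.4"}}},
    {"name": "projects/demo/locations/europe-west1/environments/legacy",
     "config": {"softwareConfig": {"imageVersion": "composer-1.20.12-airflow-2.4.3"}}},
]

if __name__ == "__main__":
    for status, names in classify_environments(SAMPLE_ENVIRONMENTS).items():
        print(f"{status}: {names}")
```

Environments listed under `unknown` should be checked by hand rather than treated as safe; the report only speaks to Composer 2 and Composer 3, so the script refuses to guess about anything else.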
## Detection
- Indicators of compromise would likely involve unusual activity originating from the Cloud Build service account within Cloud Storage or Artifact Registry, or unexpected code execution/package installations within the Composer environment's underlying infrastructure.
- Detection methods would focus on monitoring Cloud Build execution logs for anomalous processes spawned during PyPI package installation triggered by Composer environment updates.
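To make the detection idea above concrete, here is an added example (not from the article, Tenable or Google) that runs over constructed Cloud Audit Log entries in newline-delimited JSON. It flags the default Cloud Build service account (`PROJECT_NUMBER@cloudbuild.gserviceaccount.com`) touching Cloud Storage or Artifact Registry resources outside an allowlist of resources a normal build is expected to use, and for each hit names the Composer environment edit, and the identity that made it, that preceded the access within a time window. The audit-log field layout (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.serviceName`, `protoPayload.methodName`, `protoPayload.resourceName`) follows Cloud Audit Logs; the Composer method name suffix `UpdateEnvironment`, the allowlist prefix, the window length and all sample values are assumptions for this example.

```python
import json
import re
from datetime import datetime, timedelta

# Default Cloud Build service account: PROJECT_NUMBER@cloudbuild.gserviceaccount.com
CLOUD_BUILD_SA_RE = re.compile(r"^\d+@cloudbuild\.gserviceaccount\.com$")

# Services the report names as reachable with that account's privileges.
WATCHED_SERVICES = {"storage.googleapis.com", "artifactregistry.googleapis.com"}

# Hypothetical allowlist: resources the build account legitimately touches during
# a package install (the project's own Cloud Build staging bucket); tune per project.
EXPECTED_RESOURCE_PREFIXES = ("projects/_/buckets/demo-project_cloudbuild/",)

# Assumed window for attributing build-account activity to a preceding Composer edit.
CORRELATION_WINDOW = timedelta(minutes=30)


def _ts(entry: dict) -> datetime:
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def parse_entries(raw_lines) -> list:
    """Parse newline-delimited JSON audit entries; malformed lines are skipped."""
    entries = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def composer_updates(entries: list) -> list:
    """Composer environment edits: the action that needs composer.environments.update."""
    return [e for e in entries
            if e.get("protoPayload", {}).get("serviceName") == "composer.googleapis.com"
            and e.get("protoPayload", {}).get("methodName", "").endswith("UpdateEnvironment")]


def suspicious_build_sa_access(entries: list) -> list:
    """Return hits where the default Cloud Build SA reaches a watched service on a
    resource outside the allowlist, with the callers of any Composer edit that
    preceded the access inside CORRELATION_WINDOW."""
    updates = composer_updates(entries)
    hits = []
    for e in entries:
        p = e.get("protoPayload", {})
        principal = p.get("authenticationInfo", {}).get("principalEmail", "")
        if not CLOUD_BUILD_SA_RE.match(principal):
            continue
        if p.get("serviceName") not in WATCHED_SERVICES:
            continue
        resource = p.get("resourceName", "")
        if resource.startswith(EXPECTED_RESOURCE_PREFIXES):
            continue
        when = _ts(e)
        prior = [u for u in updates if timedelta(0) <= when - _ts(u) <= CORRELATION_WINDOW]
        hits.append({
            "time": e["timestamp"],
            "method": p.get("methodName"),
            "resource": resource,
            "preceded_by_edit_from": [
                u["protoPayload"]["authenticationInfo"]["principalEmail"] for u in prior],
        })
    return hits


def _entry(ts, principal, service, method, resource) -> str:
    """Build one constructed audit log line in Cloud Audit Logs shape."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": service, "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal}}})


BUILD_SA = "123456789012@cloudbuild.gserviceaccount.com"  # constructed project number

# Constructed sample log: an environment edit, an expected staging-bucket read,
# an unexpected read of a data bucket shortly after the edit, and an unrelated
# Artifact Registry call hours later with no edit in the window.
SAMPLE_LOG = "\n".join([
    _entry("2025-01-10T12:00:00Z", "dev@example.com", "composer.googleapis.com",
           "google.cloud.orchestration.airflow.service.v1.Environments.UpdateEnvironment",
           "projects/demo-project/locations/us-central1/environments/etl-prod"),
    _entry("2025-01-10T12:03:00Z", BUILD_SA, "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/demo-project_cloudbuild/objects/source/requirements.tgz"),
    _entry("2025-01-10T12:05:00Z", BUILD_SA, "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/customer-data/objects/export.csv"),
    _entry("2025-01-10T14:00:00Z", BUILD_SA, "artifactregistry.googleapis.com",
           "google.devtools.artifactregistry.v1.ArtifactRegistry.ListRepositories",
           "projects/demo-project/locations/us-central1/repositories"),
])

if __name__ == "__main__":
    for hit in suspicious_build_sa_access(parse_entries(SAMPLE_LOG.splitlines())):
        print(hit)
```

The allowlist is the part that needs care in practice: the default Cloud Build account legitimately reads the project's staging bucket and pushes to Artifact Registry, so a rule that fires on every access by that account is noise. Anchoring on resources the build has no reason to touch, and attributing each hit to the Composer edit that preceded it, turns the log into something a responder can act on.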
## References
- Vendor Advisory: Google Cloud Composer release notes (the article cites a January 15, 2025 release note and an April 13, 2025 fix date).
- Research Report: [tenable dot com slash blog slash confusedcomposer-a-privilege-escalation-vulnerability-impacting-gcp-composer] (Defanged)