Dear Support Team,
I hope this message finds you well.
I am writing to inquire about the responsibility for patching or updating the OpenSSH server to address potential vulnerabilities, specifically in relation to the recent regresshion CVE-2024-6387 issue. Could you please clarify whether it is the client’s responsibility to manage these updates, or if the GCP support team handles them?
Thank you for your assistance.
Best regards,
Hi Meiram,
I’m just a fellow GCP user like you. But from what can infer it depends on the type of the Cloud Services that GCP offers (IaaS, PaaS, etc.) The shared responsibility & shared fate model still applies https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate#shared_responsibility
In Compute Engine we (users) are obligated to update it as soon as the patch become available in Linux Distributions repo. So it is not GCP responsibility to do the update or make the updates available to you. https://cloud.google.com/compute/docs/security-bulletins#gcp-2024-040
While in GKE, GCP directly ask us to the follow the guidelines outlined here https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2024-040-gke
Regards,
Iza