Product Status: L1 Terminal Fault

Google Chrome OS (Chromebooks, etc.)

The vast majority of Chrome OS users are unaffected because Chrome OS currently uses virtualization only for running Linux App Containers (aka Termina), which is under development and only available in Beta, Dev, and Canary update channels of Chrome OS.

To check the update status for your specific model,

see this page .

Users who don't use the Linux apps feature don't need to take action at this point.

Beta, Dev, and Canary users concerned about the attack may temporarily stop using Linux App Containers.

Beta, Dev, and Canary users will receive updates as soon as possible through the auto-update mechanism. The status page will be updated to reflect when fixes are available.

Chrome OS 69 Stable will ship with all necessary fixes for safe usage of Linux App Containers.

Google Search Appliance

Google Search Appliance runs only trusted code from Google and is not at risk.

Google Wifi / OnHub

Google Wifi and OnHub run only trusted code from Google and are not at risk.

Google Cloud Dataproc

The infrastructure that runs Google Cloud Dataproc clusters and isolates customer workloads from each other is protected against known attacks.

Cloud Dataproc customers who run multiple, untrusted workloads on the same Cloud Dataproc cluster are vulnerable. In this environment, it may be possible for a malicious workload to observe the memory of the other workloads running on the same VM or for the malicious workload to observe the memory of the guest operating system.

Cloud Dataproc customers who run multiple, untrusted workloads on the same Cloud Dataproc cluster should update these shared clusters to patched images. Customers should subscribe to Dataproc release notes to get notified when patched images are available.

For customers who deploy ephemeral Dataproc clusters on-demand, using the default latest image or specifying a <major>.<minor> image version, new cluster deployments will automatically use the newest patched images as soon as they become available, and no additional customer action is needed.

Customers who have long-lived Dataproc clusters or pin to a specific <major>.<minor>.<patch> version number should unpin and/or redeploy to use the latest patched images.

Google Cloud Functions

The infrastructure that runs Google Cloud Functions and isolates customer execution environments from each other is not at risk.

Google Cloud SQL

The infrastructure that runs Google Cloud SQL isolates database instances from each other is protected against known attacks.

Google Compute Engine

The infrastructure that runs Compute Engine and isolates customer workloads from each other is protected against known attacks.

Compute Engine customers running multi-tenant workloads on a single VM may be vulnerable. In this environment, it may be possible for one tenant to observe the memory of other tenants or the guest operating system itself.

Compute Engine customers running multi-tenant workloads on the same VM should prioritize patching those environments, but as always, all Compute Engine customers are encouraged to follow security best practices when it comes to keeping runtime environments patched and protected against known security vulnerabilities.

See the Compute Engine security bulletin page for guidance on updating your Compute Engine VMs, the list of patched image versions, and links to additional information from operating system providers.

Google Kubernetes Engine

The infrastructure that runs Kubernetes Engine and isolates customer Clusters and Nodes from each other is protected against known attacks.

Kubernetes Engine customers running containers from different customers on the same GKE Node are vulnerable. In this environment, it may be possible for one container to observe the memory of other containers on the same Node or the Node environment itself.

Kubernetes Engine customers running containers from different customers on the same GKE Node should prioritize updating those environments.

Kubernetes Engine customers who use our Container-Optimized OS image, and who have autoupgrade enabled, will be automatically updated to patched versions of our COS image as they become available starting the week of 2018-08-20.

Kubernetes Engine customers who do not have autoupgrade enabled should consider manually upgrading as patched versions of our COS image become available.

See the Kubernetes Engine security bulletin for additional information.