
## Issue

**2024-07-03 Update**: Resolution status updated.

The [CVE-2024-6387](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387) vulnerability in the OpenSSH package was discovered recently. GKE clusters used by Cloud Composer environments are impacted by this vulnerability, and Cloud Composer 1 and 2 environments that use Public IP networking are especially vulnerable to the described issue. For more information about CVE-2024-6387, see [Google GKE Security bulletins](https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2024-040-gke).

* **Newly created** Composer environments should no longer be impacted by this issue.
* Composer-owned GKE clusters will be auto-upgraded to newer GKE versions that include the fix for [CVE-2024-6387](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387). Other components of Composer environments using older versions of [COS](https://cloud.google.com/compute/docs/security-bulletins#gcp-2024-040) images will also be upgraded. These operations will be done in an expedited manner, so some of the update operations might be done outside the environment's regular maintenance windows.

While Google works on resolving this issue so that Composer environments are immune to [CVE-2024-6387](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387), you can disallow SSH to the Cloud Composer cluster nodes by establishing proper firewall rules on the environment's cluster, as described in the Google GKE Security bulletins. Follow the [steps outlined for GKE](https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2024-040-gke).
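To confirm that SSH is actually closed on the environment's network, the following added example (not part of Google's bulletin) scans firewall rules exported as JSON and lists every enabled ingress allow rule that admits TCP port 22. The sample rules and their names are constructed, and the check assumes the rule fields of the Compute Engine firewall resource; it does not evaluate deny-rule priority or target tags.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# output; the rule and network names are hypothetical.
SAMPLE_RULES = json.loads("""
[
 {"name": "allow-ssh-any", "network": "composer-net", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-internal", "network": "composer-net", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["10.0.0.0/8"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}, {"IPProtocol": "udp"}]},
 {"name": "allow-https", "network": "composer-net", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "old-ssh", "network": "composer-net", "direction": "INGRESS",
  "disabled": true, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "all"}]}
]
""")

def covers_tcp_port(entry, port=22):
    """True if one `allowed` entry admits the given TCP port."""
    proto = entry.get("IPProtocol", "").lower()
    if proto not in ("tcp", "6", "all"):
        return False
    ports = entry.get("ports")
    if proto == "all" or not ports:      # no port list means every port
        return True
    ranges = (spec.partition("-") for spec in ports)   # "22" or "1-65535"
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def ssh_allow_rules(rules):
    """Enabled ingress allow rules that admit TCP/22, as (name, open_to_any)."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(covers_tcp_port(a) for a in rule.get("allowed", [])):
            continue
        # A source range with prefix length 0 (0.0.0.0/0 or ::/0) means any source.
        open_to_any = any(ipaddress.ip_network(r, strict=False).prefixlen == 0
                          for r in rule.get("sourceRanges", []))
        findings.append((rule["name"], open_to_any))
    return findings

if __name__ == "__main__":
    print(ssh_allow_rules(SAMPLE_RULES))
```

Rules reported with `open_to_any` set to `True` are the ones to address first on environments that use Public IP networking.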