Critical Vulnerability in Oracle Cloud Infrastructure Allowed Unauthorized Access
A vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed unauthorized access to the cloud storage volumes of any OCI customer, breaking the isolation between tenants.
The flaw, discovered by cloud security researchers at Wiz in June and dubbed AttachMe, is described in a new advisory the company published today.
According to Wiz, Oracle patched the flaw for all OCI customers within 24 hours of being notified, with no customer action required.
However, in the technical write-up, Wiz senior software engineer Elad Gabay said that before it was patched, any OCI customer could have been targeted by an attacker who knew about the vulnerability.
“Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker had its Oracle Cloud Identifier (OCID), allowing sensitive data to be exfiltrated or more destructive attacks to be initiated by executable file manipulation,” Gabay explained.
According to the Wiz advisory, an attacker aware of the flaw could have used it for privilege escalation and for cross-tenant access.
“We consider both potential attack paths quite feasible given that OCIDs are generally not treated as secrets. Numerous OCIDs of both block volumes and boot volumes of various environments, including those of major companies, can be found via a simple online search.”
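As an added example (not code from Wiz or Oracle), the following Python script audits a tenancy's volume inventory against the two conditions the write-up names as reachable before the patch, volumes with no live attachment and volumes attached in multi-attach mode, and scans free text for the block and boot volume OCIDs that an attacker needed. It runs offline on constructed records shaped like the `data` arrays of the `oci bv volume list` and `oci compute volume-attachment list` CLI output; the kebab-case field names such as `is-shareable` are assumed from the CLI's rendering of the API model, and every OCID in the sample data is fictional. The flaw is fixed, so this is a hygiene baseline rather than a detector for the vulnerability: it shows which volumes a leaked OCID would have exposed, and how easily volume OCIDs can be picked out of text.

```python
"""Inventory check for the AttachMe exposure conditions.

Added example, not code from Wiz or Oracle. Runs offline on constructed
records shaped like the `oci bv volume list` and
`oci compute volume-attachment list` CLI JSON ("data" arrays); kebab-case
field names such as "is-shareable" are assumed from the CLI's rendering of
the API model. All OCIDs below are fictional.
"""
import re

# OCID grammar: ocid1.<resource type>.<realm>.[region].<unique id>.
# Only block volumes ("volume") and boot volumes ("bootvolume") are matched,
# since those were the resource types reachable with a bare OCID.
VOLUME_OCID_RE = re.compile(
    r"\bocid1\.(?P<type>volume|bootvolume)\.(?P<realm>oc\d+)"
    r"\.(?P<region>[a-z0-9-]*)\.(?P<uid>[a-z0-9]+)\b"
)

# Constructed sample data with fictional OCIDs.
SAMPLE_VOLUMES = [
    {"id": "ocid1.volume.oc1.phx.aaaa1111", "display-name": "db-data", "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1.phx.bbbb2222", "display-name": "shared-scratch", "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1.phx.cccc3333", "display-name": "old-backup", "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1.phx.eeee5555", "display-name": "retired", "lifecycle-state": "TERMINATED"},
    {"id": "ocid1.bootvolume.oc1.phx.dddd4444", "display-name": "web-01 (Boot Volume)", "lifecycle-state": "AVAILABLE"},
]
SAMPLE_ATTACHMENTS = [
    {"volume-id": "ocid1.volume.oc1.phx.aaaa1111", "instance-id": "ocid1.instance.oc1.phx.inst0001",
     "lifecycle-state": "ATTACHED", "is-shareable": False},
    {"volume-id": "ocid1.volume.oc1.phx.bbbb2222", "instance-id": "ocid1.instance.oc1.phx.inst0001",
     "lifecycle-state": "ATTACHED", "is-shareable": True},
    {"volume-id": "ocid1.volume.oc1.phx.bbbb2222", "instance-id": "ocid1.instance.oc1.phx.inst0002",
     "lifecycle-state": "ATTACHED", "is-shareable": True},
    # A DETACHED attachment record does not count as a live attachment.
    {"volume-id": "ocid1.volume.oc1.phx.cccc3333", "instance-id": "ocid1.instance.oc1.phx.inst0002",
     "lifecycle-state": "DETACHED", "is-shareable": False},
    # Boot volume attachments carry "boot-volume-id" instead of "volume-id".
    {"boot-volume-id": "ocid1.bootvolume.oc1.phx.dddd4444", "instance-id": "ocid1.instance.oc1.phx.inst0003",
     "lifecycle-state": "ATTACHED"},
]


def find_volume_ocids(text):
    """Distinct block/boot volume OCIDs found in free text (a pasted config,
    a Terraform state file, a public repo). OCIDs are not secrets, but a
    leaked volume OCID was the only thing the attack needed."""
    return sorted({m.group(0) for m in VOLUME_OCID_RE.finditer(text)})


def classify_volumes(volumes, attachments):
    """Map each non-terminated volume OCID to its exposure class:
    'unattached'    no ATTACHED record: reachable by OCID before the patch
    'multi-attach'  attached with is-shareable true: also reachable
    'single-attach' exclusively attached: outside the pre-patch attack surface
    """
    live = {}
    for att in attachments:
        if att.get("lifecycle-state") != "ATTACHED":
            continue
        vol_id = att.get("volume-id") or att.get("boot-volume-id")
        live.setdefault(vol_id, []).append(att)
    classes = {}
    for vol in volumes:
        if vol.get("lifecycle-state") == "TERMINATED":
            continue
        atts = live.get(vol["id"], [])
        if not atts:
            classes[vol["id"]] = "unattached"
        elif any(a.get("is-shareable", False) for a in atts):
            classes[vol["id"]] = "multi-attach"
        else:
            classes[vol["id"]] = "single-attach"
    return classes


def exposed_volumes(volumes, attachments):
    """OCIDs in the two classes the write-up describes as reachable."""
    return sorted(v for v, c in classify_volumes(volumes, attachments).items()
                  if c in ("unattached", "multi-attach"))


if __name__ == "__main__":
    for vol_id, cls in classify_volumes(SAMPLE_VOLUMES, SAMPLE_ATTACHMENTS).items():
        print(f"{cls:13} {vol_id}")
    leaked = find_volume_ocids("runbook: restore from ocid1.volume.oc1.phx.cccc3333 "
                               "onto ocid1.instance.oc1.phx.inst0002")
    print("volume OCIDs in text:", leaked)
```

To run it against a real tenancy, replace the sample lists with the `data` arrays from `oci bv volume list --compartment-id <ocid> --all` and `oci compute volume-attachment list --compartment-id <ocid> --all` (and the boot-volume equivalents). The "unattached" class is where forgotten backups and scratch volumes tend to accumulate, which is why an inventory like this is worth keeping even though the cross-tenant path is closed.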
Gabay said the bug shows how critical tenant isolation is to any cloud platform.
“Customers expect that their data isn’t accessible by other customers. Yet, cloud isolation vulnerabilities break the walls between tenants,” Gabay said. “This highlights the crucial importance of proactive cloud vulnerability research, responsible disclosure, and public tracking of cloud vulnerabilities to cloud security.”
More information about the patched Oracle vulnerability, including a technical demonstration, is available in Wiz’s technical post.
The disclosure comes days after a report by Snyk revealed almost 80% of organizations suffered a “severe” cloud security incident over the course of the last 12 months.