Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure (Security News, September 2022)
Researchers have disclosed a severe vulnerability in Oracle Cloud Infrastructure that could have let any user of the service read and write the virtual disks of other Oracle customers.
"Each virtual disk in Oracle's cloud has a unique identifier called OCID," Shir Tamari, head of research at Wiz, said in a series of tweets.
"Given the OCID of a victim's disk that is not currently attached to an active server or configured as shareable, an attacker could 'attach' to it and obtain read/write over it," Tamari added.
The cloud security firm, which dubbed the tenant isolation vulnerability "AttachMe," said Oracle patched the issue within 24 hours of responsible disclosure on June 9, 2022.
At its core, the vulnerability came down to the fact that a disk could be attached to a compute instance in a different account by supplying only its Oracle Cloud Identifier (OCID), with no check that the requesting account was authorized to use that disk.
"Insufficient validation of user permissions is a common bug class among cloud service providers," Wiz researcher Elad Gabay said.
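To make that bug class concrete, here is an added illustration that is not part of the article and not Oracle's code: a toy volume-attach handler that trusts the OCID alone, beside one that verifies the caller's tenancy owns both the volume and the target instance before touching any state. All OCIDs and tenancy names are constructed, and an instance is modelled as a plain (ocid, tenancy) tuple.

```python
# Constructed example, not Oracle's code; all OCIDs and tenancy names are made up.
from dataclasses import dataclass, field

@dataclass
class Volume:
    ocid: str
    tenancy: str
    shareable: bool = False
    attached_to: set = field(default_factory=set)

class AuthorizationError(Exception):
    pass

def make_inventory():
    """Constructed inventory: one unattached, non-shareable volume per tenant."""
    return {v.ocid: v for v in (
        Volume("ocid1.volume.oc1..victim000001", "victim-tenancy"),
        Volume("ocid1.volume.oc1..attacker0001", "attacker-tenancy"),
    )}

def attach_vulnerable(volumes, caller_tenancy, instance, volume_ocid):
    """Attach by OCID only: knowing the identifier is the sole requirement,
    so a volume in another tenancy is attached without objection."""
    vol = volumes[volume_ocid]
    if vol.attached_to and not vol.shareable:
        raise ValueError("volume already attached")
    vol.attached_to.add(instance[0])  # instance is (ocid, tenancy)
    return vol

def attach_fixed(volumes, caller_tenancy, instance, volume_ocid):
    """Authorize before touching state: volume and target instance must both belong
    to the caller's tenancy. Unknown and foreign volumes share one error message."""
    inst_ocid, inst_tenancy = instance
    vol = volumes.get(volume_ocid)
    if vol is None or vol.tenancy != caller_tenancy or inst_tenancy != caller_tenancy:
        raise AuthorizationError("volume not found or not authorized")
    if vol.attached_to and not vol.shareable:
        raise ValueError("volume already attached")
    vol.attached_to.add(inst_ocid)
    return vol

def cross_tenant_attach_allowed(handler):
    """Attempt a cross-tenant attach through handler; True if it went through."""
    volumes = make_inventory()
    other = ("ocid1.instance.oc1..attacker0001", "attacker-tenancy")
    try:
        handler(volumes, "attacker-tenancy", other, "ocid1.volume.oc1..victim000001")
    except AuthorizationError:
        return False
    return True
```

The fixed handler also refuses a foreign volume with the same error it gives for an unknown OCID, so the response does not confirm that another tenant's resource exists.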
News URL: https://thehackernews.com/2022/09/researchers-disclose-critical.html