Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data

A new security flaw has been disclosed in Google Cloud Platform's Cloud SQL service that could potentially be exploited to obtain access to confidential data.
"The vulnerability could have enabled a malicious actor to escalate from a basic Cloud SQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition to customer data," Israeli cloud security firm Dig said.
Cloud SQL is a fully managed solution for building MySQL, PostgreSQL, and SQL Server databases for cloud-based applications.
In a nutshell, the multi-stage attack chain identified by Dig leveraged a gap in the cloud platform's security layer associated with SQL Server to escalate a user's privileges to those of an administrator role.
"Gaining access to internal data like secrets, URLs, and passwords can lead to exposure of cloud providers' data and customers' sensitive data which is a major security incident," Dig researchers Ofir Balassiano and Ofir Shaty said.
The disclosure comes as Google announced the availability of its Automatic Certificate Management Environment API for all Google Cloud users to automatically acquire and renew TLS certificates for free.
News URL
https://thehackernews.com/2023/05/severe-flaw-in-google-clouds-cloud-sql.html