On today’s reason why organisations should remember that the cloud is just someone else’s servers and should be treated as such:
The team at Wiz.io discovered, by accident, that they could attach other customers' virtual disks simply by specifying the OCID (Oracle's unique identifier) of another disk. OCIDs aren't considered 'secrets'.
And on today's reason why data protection is still key in the cloud: you could get read AND write access to these disks, thereby compromising all guarantees of data integrity for your virtual disks.
I must say I don't know what deserves highlighting more: that this vulnerability existed and was discovered by accident, or that Oracle fixed it in under 24 hours. Both are impressive.
I'm not going to attempt to re-write what is already a brilliant write-up by the Wiz team, so for further reading you can see their report here:
As a closing comment, however: since this was due to an Oracle API not performing permission verification of requests, it was patched centrally and no customer intervention is required.
You'll likely hear more about this over the coming days under its name, #AttachMe.
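To make the root cause concrete, here is an added illustration (not Oracle's code and not from the Wiz report) of a toy attach-volume handler that authorises the caller's instance but trusts the volume OCID as given, beside a hardened version that authorises every resource named in the request; the OCIDs and tenancy names are constructed placeholders.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a request names a resource the caller is not allowed to use."""


@dataclass(frozen=True)
class Resource:
    ocid: str      # the (non-secret) identifier the API accepts from the caller
    tenancy: str   # the tenancy that actually owns the resource


# Constructed sample inventory; these OCIDs are made-up placeholders, not real identifiers.
VOLUMES = {
    "ocid1.volume.oc1..EXAMPLE-a": Resource("ocid1.volume.oc1..EXAMPLE-a", "tenant-a"),
    "ocid1.volume.oc1..EXAMPLE-b": Resource("ocid1.volume.oc1..EXAMPLE-b", "tenant-b"),
}
INSTANCES = {
    "ocid1.instance.oc1..EXAMPLE-a": Resource("ocid1.instance.oc1..EXAMPLE-a", "tenant-a"),
}


def attach_volume_unchecked(caller_tenancy, instance_ocid, volume_ocid):
    """Weak handler: authorises the instance but trusts the volume OCID as given."""
    instance = INSTANCES[instance_ocid]
    if instance.tenancy != caller_tenancy:
        raise AuthorizationError("instance not authorised")
    volume = VOLUMES[volume_ocid]  # ownership of the volume is never checked
    return {"instance": instance.ocid, "volume": volume.ocid, "access": "read-write"}


def attach_volume_checked(caller_tenancy, instance_ocid, volume_ocid):
    """Hardened handler: every resource named in the request is authorised for the caller."""
    instance = INSTANCES.get(instance_ocid)
    volume = VOLUMES.get(volume_ocid)
    # "Unknown" and "not yours" get the same answer, so the error cannot confirm an OCID exists.
    if instance is None or instance.tenancy != caller_tenancy:
        raise AuthorizationError("instance not found or not authorised")
    if volume is None or volume.tenancy != caller_tenancy:
        raise AuthorizationError("volume not found or not authorised")
    return {"instance": instance.ocid, "volume": volume.ocid, "access": "read-write"}


def cross_tenant_attach_allowed(handler):
    """True if `handler` lets tenant-a attach tenant-b's volume to tenant-a's own instance."""
    try:
        handler("tenant-a", "ocid1.instance.oc1..EXAMPLE-a", "ocid1.volume.oc1..EXAMPLE-b")
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    print("unchecked handler allows cross-tenant attach:", cross_tenant_attach_allowed(attach_volume_unchecked))
    print("checked handler allows cross-tenant attach:  ", cross_tenant_attach_allowed(attach_volume_checked))
```

The point for defenders is that a resource identifier in a request is untrusted input like any other: authorisation has to be evaluated per resource, not just per caller.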