Oracle Cloud Infrastructure - #AttachMe Cross-Tenant Vulnerability Identified & Patched

  • 20 September 2022


On today’s reason why organisations should remember that the cloud is just someone else’s servers and should be treated as such:

The team at Wiz.io discovered accidentally that they could attach virtual disks of other customers, just by specifying the OCID (Oracle’s unique identifier) of another disk. OCIDs aren’t considered ‘secrets’.

And on today’s reason why data protection is still key in the cloud: you could get read AND write access to these disks, thereby compromising all guarantees of data integrity for your virtual disks.


I must say I don’t know what deserves highlighting more: that this vulnerability existed and was discovered by accident, or that Oracle fixed the vulnerability in under 24 hours. Both are impressive.


I’m not going to attempt to re-write what is already a brilliant write up by the Wiz team, so for further reading you can see their report here:


https://www.wiz.io/blog/attachme-oracle-cloud-vulnerability-allows-unauthorized-cross-tenant-volume-access


As a closing comment, however: as this was due to an Oracle API not performing permission verification of requests, this was centrally patched and no customer intervention is required.

You’ll likely hear more about this over the coming days under its name #AttachMe
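To make the root cause concrete, here is an added toy model of a block-volume control plane (example code written for this thread, not Oracle's or Wiz's code). It puts the vulnerable pattern the post describes (an attach call that resolves the volume by its OCID and checks only that it exists) next to the hardened form that verifies every object named in the request belongs to the caller's tenancy, and records an audit line on denial so that a cross-tenant attempt is detectable. The OCID values, tenancy names and the `ControlPlane` class are all constructed for the example.

```python
"""Constructed model of a cloud volume-attach API, written for this thread.

The point: an identifier such as an OCID is not a secret, so the server must
authorise the caller for every resource the request names, not merely check
that the resource exists.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Volume:
    ocid: str          # unique identifier; assume it can be discovered or guessed
    tenancy: str       # tenancy that owns the volume


@dataclass(frozen=True)
class Instance:
    ocid: str
    tenancy: str


@dataclass(frozen=True)
class Caller:
    principal: str
    tenancy: str


class AuthorizationError(PermissionError):
    """Raised when the caller is not authorised for a resource in the request."""


@dataclass
class ControlPlane:
    volumes: dict[str, Volume] = field(default_factory=dict)
    instances: dict[str, Instance] = field(default_factory=dict)
    attachments: list[tuple[str, str]] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)

    def attach_volume_unchecked(self, caller: Caller, instance_ocid: str, volume_ocid: str) -> bool:
        """Vulnerable pattern: existence checks only. The volume's owner is never compared
        with the caller, so any valid OCID from any tenancy can be attached."""
        instance = self.instances[instance_ocid]   # KeyError if unknown
        volume = self.volumes[volume_ocid]         # KeyError if unknown
        self.attachments.append((instance.ocid, volume.ocid))
        return True

    def attach_volume(self, caller: Caller, instance_ocid: str, volume_ocid: str) -> bool:
        """Hardened form: the caller must be authorised for BOTH the instance and the volume.
        Missing and foreign resources get the same generic denial so the response does
        not confirm whether a foreign OCID exists."""
        instance = self.instances.get(instance_ocid)
        volume = self.volumes.get(volume_ocid)
        authorised = (
            instance is not None
            and volume is not None
            and instance.tenancy == caller.tenancy
            and volume.tenancy == caller.tenancy
        )
        if not authorised:
            # audit record for detection: who tried to attach what, from which tenancy
            self.audit.append(
                f"DENY attach principal={caller.principal} tenancy={caller.tenancy} "
                f"instance={instance_ocid} volume={volume_ocid}"
            )
            raise AuthorizationError("not authorized or not found")
        self.attachments.append((instance.ocid, volume.ocid))
        self.audit.append(f"ALLOW attach principal={caller.principal} volume={volume_ocid}")
        return True


# Constructed sample data: an instance in tenancy A and a volume owned by tenancy B.
INSTANCE_A = "ocid1.instance.oc1..EXAMPLEINSTANCEA"
VOLUME_A = "ocid1.volume.oc1..EXAMPLEVOLUMEA"
VOLUME_B = "ocid1.volume.oc1..EXAMPLEVOLUMEB"


def build_demo_plane() -> ControlPlane:
    cp = ControlPlane()
    cp.instances[INSTANCE_A] = Instance(INSTANCE_A, "tenancy-a")
    cp.volumes[VOLUME_A] = Volume(VOLUME_A, "tenancy-a")
    cp.volumes[VOLUME_B] = Volume(VOLUME_B, "tenancy-b")
    return cp


def cross_tenant_attach(checked: bool) -> bool:
    """A caller from tenancy A asks to attach tenancy B's volume. Returns True if the
    control plane allowed it."""
    cp = build_demo_plane()
    caller = Caller("user@tenancy-a", "tenancy-a")
    fn = cp.attach_volume if checked else cp.attach_volume_unchecked
    try:
        return fn(caller, INSTANCE_A, VOLUME_B)
    except AuthorizationError:
        return False


def same_tenant_attach() -> bool:
    """The legitimate case still works under the hardened check."""
    cp = build_demo_plane()
    return cp.attach_volume(Caller("user@tenancy-a", "tenancy-a"), INSTANCE_A, VOLUME_A)


def denial_is_audited() -> bool:
    cp = build_demo_plane()
    try:
        cp.attach_volume(Caller("user@tenancy-a", "tenancy-a"), INSTANCE_A, VOLUME_B)
    except AuthorizationError:
        pass
    return any(line.startswith("DENY attach") and VOLUME_B in line for line in cp.audit)


if __name__ == "__main__":
    print("unchecked API allows cross-tenant attach:", cross_tenant_attach(checked=False))
    print("hardened API allows cross-tenant attach: ", cross_tenant_attach(checked=True))
    print("hardened API allows own volume:          ", same_tenant_attach())
```

The hardened version is the shape of the server-side fix the post refers to: it is enforced per request in the control plane, which is why a fix of this kind can be rolled out centrally with no customer action. The DENY audit line is the sort of signal a provider (or an organisation reviewing its own API gateway) would want to alert on.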


4 comments


serious security breach 😱, thx for sharing @MicoolPaul ;)


Amazing that the big cloud vendors can have vulnerabilities too. Thanks for sharing this as it was an interesting read for sure.


Such incidents make you lose trust in public clouds or shared environments. Never should anyone besides you be able to access your data. Fortunately they've fixed it very fast and hopefully this was never used by any bad actors.


Makes you wonder what other vulnerabilities have still not come to light. Also worth encrypting disks where possible so even if some unauthorised party got hold of it, they would not be able to access the data. Thanks for sharing @MicoolPaul
