1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Oracle Cloud admits users could access other customer data

    From TechnologyDaily@1337:1/100 to All on Wed Sep 21 12:15:03 2022
    Oracle Cloud admits users could access other customer data

    Date:
    Wed, 21 Sep 2022 10:51:13 +0000

    Description:
    Lack of permissions verification in the AttachVolume API caused a lot of trouble for Oracle.

    FULL STORY ======================================================================

    A vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed basically any user to read and write data belonging to any other OCI
    customer, researchers have claimed.

    Experts from cloud security firm Wiz said they stumbled upon the
    vulnerability when building an OCI connector for their own tech stack, discovering that they could attach other peoples virtual disks to their virtual machine instances. The only thing theyd need is that other persons storage volume Oracle Cloud Identifier, and that the other persons volume supported multi-attachment (or wasnt already attached).

    With all these things aligned, a potential threat actor would be able to access any sensitive information found on the volume - and to make matters worse, theyd also be able to write over it. Code execution

    Describing the findings in a blog post , Wizs Elad Gabay said the flaw "could be used to manipulate any data on the volume, including the operating system runtime (by modifying binaries, for example), thus gaining code execution
    over the remote compute instance and a foothold in the victim's cloud environment, once the volume is used to boot a machine." Read more

    Oracle is pushing some of its most popular database tools to AWS


    Oracle and Microsoft announce cloud tie-up launch


    These are the best cloud storage oferrings right now

    Oracle moved quickly to remedy the vulnerability. After learning of the flaw, it fixed it within 24 hours, Gabay further stated, with no additional action was needed from the customers.

    The Register spotted a Twitter thread by Wizs head of research, Shir Tamari, in which it was explained that the key problem lay in the lack of permissions verification in the AttachVolume API.

    What we dont know is whether or not anyone managed to abuse the flaw while it was active, and if they did, was it just to steal data, or to distribute malware, or even ransomware. So far, there is no evidence that something like that happened. Weve reached out to Oracle, whose representatives said the company would not be commenting. These are the best cloud storage management services right now

    Via: The Register



    ======================================================================
    Link to news story: https://www.techradar.com/news/oracle-cloud-admits-users-could-access-other-cu stomer-data/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)