A new vulnerability in Oracle Cloud Infrastructure (OCI) would allow unauthorized access to cloud storage volumes of all users, hence violating cloud isolation.
The flaw, discovered by secure cloud experts at Wiz in June and dubbed AttachMe, is now being discussed in a new advisory the company published today.
The company said that within 24 hours of being informed by Wiz, Oracle patched the flaw for all OCI customers without any customer action required.
However, in the technical write–up, Wiz senior software engineer Elad Gabay said that before it was patched, all OCI customers could have been targeted by an attacker with knowledge of the vulnerability.
“Any unattached storage volume, or attached storage volumes allowing multi–attachment, could have been read from or written to as long as an attacker had its Oracle Cloud Identifier (OCID), allowing sensitive data to be exfiltrated or more destructive attacks to be initiated by executable file manipulation,” Gabay explained.
According to the Wiz advisory, potential attacks resulting from a threat actor aware of this flaw included privilege escalation and cross–tenant access.
