Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure
Sep 22, 2022
Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. "Each virtual disk in Oracle's cloud has a unique identifier called OCID," Shir Tamari, head of research at Wiz, said in a series of tweets. "This identifier is not considered secret, and organizations do not treat it as such." "Given the OCID of a victim's disk that is not currently attached to an active server or configured as shareable, an attacker could 'attach' to it and obtain read/write over it," Tamari added. The cloud security firm, which dubbed the tenant isolation vulnerability " AttachMe ," said Oracle patched the issue within 24 hours of responsible disclosure on June 9, 2022. Accessing a volume using the CLI without sufficient permissions At its core, the vulnerability is rooted in the fact that a disk could be attached to a compute