Oracle Cloud admits users could access other customer data



A vulnerability in Oracle Cloud Infrastructure (OCI) could have allowed basically any user to read and write data belonging to any other OCI customer, researchers have claimed.

Experts from cloud security firm Wiz said they stumbled upon the vulnerability when building an OCI connector for their own tech stack, discovering that they could attach other people’s virtual disks to their virtual machine instances. The only thing they’d need is that other person’s storage (opens in new tab) volume Oracle Cloud Identifier, and that the other person’s volume supported multi-attachment (or wasn’t already attached). 



Source link