Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers.

“Each virtual disk in Oracle’s cloud has a unique identifier called OCID,” Shir Tamari, head of research at Wiz, said in a series of tweets. “This identifier is not considered secret, and organizations do not treat it as such.”

“Given the OCID of a victim’s disk that is not currently attached to an active server or configured as shareable, an attacker could ‘attach’ to it and obtain read/write over it,” Tamari added.

The cloud security firm, which dubbed the tenant isolation vulnerability “AttachMe,” said Oracle patched the issue within 24 hours of responsible disclosure on June 9, 2022.
