A new vulnerability has been disclosed in Oracle Cloud Infrastructure (OCI). According to security researchers at Wiz, the flaw could allow unauthorized access to the cloud storage volumes of all users, which violates cloud isolation. The researchers dubbed the flaw AttachMe and detailed it in an advisory posted by Wiz earlier this week. According to the advisory, Oracle patched the flaw for all OCI customers within 24 hours of notification, with no customer action required.
However, before the flaw was patched, OCI customers could have been targeted without any indication of compromise or breach. Any storage volume could have been accessed by an unauthorized party that could have launched a privilege escalation attack for cross-tenant access. The bug highlights how crucial tenant isolation is in cloud infrastructure. Wiz stated in the advisory that customers should not be worried that their sensitive cloud data is accessible by other customers; however, the vulnerability shows that it is possible.