Advertisement
Referred to as #AttachMe and mentioned in Oracle’s July 2022 Critical Patch Update, the vulnerability could have exposed sensitive data to attackers knowing the victim’s Oracle Cloud Identifier (OCID).
“OCI customers could have been targeted by an attacker with knowledge of #AttachMe. Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker had its Oracle Cloud Identifier (OCID),” Wiz security researcher Elad Gabay explains.
Essentially, because of this vulnerability, cloud isolation in OCI no longer worked, allowing anyone to attach disks to virtual machines in other accounts, without requiring permissions.