Tenable has discovered a Remote Code Execution (RCE) vulnerability in the Oracle Cloud Infrastructure (OCI) Code Editor that allowed an attacker to run code in a victim's Cloud Shell environment without any direct access to it. By silently hijacking the victim's Cloud Shell session, an attacker could execute commands, read the credentials available in that environment, and pivot to other OCI services, with system compromise, data exfiltration, or a persistent backdoor as possible outcomes. The impact was greatest where the compromised environment held elevated privileges or had access to other critical services.

According to Tenable Research, the root cause was that the Code Editor's file upload endpoint did not verify where an upload request originated, so it accepted requests from any site as long as the browser carried the user's Oracle Cloud session. A malicious website could therefore make a logged-in victim's browser upload an attacker-controlled file into the victim's environment without the victim's knowledge (a cross-site request forgery). The next time the victim opened Cloud Shell, the code in the uploaded file ran automatically.
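The weakness described above, as an added example that is not Oracle's code and is not taken from Tenable's research: a cookie-authenticated upload handler that checks only the session, beside a hardened version that validates the request's Origin (falling back to Referer) and requires a per-session CSRF token the attacker's page cannot obtain. Host names, session values, the server secret and the file content are constructed for illustration; the page says only that Oracle's endpoint did not check where requests came from, so the specific check it lacked is an assumption here.

```python
"""CSRF check for a cookie-authenticated file-upload endpoint.

Models the class of bug described above: an upload handler that trusts the
session cookie alone, next to a hardened handler that also validates the
request's Origin (falling back to Referer) and a per-session CSRF token.
Requests are plain dicts so the example runs offline; every host name,
session value and secret below is constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical console origin; a real deployment lists every origin from
# which the upload form is legitimately served.
ALLOWED_ORIGINS = {"https://console.example-cloud.test"}

# Server-side secret used to derive CSRF tokens (constructed; in practice
# random and kept out of source).
CSRF_SECRET = b"example-server-secret"

# Constructed session store: cookie value -> user.
SESSIONS = {"sess-victim-001": "victim@example.test"}


def csrf_token_for(session_id: str, secret: bytes = CSRF_SECRET) -> str:
    """Derive a per-session CSRF token; a third-party page cannot read it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    """Reduce a URL (e.g. a Referer) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def origin_check(headers: dict, allowed=ALLOWED_ORIGINS) -> tuple[bool, str]:
    """Accept only if Origin (or, failing that, Referer) is an allowed origin.

    A missing or 'null' Origin on a state-changing request is rejected rather
    than trusted: a forged request from a third-party page is exactly the case
    where the server cannot assume a benign source.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False, "missing Origin and Referer"
        origin = origin_of(referer)
    origin = origin.lower()
    if origin == "null" or origin not in allowed:
        return False, f"cross-site origin {origin!r}"
    return True, "origin allowed"


def session_user(request: dict):
    """Look up the user from the session cookie the browser attached."""
    return SESSIONS.get(request["cookies"].get("session", ""))


def upload_vulnerable(request: dict) -> tuple[int, str]:
    """The weak pattern: a valid session cookie is the only check.

    Browsers attach cookies to a cross-site form POST automatically, so a page
    on the attacker's site can drive this endpoint with the victim's session.
    """
    user = session_user(request)
    if user is None:
        return 401, "not logged in"
    return 200, f"stored {request['file']['name']} for {user}"


def upload_hardened(request: dict) -> tuple[int, str]:
    """Same endpoint with origin validation and a CSRF token check."""
    user = session_user(request)
    if user is None:
        return 401, "not logged in"
    ok, why = origin_check(request["headers"])
    if not ok:
        return 403, why
    expected = csrf_token_for(request["cookies"]["session"])
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "bad or missing CSRF token"
    return 200, f"stored {request['file']['name']} for {user}"


def forged_request() -> dict:
    """What the victim's browser sends when an attacker page auto-submits a
    multipart form to the upload endpoint (constructed)."""
    return {
        "cookies": {"session": "sess-victim-001"},   # attached by the browser
        "headers": {"Origin": "https://attacker.example.test"},
        "form": {},                                   # attacker has no token
        "file": {"name": "startup-script", "content": "echo compromised"},
    }


def legitimate_request() -> dict:
    """The same upload submitted from the console's own page (constructed)."""
    return {
        "cookies": {"session": "sess-victim-001"},
        "headers": {"Origin": "https://console.example-cloud.test"},
        "form": {"csrf_token": csrf_token_for("sess-victim-001")},
        "file": {"name": "notes.txt", "content": "hello"},
    }


if __name__ == "__main__":
    for name, req in (("forged", forged_request()), ("legit", legitimate_request())):
        print(name, "vulnerable:", upload_vulnerable(req))
        print(name, "hardened: ", upload_hardened(req))
```

The forged request carries the victim's cookie because the browser attaches it automatically; that is why the vulnerable handler accepts it and why a session cookie alone cannot prove that a request came from the application's own pages. A SameSite attribute on the session cookie adds a browser-side layer, but the origin and token checks are what the endpoint itself controls.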

This OCI vulnerability exemplifies what Tenable has coined the Jenga® Concept: cloud providers build services on top of one another, so a weakness in one layer cascades into the services that depend on it.

“Like the game of Jenga®, extracting one block can compromise the integrity of the whole structure,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches. Our OCI research underscores the critical importance of scrutinising these interconnected systems.”

Oracle has already fixed this vulnerability, and no additional action is required from users.

Read the full research findings here.

JENGA® is a registered trademark owned by Pokonobe Associates.