{"id":5392,"date":"2025-07-18T03:03:16","date_gmt":"2025-07-18T03:03:16","guid":{"rendered":"https:\/\/mailitics.com\/index.php\/2025\/07\/18\/tenable-uncovers-security-flaw-in-oci-1180066428\/"},"modified":"2025-07-18T03:03:16","modified_gmt":"2025-07-18T03:03:16","slug":"tenable-uncovers-security-flaw-in-oci-1180066428","status":"publish","type":"post","link":"https:\/\/mailitics.com\/index.php\/2025\/07\/18\/tenable-uncovers-security-flaw-in-oci-1180066428\/","title":{"rendered":"Tenable uncovers security flaw in OCI"},"content":{"rendered":"<p>Tenable uncovers security flaw in OCI<\/p>\n<div>\n<p><a href=\"https:\/\/www.tenable.com\/\" target=\"_blank\" rel=\"noopener\">Tenable<\/a> researchers have discovered a new remote code execution vulnerability in Oracle Code Editor that could have allowed attackers to run malicious code on a server without the need for direct access.<\/p>\n<p>The vulnerability enables threat actors to hijack a victim\u2019s Cloud Shell environment, and potentially move across to other Oracle Cloud Infrastructure services. Once inside, an attacker could have executed arbitrary commands, accessed sensitive credentials, and pivoted to services such as Resource Manager, Functions and Data Science, opening the threat of broader system compromise or data exfiltration.<\/p>\n<p>According to Tenable, the main issue was that the code editor\u2019s file upload feature didn\u2019t properly check if requests were coming from where they should, an oversight that could have allowed malicious websites to trick a user\u2019s browser into uploading harmful files without the user\u2019s knowledge.<\/p>\n<p>Oracle has remediated the vulnerability after being informed 
of it, but Tenable Senior Security Researcher Liv Matan said the vulnerability is an example of what her company has termed the Jenga concept of cloud security, or the tendency of providers to build services on top of one another resulting in security risks in one layer cascading into other services.<\/p>\n<p>\u201cSimilar to the game of Jenga, extracting one block can compromise the integrity of the whole structure,\u201d she said. \u201cCloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches.<\/p>\n<p>\u201cOur OCI research underscores the critical importance of scrutinising these interconnected systems.\u201d<\/p>\n<p><h9>Image credit: iStock.com\/weerapatkiatdumrong<\/h9><\/p>\n<\/div>\n<p><a href=\"https:\/\/www.technologydecisions.com.au\/content\/cloud-and-virtualisation\/news\/tenable-uncovers-security-flaw-in-oci-1180066428?utm_source=rss\">Go to Technology Decisions<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tenable uncovers security flaw in OCI Tenable researchers have discovered a new remote code execution vulnerability in Oracle Code Editor that could have allowed attackers to run malicious code on a server without the need for direct access. 
The vulnerability enables threat actors to hijack a victim\u2019s Cloud Shell environment, and potentially move across to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44],"tags":[48],"class_list":["post-5392","post","type-post","status-publish","format-standard","hentry","category-technology-decisions","tag-technology-decisions"],"_links":{"self":[{"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/posts\/5392"}],"collection":[{"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/comments?post=5392"}],"version-history":[{"count":0,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/posts\/5392\/revisions"}],"wp:attachment":[{"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/media?parent=5392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/categories?post=5392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/tags?post=5392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}