Tenable reveals RCE flaw in Oracle Cloud editor, highlights risks

Techday NZ, 21-07-2025
Tenable has announced the disclosure of a Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure's (OCI) Code Editor, raising questions about risks inherent in interconnected cloud services.
Researchers at Tenable identified a flaw in the OCI Code Editor, a tool used by developers working within Oracle's Cloud Shell ecosystem. The vulnerability potentially allowed attackers to remotely execute code in a victim's environment without direct access, simply by tricking a user into clicking a malicious link while logged into their Oracle Cloud account.
RCE vulnerability explained
The flaw, now resolved by Oracle, was caused by insufficient origin checks on the Code Editor's file upload feature. This allowed malicious websites to manipulate a user's browser to upload harmful files to their Oracle Cloud Shell account without their knowledge. When the targeted user subsequently opened their Cloud Shell, the uploaded file could automatically execute malicious commands.
Tenable emphasised the possible consequences of this vulnerability, stating that an attacker could "silently hijack a victim's Cloud Shell environment, with just one click by the victim and potentially move across other OCI services." The ability to execute arbitrary commands from this position could have exposed sensitive credentials and enabled horizontal movement to other services such as Resource Manager, Functions, or Data Science, increasing the scope for system compromise, data theft, or persistent backdoors.
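The article does not describe how the Code Editor validated upload requests, so the following is an added, generic illustration of the bug class (a cookie-authenticated upload endpoint with a weak origin check, next to a hardened one); it is not Oracle's or Tenable's code. The origin `editor.example.test`, the `x-csrf-token` header, the function names and the sample requests are all assumptions constructed for the example.

```javascript
// Added illustration; names, origins and header choices are assumptions.
const ALLOWED_ORIGINS = new Set(['https://editor.example.test']);

// Weak: the session cookie is sent on cross-site requests too, a missing
// Origin is waved through, and substring matching accepts look-alike hosts.
function weakCheck(req) {
  if (!req.cookies.session) return 'no-session';
  const origin = req.headers.origin || '';
  return (origin === '' || origin.includes('editor.example.test')) ? 'ok' : 'bad-origin';
}

// Constant-time comparison for the anti-CSRF token.
function sameToken(a, b) {
  if (typeof a !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened: exact Origin match, Fetch Metadata must say same-origin when the
// browser sends it, and a per-session token that a foreign page cannot read.
function strictCheck(req, session) {
  if (!session || req.cookies.session !== session.id) return 'no-session';
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return 'bad-origin';
  const site = req.headers['sec-fetch-site'];
  if (site && site !== 'same-origin') return 'cross-site';
  if (!sameToken(req.headers['x-csrf-token'], session.csrfToken)) return 'bad-token';
  return 'ok';
}

// Constructed sample data: one session and five upload requests.
const SESSION = { id: 's1', csrfToken: 'tok-constructed-0001' };
const SAMPLES = {
  legitimate: { cookies: { session: 's1' }, headers: {
    origin: 'https://editor.example.test', 'sec-fetch-site': 'same-origin',
    'x-csrf-token': 'tok-constructed-0001' } },
  foreignPage: { cookies: { session: 's1' }, headers: {
    origin: 'https://other.example.test', 'sec-fetch-site': 'cross-site' } },
  lookAlike: { cookies: { session: 's1' }, headers: {
    origin: 'https://editor.example.test.other.example', 'sec-fetch-site': 'cross-site' } },
  noOrigin: { cookies: { session: 's1' }, headers: {} },
  noToken: { cookies: { session: 's1' }, headers: {
    origin: 'https://editor.example.test', 'sec-fetch-site': 'same-origin' } },
};

// Run every sample through both checks and return the verdicts side by side.
function evaluate() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, req]) =>
    [name, { weak: weakCheck(req), strict: strictCheck(req, SESSION) }]));
}

console.log(evaluate());
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer on top of these server-side checks.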
The 'Jenga Concept'
The RCE flaw illustrates broader concerns highlighted by Tenable around the architecture of cloud service providers. Tenable refers to this as the Jenga Concept, a notion capturing the compounding risks when providers build new services on the foundations of existing ones. "Similar to the game of Jenga, extracting one block can compromise the integrity of the whole structure," said Liv Matan, Senior Security Researcher at Tenable.
Matan continued, "Cloud services, especially with their deep integrations and shared environments, function similarly; if a hidden integration or shared environment introduces a weakness, those risks can cascade into dependent services, significantly increasing the potential for security breaches. Our OCI research underscores the critical importance of scrutinizing these interconnected systems."
Potential impact and implications
If exploited, Tenable reports the vulnerability could have allowed attackers to take the following actions:
  • Silently take over a victim's Cloud Shell environment
  • Run unauthorised code on the victim's Oracle Cloud services
  • Access sensitive data and secrets within the victim's OCI environment
  • Pivot into other integrated services such as Resource Manager or Data Science to deploy new resources or exfiltrate data
Oracle has issued a patch to address the issue and no further action is required from users currently, according to Tenable.
Security recommendations
Despite the issue being fixed, Tenable is recommending that organisations take steps to reduce risks from similar vulnerabilities in the future. These include implementing a least privilege model to restrict unnecessary permissions and limit the scope of potential compromises, mapping dependencies and integrations among cloud services to reveal possible attack surfaces, reviewing logs for indicators of compromise, and consistently monitoring for unusual access patterns or unauthorised file modifications.
Matan commented on the wider lesson for cloud security professionals, stating, "This RCE vulnerability found in OCI underscores that cloud security isn't just about reacting to threats, but actively preventing them. As cloud environments become more intricate, security teams must stay ahead, identifying and fixing weaknesses before they can be exploited."