Tenable Research uncovers remote code execution vulnerability in Oracle Code Editor and its integrated services
expresscomputer.in
Tenable has identified a Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure (OCI) Code Editor, a service designed for developers working within Oracle’s Cloud Shell ecosystem. This vulnerability could have allowed attackers to run malicious code on a server without needing direct access.
The RCE vulnerability enables threat actors to silently hijack a victim’s Cloud Shell environment with just one click by the victim, and potentially to move across other OCI services. Once the environment is compromised, an attacker could execute arbitrary commands, access sensitive credentials, and pivot to other OCI services like Resource Manager, Functions, and Data Science. This could lead to broader system compromise, data exfiltration, or deployment of persistent backdoors, especially if the compromised environment had elevated privileges or access to other critical services.
According to Tenable Research, the main problem was that the Code Editor’s file upload feature didn’t properly check if ...
Copyright of this story solely belongs to expresscomputer.in.