OpenWhisk at Risk: Critical Bug Leaves IBM Cloud Exposed

IBM and Apache have issued patches for a vulnerability that let attackers overwrite any company's serverless code with malicious content.

Dark Reading Staff, Dark Reading

July 24, 2018

1 Min Read
Dark Reading logo in a gray background | Dark Reading

A vulnerability in Apache OpenWhisk exposed IBM customer data through IBM Cloud Functions, which is one of thousands of services relying on the open source serverless platform. 

Apache and IBM have each issued a patch for the critical vulnerabilities, tracked as CVE-2018-11756 and CVE-2018-11757, which attackers could exploit to replace a company's serverless code with their own malicious code. In doing so, they would be able to leak sensitive customer data, edit or delete files, mine cryptocurrency, or launch a DDoS attack.

The vulnerability was detected by PureSec researchers, who found under certain conditions, a remote hacker could overwrite the source code of a vulnerable function being executed in a runtime container, and control future executions in the same function in the same container.

Read more about how the exploit works and PureSec's suggested fix here.

Horizontal-334031_BH_US18_banners_468x60_non_1.png

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights