A vulnerability in Apache OpenWhisk exposed IBM customer data through IBM Cloud Functions, which is one of thousands of services relying on the open source serverless platform.
Apache and IBM have each issued a patch for the critical vulnerabilities, tracked as CVE-2018-11756 and CVE-2018-11757, which attackers could exploit to replace a company's serverless code with their own malicious code. In doing so, they would be able to leak sensitive customer data, edit or delete files, mine cryptocurrency, or launch a DDoS attack.
The vulnerability was detected by PureSec researchers, who found under certain conditions, a remote hacker could overwrite the source code of a vulnerable function being executed in a runtime container, and control future executions in the same function in the same container.
Read more about how the exploit works and PureSec's suggested fix here.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.