
The flaw opened a hole in IBM’s serverless Cloud Functions platform, potentially exposing confidential customer data.
Apache and IBM have patched a critical vulnerability that allows attackers to replace a company’s serverless code with their own malicious script.
Once running, the bad code could then be used for a range of nefarious tasks, including extracting confidential customer data such as passwords or credit-card numbers, modifying or deleting data, mining cryptocurrencies or launching a DDoS attack.
The vulnerability, originally discovered by researchers at PureSec, was found in Apache OpenWhisk, the open-source serverless platform that IBM uses to run cloud functions. IBM has patched the issue, but other implementations at other vendors could also be flawed.
Serverless computing is a cloud-computing execution model in which cloud providers dynamically allocate machine resources; the name comes from the fact that the actual server management and capacity-planning decisions are completely hidden from the developer or operator.
For more details:
https://threatpost.com/apache-ibm-patch-critical-cloud-vulnerability/134341/