Oracle has refuted allegations of a breach in its public cloud service, asserting that no customer data was compromised despite claims from an individual on a cyber-crime forum. The suspect boasted of stealing security keys and creating a text file on an Oracle Cloud server. Oracle clarified that the published credentials are not genuine and emphasized that no Oracle Cloud customers have lost data. Concerns were raised about potential vulnerabilities within the Oracle Fusion Middleware, which may have been exploited if not patched appropriately.
"There has been no breach of Oracle Cloud," a spokesperson told The Register on Friday. "The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
That file contains simply the email address of the person attempting to sell what's said to be the stolen Oracle Cloud data.
Infosec outfit CloudSEK reckons that server may not have been patched to close CVE-2021-35587, a known critical vulnerability in Fusion Middleware's Oracle Access Manager.
Exploiting that bug - which can be done over HTTP with no authentication - would potentially give an intruder access to the very kind of information put up for sale this week.
Collection
[
|
...
]