The Orca Security Research Team announced that it has discovered a critical security issue in AWS Glue, a managed serverless data integration service. The vulnerability allowed third parties to create resources and access AWS Glue customers' data. The flaw may stem from an internal misconfiguration within AWS Glue, and exploiting it requires a complex multi-step process.
Allows access to data of other customers
The Orca Security Research Team stated that it worked with AWS on the issue. The cloud giant confirmed the vulnerability and announced that no customer accounts were inappropriately accessed. The AWS Glue service team reproduced and confirmed the finding within hours and deployed a partial mitigation within 24 hours. Within a few days, the cloud giant deployed a full mitigation to fix the issue.

According to the report, a feature in AWS Glue could be exploited to let third parties obtain credentials for a role within the AWS Glue service's own account, granting full access to the internal service API. When combined with an internal misconfiguration, an attacker could further escalate privileges within that account, gaining unrestricted administrative privileges over all of the service's resources in the region. Anthony Virtuoso, Principal Engineer at AWS, said:
"At AWS, security is everyone's job and our highest priority. We take vulnerability reports extremely seriously. We spend a lot of time thinking about and implementing security invariants to keep our customers safe, and we appreciate when that work can be informed or improved by independent security research.
Today, Orca Security, a valued AWS partner, helped us detect and mitigate a misconfiguration before it could impact any customers. We greatly appreciate their talent and vigilance, and we would like to thank them for the shared passion of protecting AWS customers through their findings."