This is the first vulnerability in a serverless platform being publicly disclosed
International Business Machines Corporation (IBM) researchers have fixed a critical vulnerability in IBM Cloud Functions which, if exploited, would have allowed malicious hackers to remotely overwrite the code of a serverless function and install their own, as reported by enterprise data protection services experts from the International Institute of Cyber Security.
The vulnerability was identified and disclosed by security researchers at an Israeli provider of serverless security. The flaw existed in Apache OpenWhisk, the open-source serverless cloud platform used by thousands of reputable companies around the world, including IBM, whose Cloud Functions service is built on it.
“A hacker who managed to override or modify the code of the serverless function could perform other actions, such as filtering confidential data during subsequent executions, which may belong to other ultimate users,” claims the enterprise data protection services team who disclosed the vulnerability.
Tracked as CVE-2018-11756 and CVE-2018-11757, this is the first vulnerability publicly disclosed in a serverless platform. There is good news, however: not only did IBM correct the vulnerability before any exploitation was reported, but the researchers who reported it also provided the OpenWhisk team with suggested mitigations. As a result, Apache has released a patch, and the researchers recommend that Apache OpenWhisk users upgrade to the latest available version as soon as possible.
“After receiving and validating the details of this flaw, the Apache OpenWhisk team reviewed and introduced a solution that mitigates the risk to users,” the developers of the Apache OpenWhisk project said. “We would like to thank the enterprise data protection services experts, as their contribution has helped to make the OpenWhisk platform safer.”
The integrity of function code is a core element of serverless computing, since the platform runs code on behalf of many tenants; it was therefore essential, for both IBM and the Apache OpenWhisk project, that these flaws were resolved and the risks mitigated.