Amazon Web Services has fixed two flaws affecting AWS Glue and AWS CloudFormation.
The bug in AWS Glue could allow an attacker using the service to create resources and access data of other AWS Glue customers, according to Orca Security.
Orca researchers say it was due to an internal misconfiguration within AWS Glue, which AWS today confirmed it has since fixed.
Glue, which launched in 2017, is a managed serverless data integration service for connecting large databases, allowing developers to extract, transform and load (ETL) for machine-learning jobs.
Orca researchers discovered a Glue feature could be used to gain the credentials to a role within the AWS service’s own account to give an attack access to the internal service’s application programming interface (API).
Using this access with the internal misconfiguration, an attacker could escalate privileges within an account and gain full administrative privileges.
AWS said in a statement that Glue customers don’t need to update systems and emphasized the bug could not have affected AWS customers who don’t use Glue.
“Utilizing an AWS Glue feature, researchers obtained credentials specific to the service itself, and an AWS-internal misconfiguration permitted the researchers to use these credentials as the AWS Glue service,” AWS said.
“There is no way that this could have been used to affect customers who do not use the AWS Glue service.”
Additionally, AWS said it audited Glue logs going back to its launch in 2017 and confirmed that no customer data had been impacted by the flaw since then.
“AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service have been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher,” AWS said.
“No other customer’s accounts were impacted. All actions taken by AWS Glue in a customer’s account are logged in CloudTrail records controlled and viewable by customers.”
Orca found a second bug in AWS that allowed an attacker to compromise a server within CloudFormation in a way that lets them run as an AWS infrastructure service. AWS customers can use CloudFormation to provision and manage cloud resources.
The company identified an XML external entity injection (XXE) vulnerability that allowed it to read files and perform web requests on behalf of the server. The flaw could be used by an attacker to gain “privileged access to any resource in AWS”, according to Orca.
AWS has also remediated this flaw, according to Orca.