Kloudle's vulnerability disclosures are now published by OPVD

Richa Nevatia
July 5, 2022

Kloudle would like to share some exciting news today. Two of Kloudle's vulnerability disclosures have been published by OPVD in the Open Cloud Vulnerability & Security Issue Database!

The first vulnerability is that AWS RDS does not enforce SSL/TLS encryption. AWS RDS is a managed relational database service that allows users to rapidly set up fully operational instances in the cloud and use them as data sources within applications. AWS RDS engine configurations are applied via a resource called a parameter group. These parameter groups are engine specific and contain settings that are pre-configured by AWS. During a review of a MySQL RDS engine, it was noticed that the security setting that forces RDS to accept only encrypted connections from clients was set to null while also being unmodifiable, so customers could neither rely on the default nor correct it in that group.

The Vulnerability: AWS RDS does not force clients to connect using a secure transport layer

The Mitigation: Fixing the default insecure network connection option for RDS instances
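To make the first finding easier to check in your own account, here is an added audit routine (example code written for this page, not Kloudle's or AWS's). It takes the parameter list of an RDS MySQL parameter group and reports whether the TLS-only setting is enforced, merely unset but fixable, unset and unmodifiable (the case the disclosure describes), or absent. It assumes the MySQL engine parameter name `require_secure_transport` and the field names that boto3's `rds.describe_db_parameters()` returns; the sample parameter groups are constructed, not captured from a real account.

```python
# Added example (not Kloudle's code): audit the parameter list of an RDS
# MySQL parameter group for the setting that forces TLS-only connections.
#
# Assumptions:
#   * the MySQL engine parameter is named `require_secure_transport`;
#   * records use the field names boto3's rds.describe_db_parameters()
#     returns (ParameterName, ParameterValue, IsModifiable);
#   * SAMPLE_GROUPS below is constructed data, not pulled from any account.

PARAM_NAME = "require_secure_transport"
TRUE_VALUES = {"1", "on", "true"}


def audit_secure_transport(parameters):
    """Classify one parameter group's TLS-enforcement posture.

    Returns a dict with:
      status      -- "enforced", "not_enforced" or "missing"
      value       -- the raw ParameterValue (None when unset)
      modifiable  -- whether the group lets the customer change it
      remediation -- what a defender should do next
    """
    for p in parameters:
        if p.get("ParameterName") != PARAM_NAME:
            continue
        value = p.get("ParameterValue")
        modifiable = bool(p.get("IsModifiable", False))
        enforced = value is not None and str(value).strip().lower() in TRUE_VALUES
        if enforced:
            remediation = "none; TLS-only connections are enforced server-side"
        elif modifiable:
            remediation = (f"set {PARAM_NAME}=1 in this parameter group and "
                           "apply the group to the instance")
        else:
            # The case the disclosure describes: value unset and the
            # customer cannot change it in this group.
            remediation = ("use a custom parameter group in which "
                           f"{PARAM_NAME} is modifiable, or require TLS from every "
                           "client (e.g. ssl-mode=VERIFY_IDENTITY with the RDS CA)")
        return {"status": "enforced" if enforced else "not_enforced",
                "value": value, "modifiable": modifiable,
                "remediation": remediation}
    return {"status": "missing", "value": None, "modifiable": False,
            "remediation": f"{PARAM_NAME} not present; confirm the engine/version "
                           "supports it and enforce TLS on the client side"}


# Constructed sample: parameter groups with different postures.
SAMPLE_GROUPS = {
    "constructed-default-group": [
        {"ParameterName": "max_connections", "ParameterValue": "150", "IsModifiable": True},
        {"ParameterName": PARAM_NAME, "ParameterValue": None, "IsModifiable": False},
    ],
    "constructed-hardened-group": [
        {"ParameterName": PARAM_NAME, "ParameterValue": "1", "IsModifiable": True},
    ],
    "constructed-lax-group": [
        {"ParameterName": PARAM_NAME, "ParameterValue": "0", "IsModifiable": True},
    ],
    "constructed-unknown-engine": [
        {"ParameterName": "max_connections", "ParameterValue": "150", "IsModifiable": True},
    ],
}


def audit_all(groups):
    """Run the audit over every group; returns {group_name: finding}."""
    return {name: audit_secure_transport(params) for name, params in groups.items()}


if __name__ == "__main__":
    for name, finding in audit_all(SAMPLE_GROUPS).items():
        print(f"{name}: {finding['status']} (value={finding['value']!r}, "
              f"modifiable={finding['modifiable']}) -> {finding['remediation']}")
```

In a real audit you would feed `audit_secure_transport` the `Parameters` list from each page of `describe_db_parameters` for every group attached to a MySQL instance; the distinction between "not enforced but modifiable" and "not enforced and unmodifiable" is what separates a quick parameter fix from the harder client-side enforcement route.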

The second vulnerability is the Google Cloud Armor packet size bypass. Google Cloud Armor provides a rule-based policy framework that customers of the Google Cloud Platform can use to mitigate various types of common web application attacks. The Cloud Armor service has a documented limitation of 8 KB as the maximum size of web request that it will inspect. By default, content beyond that limit is not inspected, so a malicious request can bypass Cloud Armor and reach the underlying application directly.

The Vulnerability: Piercing the Cloud Armor - The 8KB bypass in Google Cloud Platform WAF

The Mitigation: A guide to protect against the 8KB WAF limitation in Google Cloud Armor

Kloudle aims to continue bringing these insightful research pieces to develop the nascent Cloud Security industry. You can read some more Insight pieces on the Kloudle Blog here. If you wish to learn more about cloud security, you can head to Kloudle Academy and even subscribe to Academy alerts!

ABOUT THE AUTHOR

Richa Nevatia

Richa is leading the Content Marketing efforts for Kloudle Academy and to help it reach every person who wants to educate themselves about the world of cloud security.
