3.3.3. Cloud, Virtualization, and Supply Chain Vulnerabilities
💡 First Principle: Cloud and virtualization introduce new vulnerability categories that don't exist in traditional on-premises environments. The shared responsibility model means some vulnerabilities are yours to fix, and some are the provider's, but you're always responsible for what you configure. Most cloud breaches result from customer misconfiguration, not provider infrastructure failure.
Cloud-specific vulnerabilities include misconfigured IAM permissions (overly permissive roles that grant admin access when read-only would suffice), public-facing storage buckets (exposing sensitive data to the internet), insecure API endpoints (missing authentication or rate limiting), and weak tenant isolation. Shared tenancy means a flaw in the isolation between customers could expose your data. Cloud security posture management (CSPM) tools automate detection of these misconfigurations.
Virtualization vulnerabilities: VM escape attacks break out of a virtual machine to access the hypervisor or other VMs, violating the fundamental isolation that makes virtualization secure. Resource reuse (where memory or disk from a deleted VM isn't properly wiped) can expose previous tenant data. Hypervisor vulnerabilities are particularly dangerous because they affect all VMs running on that host.
Supply chain vulnerabilities extend to third-party code: vulnerable libraries, dependencies with known CVEs, and service integration weaknesses. Your application inherits the vulnerabilities of every library it imports. A single vulnerable dependency deep in your dependency tree can compromise your entire application. A Software Bill of Materials (SBOM) tracks these dependencies so that affected components can be identified when a new CVE is published.
Platform vulnerabilities affect container orchestration (Kubernetes misconfigurations like exposed dashboards or overly permissive pod security policies), serverless functions (over-permissive execution roles that grant unnecessary AWS/Azure permissions), and infrastructure-as-code templates (hardcoded secrets, overly broad security group rules committed to version control).
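To make the misconfiguration classes above concrete (overly permissive IAM roles, public storage buckets, and world-open security group rules committed in infrastructure-as-code), here is a small CSPM-style checker added as an example; it is not code from the original guide. It scans a constructed, CloudFormation-style template held as a plain Python dict, and the helper names (`check_iam`, `check_bucket`, `check_sg`, `scan`) are assumptions of this example.

```python
# Added example: minimal CSPM-style scan of a CloudFormation-style template.
# The template below is constructed for illustration; helper names are hypothetical.
WORLD = {"0.0.0.0/0", "::/0"}  # CIDRs that mean "anyone on the internet"

def check_iam(name, props):
    # Flag Allow statements granting every action on every resource.
    for st in props.get("PolicyDocument", {}).get("Statement", []):
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and "*" in acts and "*" in res:
            yield f"{name}: IAM policy allows all actions on all resources"

def check_bucket(name, props):
    # Flag buckets whose canned ACL exposes objects to the internet.
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        yield f"{name}: storage bucket is publicly readable"

def check_sg(name, props):
    # Flag ingress rules reachable from any IPv4 or IPv6 address.
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD:
            yield f"{name}: ingress port {rule.get('FromPort')} open to the world"

CHECKS = {"AWS::IAM::Policy": check_iam, "AWS::S3::Bucket": check_bucket,
          "AWS::EC2::SecurityGroup": check_sg}

def scan(template):
    """Return a list of finding strings for every resource a check recognises."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        fn = CHECKS.get(res.get("Type"))
        if fn:
            findings.extend(fn(name, res.get("Properties", {})))
    return findings

# Constructed sample: one weak and one acceptable resource of each kind.
SAMPLE = {"Resources": {
    "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "ReadOnlyPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}}},
    "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "PrivateBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
    "OpenSsh": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "OfficeSsh": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}]}},
}}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Running it reports only the three weak resources; a real CSPM tool applies the same idea across hundreds of rules and against live account state rather than a template.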
⚠️ Exam Trap: VM escape is the most critical virtualization vulnerability: it breaks the fundamental isolation that makes virtualization secure. If a question describes an attacker moving from a VM to the hypervisor, the answer is VM escape.
