CCC Virtual Machines Threats
Threats for Virtual Machine technologies, as defined by the FINOS Common Cloud Controls project.
- ID: CCC.VM.TH
- Version: v2026.06-rc3
- Gemara version: v1.2.0
- Author: FINOS Common Cloud Controls
Resource Management
The Resource Management group covers entries related to the lifecycle, configuration, and operational integrity of cloud resources. This includes resource exhaustion, tag manipulation, version rollback, scaling, and cost management.
CCC.VM.TH01 Images Contain Vulnerabilities
Virtual machine images may include outdated software, insecure configurations, or secrets. Use of such images can introduce vulnerabilities into environments where they are deployed.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP11
CCC.VM.TH04 Instance Templates Propagate Insecure Defaults
Instance templates may contain hardcoded credentials, open ports, or insecure configurations. When reused across deployments, these templates can replicate vulnerabilities at scale.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP18
CCC.VM.TH07 Resource Starvation Through Preemptible (spot) VM Termination
Workloads running on preemptible (spot) instances may experience unexpected termination by the cloud provider with minimal notice. This can result in workload instability, leading to service degradation or denial-of-service if critical processes are scheduled on such VMs, potentially impacting system reliability and availability.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP06
CCC.VM.TH10 Auto-Scaling Abuse for Resource Exhaustion
Automated horizontal scaling mechanisms may be manipulated through forced load generation, such as distributed denial-of-service events, triggering excessive VM creation. This can lead to billing anomalies, service instability, or disruption of resource quotas, potentially impacting cost management and service availability.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP09
CCC.VM.TH11 VM Image Tampering or Poisoning
Virtual machine images may be created or modified to include backdoors, malware, or misconfigurations. The deployment of compromised images can propagate threats across cloud infrastructure, potentially affecting data integrity, confidentiality, and system reliability.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP10
Access Control
The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.
CCC.VM.TH02 Instance Metadata is Unprotected
Instance metadata services may be exposed within virtual machines without appropriate access controls, allowing unauthorized retrieval of sensitive configuration details or temporary credentials.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP16
CCC.VM.TH06 Remote Access Interfaces Are Insufficiently Restricted
Virtual machine instances may expose remote access methods such as SSH or RDP without proper access controls or network restrictions, allowing unintended access to administrative interfaces.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP22
CCC.VM.TH09 Misconfigured Vertical Scaling Leads to Privilege Escalation
Inadequate permissions or automation logic in vertical scaling processes may allow unauthorized resource escalation, such as adding CPUs or memory. This can result in elevated access rights, increased computational capacity for unintended actions, or unplanned cost increases, potentially affecting system security and operational control.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP08
Compute
The Compute group covers entries related to processing, execution, and runtime infrastructure. This includes CPU, memory, storage allocation, network ports, command-line interfaces, and elastic scaling.
CCC.VM.TH03 Bootstrap Scripts Introduce Unintended Behavior
Bootstrap scripts executed at startup may include unvalidated commands or configuration changes. If not securely managed, these scripts can modify instance behavior in unexpected or insecure ways.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP19
Networking
The Networking group covers entries related to network infrastructure, connectivity, and traffic management. This includes virtual networks, subnets, load balancing, DNS, routing, peering, and network-level access controls.
CCC.VM.TH05 Network Access Rules Allow Unintended Communication
Inadequately scoped network access rules may permit communication between virtual machines and untrusted networks or services, increasing exposure to unauthorized access and lateral movement.
Capabilities
- CCC.Core.Capabilities
- CCC.Core.CP23
Data Resilience
The Data Resilience group covers entries related to ensuring data availability, integrity, and sovereignty across its lifecycle. This includes replication, backup, recovery, region restrictions, and protection against data loss or corruption.
CCC.VM.TH08 Co-Residency Risk on Non-Dedicated Infrastructure
Virtual machines operating on shared infrastructure, rather than dedicated instances, may be exposed to increased risk of side-channel attacks or other cross-VM interference. This can result in data leakage or memory scraping, potentially compromising data confidentiality and system integrity.
Capabilities
- CCC.VM.Capabilities
- CCC.VM.CP07