Whisk-y business: How Apache OpenWhisk hole left IBM Cloud Functions at risk of hijacking

5 years ago
Anonymous $hM_jrxqbr-

https://www.theregister.co.uk/2018/07/24/apache_ibm_cloud_vulnerable/

IBM has patched a critical vulnerability in its Cloud Functions platform that would have allowed miscreants to remotely overwrite customers' code – and execute malicious commands to hijack services.

The flaws, designated CVE-2018-11756 and CVE-2018-11757, are actually present in Apache OpenWhisk, a component Big Blue uses to provide so-called serverless functions. The concept of serverless, essentially, reduces web and backend applications to blocks of code, aka functions, called by applications over the internet. Rather than deploy your code on physical host servers or virtual machines, you break it into functions and run them in the cloud on demand in response to incoming requests – saving you having to maintain and update the underlying servers, and pay to rent whole servers, hence the term "serverless."