Researchers publicly disclose vulnerabilities in Oracle Java Cloud Service

The flaws could allow attackers to break into Java applications hosted on the service, researchers from Security Explorations said

Security researchers released technical details and proof-of-concept code for 30 security issues affecting Oracle's Java Cloud Service, some of which could allow attackers to compromise business-critical Java applications deployed on it.

Researchers from Polish security firm Security Explorations, who found many Java vulnerabilities in the past, decided to publicly disclose the Java Cloud Service security weaknesses because they weren't satisfied with how Oracle handled their private report.

"Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers (US1 and EMEA1 respectively)," Adam Gowdiak, the CEO and founder of Security Explorations, said Wednesday via email.

"Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies," he said. "Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future."

The Oracle Java Cloud Service allows customers to run Java applications on WebLogic server clusters in data centers operated by Oracle. The service provides "enterprise security, high availability, and performance for business-critical applications," Oracle says on its website.

According to a disclosure timeline published by Security Explorations, the company notified Oracle of 28 security issues on Jan. 31 and another two issues on Feb. 2.

The reported issues include bypasses of the Java security sandbox, bypasses of the Java API whitelisting rules, the use of shared WebLogic server administrator passwords, the availability of security-sensitive plaintext user passwords in Policy Store, the use of outdated Java SE software on the service that was lacking around 150 security fixes, and issues that enable a remote code execution attack against a WebLogic server instance used by other Oracle Java Cloud users.

"We found a way for a given user of Oracle Java Cloud service to gain access to applications and data of another user of the service in the same regional data center," Gowdiak said. "By access we mean the possibility to read and write data, but also execute arbitrary (including malicious) Java code on a target WebLogic server instance hosting other users' applications; all with Weblogic server administrator privileges. That alone undermines one of key principles of a cloud environment -- security and privacy of users data."

Potential attackers only need one-time access to the service to learn its specifics and can later break into all Java Cloud user accounts from the public Internet, Gowdiak said. Attacks can also be carried out from trial accounts because there's no separation between trial users and paying customers in the regional data centers, he said.

Oracle confirmed the 30 vulnerabilities on Feb. 12, but failed to provide Security Explorations with a monthly report on their status in March, as it had been agreed, Gowdiak said.

The nature of the issues identified indicates that the service was not subjected to a thorough security review and penetration test prior to being publicly launched, Gowdiak said. The vulnerabilities also expose a weak understanding of the Java security model and attack techniques by Oracle engineers, he said.

In an email sent to the Full Disclosure security mailing list Tuesday, the Security Explorations researchers encouraged Oracle Java Cloud customers with accounts in the US1 or EMEA1 centers to request refunds based on unsatisfactory security levels.

Oracle did not immediately respond to a request for comment Wednesday.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags online safetysecuritySecurity Explorationsdevelopment platformsManaged ServicesSoftware as a servicecloud computingExploits / vulnerabilitiesinternetOracleintrusion

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?