Researchers from Polish security firm Security Explorations, who found many Java vulnerabilities in the past, decided to publicly disclose the Java Cloud Service security weaknesses because they weren’t satisfied with how Oracle handled their private report.
“Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers (US1 and EMEA1 respectively),” Adam Gowdiak, the CEO and founder of Security Explorations, said Wednesday via email.
“Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies,” he said. “Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future.”
The Oracle Java Cloud Service allows customers to run Java applications on WebLogic server clusters in data centers operated by Oracle. The service provides “enterprise security, high availability, and performance for business-critical applications,” Oracle says on its website.
According to a disclosure timeline published by Security Explorations, the company notified Oracle of 28 security issues on Jan. 31 and another two issues on Feb. 2.
The reported issues include bypasses of the Java security sandbox, bypasses of the Java API whitelisting rules, the use of shared WebLogic server administrator passwords, the availability of security-sensitive plaintext user passwords in Policy Store, the use of outdated Java SE software on the service that was lacking around 150 security fixes, and issues that enable a remote code execution attack against a WebLogic server instance used by other Oracle Java Cloud users.
“We found a way for a given user of Oracle Java Cloud service to gain access to applications and data of another user of the service in the same regional data center,” Gowdiak said. “By access we mean the possibility to read and write data, but also execute arbitrary (including malicious) Java code on a target WebLogic server instance hosting other users’ applications; all with Weblogic server administrator privileges. That alone undermines one of key principles of a cloud environment — security and privacy of users data.”
Potential attackers only need one-time access to the service to learn its specifics and can later break into all Java Cloud user accounts from the public Internet, Gowdiak said. Attacks can also be carried out from trial accounts because there’s no separation between trial users and paying customers in the regional data centers, he said.
Oracle confirmed the 30 vulnerabilities on Feb. 12, but failed to provide Security Explorations with a monthly report on their status in March, as it had been agreed, Gowdiak said.
The nature of the issues identified indicates that the service was not subjected to a thorough security review and penetration test prior to being publicly launched, Gowdiak said. The vulnerabilities also expose a weak understanding of the Java security model and attack techniques by Oracle engineers, he said.
In an email sent to the Full Disclosure security mailing list Tuesday, the Security Explorations researchers encouraged Oracle Java Cloud customers with accounts in the US1 or EMEA1 centers to request refunds based on unsatisfactory security levels.
Oracle did not immediately respond to a request for comment Wednesday.