Oracle Java Cloud Service Vulnerabilities Publicly Disclosed

The New Acunetix V12 Engine


Security researches from the Polish firm Security Explorations have released a massive slew of PoC code and technical details on 30 Oracle Java Cloud Service Vulnerabilities.

Java Cloud Vulnerabilities

It seems like they had already reported them to Oracle, but weren’t happy with how things were handled, so have decided to go public with the weaknesses. They gave them a fair amount of time too, over 2 months to address the issues in the cloud data centers.

As a fairly new service though, it seems Oracle is having some issues with policies and handling incidents like this for their cloud service.

Security researchers released technical details and proof-of-concept code for 30 security issues affecting Oracle’s Java Cloud Service, some of which could allow attackers to compromise business-critical Java applications deployed on it.

Researchers from Polish security firm Security Explorations, who found many Java vulnerabilities in the past, decided to publicly disclose the Java Cloud Service security weaknesses because they weren’t satisfied with how Oracle handled their private report.

“Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers (US1 and EMEA1 respectively),” Adam Gowdiak, the CEO and founder of Security Explorations, said Wednesday via email.

“Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies,” he said. “Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future.”

The Oracle Java Cloud Service allows customers to run Java applications on WebLogic server clusters in data centers operated by Oracle. The service provides “enterprise security, high availability, and performance for business-critical applications,” Oracle says on its website.

According to a disclosure timeline published by Security Explorations, the company notified Oracle of 28 security issues on Jan. 31 and another two issues on Feb. 2.


It seems like Oracle has a fair amount of security measures built into the Java cloud (whitelisting, sandboxes etc) – but they don’t work properly. Which in my view, is often more dangerous than having none at all.

If people know there are no security measures, they will act and configure accordingly – especially for tech-centric platforms like this. But when the vendor, in this case Oracle, claims there are strong security measures in place – people will tend to relax their own implementation a little.

The reported issues include bypasses of the Java security sandbox, bypasses of the Java API whitelisting rules, the use of shared WebLogic server administrator passwords, the availability of security-sensitive plaintext user passwords in Policy Store, the use of outdated Java SE software on the service that was lacking around 150 security fixes, and issues that enable a remote code execution attack against a WebLogic server instance used by other Oracle Java Cloud users.

“We found a way for a given user of Oracle Java Cloud service to gain access to applications and data of another user of the service in the same regional data center,” Gowdiak said. “By access we mean the possibility to read and write data, but also execute arbitrary (including malicious) Java code on a target WebLogic server instance hosting other users’ applications; all with Weblogic server administrator privileges. That alone undermines one of key principles of a cloud environment — security and privacy of users data.”

Potential attackers only need one-time access to the service to learn its specifics and can later break into all Java Cloud user accounts from the public Internet, Gowdiak said. Attacks can also be carried out from trial accounts because there’s no separation between trial users and paying customers in the regional data centers, he said.

Oracle confirmed the 30 vulnerabilities on Feb. 12, but failed to provide Security Explorations with a monthly report on their status in March, as it had been agreed, Gowdiak said.

They are some quite serious issues too, allowed users to gain access to userspace of another user in the same regional DC. Oracle has confirmed the vulnerabilities, but as of yet – has failed to provide any status updates regarding fixes/improvements/patches etc.

The attacks can also be carried out from a trial user account as there is no separation between trial users and paying customers. It seems like a generally poor architecture and sloppy design by Oracle – I hope this makes them really step up their game.

Source: Network World

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , ,


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


One Response to Oracle Java Cloud Service Vulnerabilities Publicly Disclosed

  1. scamer April 4, 2014 at 5:38 pm #

    I love ur job n how far canit take me to learn?