Oracle Java Cloud Service Vulnerabilities Publicly Disclosed


Security researches from the Polish firm Security Explorations have released a massive slew of PoC code and technical details on 30 Oracle Java Cloud Service Vulnerabilities.

Java Cloud Vulnerabilities

It seems like they had already reported them to Oracle, but weren’t happy with how things were handled, so have decided to go public with the weaknesses. They gave them a fair amount of time too, over 2 months to address the issues in the cloud data centers.

As a fairly new service though, it seems Oracle is having some issues with policies and handling incidents like this for their cloud service.

Security researchers released technical details and proof-of-concept code for 30 security issues affecting Oracle’s Java Cloud Service, some of which could allow attackers to compromise business-critical Java applications deployed on it.

Researchers from Polish security firm Security Explorations, who found many Java vulnerabilities in the past, decided to publicly disclose the Java Cloud Service security weaknesses because they weren’t satisfied with how Oracle handled their private report.

“Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers (US1 and EMEA1 respectively),” Adam Gowdiak, the CEO and founder of Security Explorations, said Wednesday via email.

“Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies,” he said. “Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future.”

The Oracle Java Cloud Service allows customers to run Java applications on WebLogic server clusters in data centers operated by Oracle. The service provides “enterprise security, high availability, and performance for business-critical applications,” Oracle says on its website.

According to a disclosure timeline published by Security Explorations, the company notified Oracle of 28 security issues on Jan. 31 and another two issues on Feb. 2.


It seems like Oracle has a fair amount of security measures built into the Java cloud (whitelisting, sandboxes etc) – but they don’t work properly. Which in my view, is often more dangerous than having none at all.

If people know there are no security measures, they will act and configure accordingly – especially for tech-centric platforms like this. But when the vendor, in this case Oracle, claims there are strong security measures in place – people will tend to relax their own implementation a little.

The reported issues include bypasses of the Java security sandbox, bypasses of the Java API whitelisting rules, the use of shared WebLogic server administrator passwords, the availability of security-sensitive plaintext user passwords in Policy Store, the use of outdated Java SE software on the service that was lacking around 150 security fixes, and issues that enable a remote code execution attack against a WebLogic server instance used by other Oracle Java Cloud users.

“We found a way for a given user of Oracle Java Cloud service to gain access to applications and data of another user of the service in the same regional data center,” Gowdiak said. “By access we mean the possibility to read and write data, but also execute arbitrary (including malicious) Java code on a target WebLogic server instance hosting other users’ applications; all with Weblogic server administrator privileges. That alone undermines one of key principles of a cloud environment — security and privacy of users data.”

Potential attackers only need one-time access to the service to learn its specifics and can later break into all Java Cloud user accounts from the public Internet, Gowdiak said. Attacks can also be carried out from trial accounts because there’s no separation between trial users and paying customers in the regional data centers, he said.

Oracle confirmed the 30 vulnerabilities on Feb. 12, but failed to provide Security Explorations with a monthly report on their status in March, as it had been agreed, Gowdiak said.

They are some quite serious issues too, allowed users to gain access to userspace of another user in the same regional DC. Oracle has confirmed the vulnerabilities, but as of yet – has failed to provide any status updates regarding fixes/improvements/patches etc.

The attacks can also be carried out from a trial user account as there is no separation between trial users and paying customers. It seems like a generally poor architecture and sloppy design by Oracle – I hope this makes them really step up their game.

Source: Network World

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , ,


Latest Posts:


APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.


One Response to Oracle Java Cloud Service Vulnerabilities Publicly Disclosed

  1. scamer April 4, 2014 at 5:38 pm #

    I love ur job n how far canit take me to learn?