Security have disclosed the presence of some thirty critical vulnerabilities they discovered in the Oracle Java Cloud Service, having released reports that detail each along with proof-of-concept code for exploiting the platforms flaws which include the ability for attackers to execute malicious code and read or modify user data.
The researchers notified Oracle of the vulnerabilities and provided details of their findings in January, and Oracle acknowledged the problems and indicated that fixes were in the works. Due to the fact that no resolutions have been provied as of yet, the researchers decided to go public with their findings in an effort to spur Oracle into acting on the vulnerabilities.
“Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers. The company has not provided a monthly status report for the reported vulnerabilities for Mar 2014 (to be received around the 24th of each month),” the researchers stated.
“Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies. Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future.”
The researchers also said they believe that the platform was not subject to a rigorous security review before it went live, basing their opinion on the class and variety of vulnerabilities identified.
“Among a total of 28 issues found, there are 16 weaknesses that make it possible to completely break Java security sandbox of a target WebLogic server environment. An attacker can further leverage this to gain access to application deployments of other users of Oracle Java Cloud service in the same regional data center. This means both the possibility to access users applications, their database schemas as well as execute arbitrary Java code on their systems,” the researchers noted.
The team published an FAQ on the vulnerabilities, as well as two PDF reports (here and here) detailing their findings.