Security Explorations says Oracle is still working on vulnerability handling policies

Apr 1, 2014 09:31 GMT  ·  By

In late January 2014, Polish security research company Security Explorations revealed the existence of a total of 30 vulnerabilities in Oracle Java Cloud Service. Now, Security Explorations has decided to publish the details of all these flaws because the company is displeased with the way Oracle is handling the patching process.

The vulnerabilities, around half of which can be exploited to completely break the Java security sandbox, have been tested in the US1 and EMEA1 Oracle Java Cloud data centers.

Oracle has been provided with proof-of-concept code that demonstrates the existence of the vulnerabilities. The company has confirmed the existence of all 30 security holes and has promised to provide Security Explorations with status updates around the 24th of each month.

However, Oracle has failed to keep its promise. The company provided a status update on February 27, saying that fixes had been developed for 24 of the vulnerabilities.

But the organization failed to provide a status update for March. Moreover, Oracle hasn’t given the researchers any information on when the vulnerabilities might be patched in its commercial cloud data centers.

“This publication is made as a result of unsatisfactory Oracle vulnerability handling process,” Adam Gowdiak, the CEO of Security Explorations, told Softpedia via email.

Security Explorations is displeased with the fact that after a year and a half of being commercially available, Oracle says it’s still working on vulnerability handling policies for the Java Cloud Service.

“Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future,” Gowdiak noted.

The expert highlights that Oracle’s cloud is plagued by a number of security holes, including Java security sandbox bypass issues, Java API whitelisting rules bypass flaws, shared WebLogic server admin credentials, plaintext passwords in the Policy Store, and the use of old Java SE software as the base for the service.

“We take this opportunity to encourage all customers of Oracle Java Cloud Service that signed up for the service between Jun 2013 and Jan 2014 in either US1 or EMEA1 commercial data centers to make use of the published materials as supporting evidence for any refund requests from Oracle filed on the basis of unsatisfactory security level of the services offered,” Gowdiak concluded.

Softpedia has reached out to Oracle to see what the company has to say about its buggy vulnerability patching process. This article will be updated if the company responds to our inquiry.

The Oracle Java Cloud Service vulnerability reports are available on Security Explorations’ website.