There are 30 security issues in the Oracle Java Cloud Service, 16 of which can “completely break the Java security sandbox of a target WebLogic server environment,” researchers said.
“An attacker can further leverage this to gain access to application deployments of other users of Oracle Java Cloud service in the same regional data center,” said Adam Gowdiak, the chief executive of Security Explorations.
Some of these vulnerabilities can be exploited on their own, while others only work when combined, he said.
“The vulnerabilities were tested in two Oracle Java Cloud data centers (US1 and EMEA1 respectively). They were verified to be present in ver. 13.1 and 13.2 (most recent) of Oracle Java Cloud Software,” Gowdiak said.
The nature of the security holes identified by the researchers suggests Oracle has not put much effort into securing the Java Cloud Service.
“They illustrate known and widely discussed security risks related to Java. They also expose a weak understanding of the Java security model and attack techniques by Oracle engineers,” he said.
Security Explorations informed Oracle of the findings and provided the company with source and binary code, along with tools that demonstrate the vulnerabilities and attack scenarios. Gowdiak said they have not heard back from the software giant.
Oracle confirmed receiving the report from Security Explorations and said it is investigating the issues.