Unhappy with the way Oracle is handling the patching process, a Polish-based security firm decided to publicly reveal 30 vulnerabilities in Oracle Java Cloud Service.
In late January 2014, Security Explorations found the vulnerabilities and let Oracle know about them.
The vulnerabilities, around half of which can completely break the Java security sandbox, have undergone testing in the US1 and EMEA1 Oracle Java Cloud data centers.
Oracle has proof of concept codes that demonstrate the existence of the vulnerabilities. The company confirmed the existence of all 30 security holes and they’ve promised to provide Security Explorations with status updates on around the 24th of each month.
However, Oracle has failed to keep its promise. The company provided a status update on February 27, saying they developed fixes for 24 of the vulnerabilities.
But the organization failed to provide a status update for March. Moreover, Oracle hasn’t given researchers any information on when the vulnerabilities will end up patched in their commercial cloud data centers.
“This publication is made as a result of unsatisfactory Oracle vulnerability handling process,” Adam Gowdiak, the chief executive of Security Explorations.
Security Explorations is displeased with the fact that after a year and a half of being commercially available, Oracle said it’s still working on vulnerability handling policies for the Java Cloud Service.
“Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future,” Gowdiak said.
The researcher said Oracle’s cloud has a number of security holes, including Java security sandbox bypass issues, Java API whitelisting rules bypass flaws, shared WebLogic server admin credentials, plaintext passwords in the Policy Store, and the use of old Java SE software as the base for the service.