Oracle’s Java Cloud: 25+ Security Vulnerabilities Found

Just when you thought the public cloud is getting safer, reports have surfaced surrounding the integrity of Oracle’s Java Cloud. Security analysts from Security Explorations, a firm located in Poland, have published the attack code used to compromise the integrity of Oracle’s Java Cloud. These types of publications aren’t meant to be malicious in nature. Liam Tung at ZDNet reports that Oracle was aware of the security issues and the only reason that attack code went public is because Oracle stopped corresponding with Security Explorations’ team of Java security experts. When Security Explorations published the code, they only did so in efforts to more quickly get these lapses in security fixed.

Adam Gowdiak is the leader of Security Explorations. Mr. Gowdiak is known as one of the world’s top experts on Java security. A PDF released on the Security Exploration’s website mentions, “Multiple vulnerabilities exist in Oracle WebLogic Server classes that are visible to user applications (Java Servlets / JSP pages). Most of them are the result of insecure implementation of Java Reflection API. Both, Oracle and 3rd party classes included in user application’s classpath are prone to these issues. Their successful exploitation can easily lead to the full compromise of a Java security sandbox of a target WebLogic server instance.” The report goes on to list each of the attacks in detail.

These attacks allow hackers to have unprecedented access to your Java cloud. The code attacks have been confirmed to function inside of Oracle’s US and EMEA datacenters. Gowdiak also noted that the WebLogic server admin’s password could be stored in plain-text. As of now, Oracle has provided no official response to the Java Cloud vulnerabilities. We expect Oracle’s PR team to be enacting serious damage control measures today. Oracle has a Critical Patch Update for Java due out on April 15th. It is unclear if this patch will specifically focus on the security vulnerabilities found by Gowdiak’s team.