Number:IRCNE2014042144
Date: 2014-04-03
According to “computerworld”, security researchers released technical details and proof-of-concept code for 30 security issues affecting Oracle's Java Cloud Service, some of which could allow attackers to compromise business-critical Java applications deployed on it.
Researchers from Polish security firm Security Explorations, who found many Java vulnerabilities in the past, decided to publicly disclose the Java Cloud Service security weaknesses.
The Oracle Java Cloud Service allows customers to run Java applications on WebLogic server clusters in data centers operated by Oracle. The service provides "enterprise security, high availability, and performance for business-critical applications," Oracle says on its website.
The reported issues include bypasses of the Java security sandbox, bypasses of the Java API whitelisting rules, the use of shared WebLogic server administrator passwords, the availability of security-sensitive plaintext user passwords in Policy Store, the use of outdated Java SE software on the service that was lacking around 150 security fixes, and issues that enable a remote code execution attack against a WebLogic server instance used by other Oracle Java Cloud users.
"We found a way for a given user of Oracle Java Cloud service to gain access to applications and data of another user of the service in the same regional data center," Gowdiak said. "By access we mean the possibility to read and write data, but also execute arbitrary (including malicious) Java code on a target WebLogic server instance hosting other users' applications; all with Weblogic server administrator privileges."
Oracle confirmed the 30 vulnerabilities on Feb. 12, but failed to provide Security Explorations with a monthly report on their status in March, as had been agreed, Gowdiak said.
- 7