Full Disclosure mailing list archives
[SE-2013-01] Security vulnerabilities in Oracle Java Cloud Service (details)
From: Security Explorations <contact () security-explorations com>
Date: Tue, 01 Apr 2014 10:40:52 +0200
Hello All, Security Explorations decided to release technical details and accompanying Proof of Concept codes for security vulnerabilities discovered in the environment of Oracle [1] Java Cloud Service [2]. All relevant materials can be found at the following location: http://www.security-explorations.com/en/SE-2013-01-details.html This publication is made as a result of unsatisfactory Oracle vulnerability handling process. Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers (US1 and EMEA1 respectively). The company has not provided a monthly status report for the reported vulnerabilities for Mar 2014 (to be received around the 24th of each month). Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies. Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future. Oracle production cloud, which has been in the company offering since 2012, did offer the following (among others): - Java Security Sandbox Bypass Issues. This includes both simple instances of widely discussed Reflection API flaws [3] as well as vulnerabilities that exposed rather weak understanding of Java security model and its attack techniques by Oracle engineers, - Java API Whitelisting Rules Bypass Issues (again, primarily due to the Reflection API), - shared WebLogic server administrator credentials (same passwords for all customers in a given regional data center, easy to obtain from the environment configuration), - Plaintext / security sensitive passwords in Policy Store (this includes passwords of users usually associated with administrator privileges in Fusion Middleware software stack), - old Java SE software used as the base for the service (approx. 150 security fixes incorporated into Java SE software since the end of 2012 / beginning of 2013 were missing from the environment). Security Explorations hopes that the publication of SE-2013-01 project details puts a valuable perspective on Oracle security and engineering processes. We take this opportunity to encourage all customers of Oracle Java Cloud Service that signed up for the service between Jun 2012 and Jan 2013 in either US1 or EMEA1 commercial data centers to make use of the published materials as a supporting evidence for any refund requests from Oracle filed on the basis of unsatisfactory security level of the services offered. Thank you. Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to the new level" --------------------------------------------- References: [1] Oracle Corporation (http://www.oracle.com)[2] Oracle Java Cloud Service (https://cloud.oracle.com/mycloud/f?p=service:java:0) [3] SE-2012-01 Project, Security Vulnerabilities in Java SE (http://www.security-explorations.com/en/SE-2012-01.html)
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- [SE-2013-01] Security vulnerabilities in Oracle Java Cloud Service (details) Security Explorations (Apr 01)
- Re: [SE-2013-01] Security vulnerabilities in Oracle Java Cloud Service (details) Security Explorations (Apr 01)