Attack code for Oracle Java Cloud Service published

Oracle Java Cloud Service apps face additional risks after a researcher publishes new vulnerabilities and how to attack them.

A security researcher has published technical details and attack code for dozens of security flaws claimed to affect Oracle's Java Cloud Service, including some that could allow an attacker to remotely attack apps hosted in its data centres.

Security Explorations, a Poland-based company headed up by Java security specialist Adam Gowdiak, has spilled the beans on 30 flaws it says affect customers of Oracle's Java Cloud at its US and EMEA region data centres. 

Read this

Look out, Oracle: SkySQL and MariaDB join forces

Oracle's MySQL may be the most well-known open-source DBMS, but now, MySQL's creators are together again with the merger of MariaDB and SkySQL.

Read More

Gowdiak said he published details of the flaws after Oracle stopped corresponding with him over the issues. According to the researcher, while Oracle said it had developed fixes for 24 of vulnerabilities, the company didn't provide an update on when they would be released.

To turn up the heat on Oracle, Gowdiak also published nine proof-of-concept attack tools for 16 of the flaws relating to an insecure implementation of the Java Reflection API in a WebLogic Server environment.

"Their successful exploitation can easily lead to the full compromise of a Java security sandbox of a target WebLogic server instance," he said.

According to Gowdiak, attackers could use the flaws to access users' applications and execute Java code on their systems.

"An attacker can further leverage this to gain access to application deployments of other users of Oracle Java Cloud service in the same regional data centre. This means both the possibility to access users' applications, their database schemas as well as execute arbitrary Java code on their systems," he said.

"Security Explorations verified that a malicious Java code exploiting a combination of identified vulnerabilities could be executed on a WebLogic server instance of arbitrary users of Oracle Java Cloud Service."

A further four flaws cover several methods that can bypass verification processes, and tools such as whitelisting and antivirus, in Oracle's Java Cloud Software that are used to block unwanted functionality in an application.

Gowdiak details the rest of the flaws here and here, which also include issues related to shared WebLogic server administrator credentials and the use of plaintext and security sensitive passwords in Policy Store.

Also, it would seem Oracle hasn't heeded its own advice in regularly updating Java SE. According to Gowdiak, an outdated Java SE software is employed as a base for Oracle Java Cloud Service (version 13.1) in the US and EMEA data centres. The version of Java SE 6 and 7 in use are missing around 150 updates that Oracle has issued since the end of 2012, according to Gowdiak.  

Gowdiak published a timeline of his correspondence over the bugs with Oracle here, noting Oracle's most recent response from 20 March:

"Oracle informs that the company provides vulnerability information to all customers at the same time and that it does not publish a vulnerability when it is fixed in one release, but not in the other supported releases. The company also informs that it is still working on the cloud vulnerability handling policies. The company will notify Security Explorations when reported vulnerabilities are addressed in US1 and EMEA1 instances, but cannot promise this for future."

Oracle's next Critical Patch Update, which includes patches for Java, is due on 15 April.

ZDNet has asked Oracle for comment and will update the story if it receives one. 

Read more on Oracle