Security researchers have released technical details and attack code for 30 security issues affecting Oracle's Java Cloud Service. Some of the issues make it possible for attackers to read or modify users' sensitive data or to execute malicious code, the researchers warned.
Researchers from Polish security firm Security Explorations, who have found many Java vulnerabilities in the past, decided to publicly disclose the Java Cloud Service security weaknesses because they weren't satisfied with how Oracle handled their private report.
The Oracle Java Cloud Service supposedly allows customers to run Java applications on WebLogic server clusters in data centers operated by Oracle. The service provides "enterprise security, high availability, and performance for business-critical applications," Oracle says.
According to a disclosure timeline published by Security Explorations, the company notified Oracle of 28 security issues on Jan. 31 and another two issues on Feb. 2.
"The company openly admits it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future," Adam Gowdiak, CEO of Security Explorations, said.
The nature of the issues identified indicates that the service was not subjected to a thorough security review and penetration test prior to being publicly launched, Gowdiak said. The vulnerabilities also expose a weak understanding of the Java security model and attack techniques by Oracle engineers, he said.