Security Explorations, a security and vulnerability research company from Poland, discovered multiple vulnerabilities in the environment of Oracle [1] Java Cloud Service [2].
Among a total of 28 issues found, 16 are weaknesses that make it possible to completely break the Java security sandbox of a target WebLogic server environment. An attacker can further leverage this to gain access to the application deployments of other users of Oracle Java Cloud Service in the same regional data center. This means the possibility to access users' applications and their database schemas, as well as to execute arbitrary Java code on their systems. Security Explorations verified that malicious Java code exploiting a combination of the identified vulnerabilities could be executed on the WebLogic server instance of arbitrary users of Oracle Java Cloud Service.
The nature of the weaknesses identified in Oracle's service indicates that it was not subjected to a thorough security review and penetration testing prior to the public offering. They illustrate known and widely discussed security risks related to Java [3]. They also expose a weak understanding of the Java security model and its attack techniques on the part of Oracle engineers.
On Jan 31, 2014, Security Explorations sent a vulnerability notice to Oracle Corporation containing detailed information about the discovered weaknesses. Along with that, the company was also provided with the source and binary code of Proof of Concept programs and tools illustrating the identified security issues and attack scenarios.