Oracle Java Cloud Service - Press Info no. 2
APR 2014

Oracle Java Cloud Service - Press Info no. 2

Security Explorations decided to release technical details and accompanying Proof of Concept codes for security vulnerabilities discovered in the environment of Oracle [1] Java Cloud Service [2].

Two months after the initial report [3], Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers (US1 and EMEA1 respectively).

The company has not provided a monthly status report for the reported vulnerabilities for Mar 2014 (to be received around the 24th of each month).

Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies. Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future.

Security Explorations is publishing the following materials in a hope that a valuable perspective on Oracle security and engineering processes could be gained:

  • Oracle Vulnerability Report, Issues #1-28, PDF file, 1087KB (download)
  • Oracle Vulnerability Report, Issues #29-30, PDF file, 210KB (download)
  • Proof of Concept codes and tools, ZIP file, 523KB (download)

Security Explorations encourages all customers of Oracle Java Cloud Service that signed up for the service between Jun 2013 and Jan 2014 in either US1 or EMEA1 commercial data centers to make use of the published materials as a supporting evidence for any refund requests from Oracle filed on the basis of unsatisfactory security level of the services offered.