In a result of its research investigation efforts, Security Explorations discovered multiple security vulnerabilities in Oracle Java Cloud Service.
This section of our website presents initial information regarding the project that lead to this discovery:
Over the recent months, several Oracle executives tried to convince the public that "security problems affecting Java in Internet browsers have generally not impacted Java running on servers" [1], that at Oracle, "every developer is a security rifleman", "trained in security" [2][3] and that company's products are subject to stricter Software Security Assurance Policies and Procedures [4].
Somehow we didn't buy it and decided to investigate security of some other Oracle products. As cloud technology is a hot topic these days and the voices of several Oracle VPs associated with Fusion Middleware and Cloud applications were in particular heard louder, we decided to have a closer look at the security of Oracle's Java Cloud Service.
Evaluating security of services deployed on a vendor side is different from the usual evaluation we conduct with respect to security of software. For real-life Internet services, configuration issues and architecture choices start to play a significant role and they can never be ignored.
Our goal was to verify security level provided by Oracle Java Cloud Service from the end user (customer) perspective. That required answer to the fundamental question: are user applications and data properly secured in Oracle Java Cloud ? We found that out by a careful combination of both security researcher's and penetration tester's skills.
There were several categories of them. First of all, we discovered multiple weaknesses that could be used to escape Java security sandbox of a target WebLogic server environment. We developed 9 Proof of Concept codes illustrating that (16 issues in total). We also found problems within the applications validation process and the environment of a WebLogic server itself.
No. Rather than showing that vulnerabilities in the underlying Java SE platform can influence security of Oracle Java Cloud service, we wanted to signal that other Oracle products are prone to exactly the same violations of company's Secure Coding Guidelines [5] as we did for Java SE [6].
We found a way for a given user of Oracle Java Cloud service to gain access to applications and data of another user of the service in the same regional data center. By access we mean the possibility to read and write data, but also execute arbitrary Java code on a target WebLogic server instance hosting other users' applications. That alone undermines one of key principles of a cloud environment - security and privacy of users data.
Not really. There were certian attack scenarios and issues reported that we didn't verify in a target Oracle Java Cloud environment. Instead, they were tested in our lab only.
Our tests were conducted in US1 (Austin, TX) and EMEA1 (UK) Commercial data centers. The discovered weaknesses were confirmed for the identities we established (trial and commercial subscriptions).
According to some published data [7], back in 2012 Oracle Cloud was comprised of 300000+ systems (2500 server racks) deployed across 4 data centers. In 2013 and 2014 the number of data centers grew to 5 (US1, US2, EMEA1, EMEA2, APAC). While we cannot provide an exact number of the affected systems, this is certainly a considerable number taking into account that our findings affected 2 of Oracle Cloud data centers.
Taking into account the design and architecture of Oracle Cloud (what we have learned and what was confirmed by [7]), identified vulnerabilities should be completely sufficient to achieve a successful security compromise of a given Oracle regional data center (access to EM console / cloud administrator privileges in a given regional data center).
This CPU fixes only a remote vulnerability in a WebLogic server software (Issue 26).
This is the vulnerability that allows to bypass user authentication and gain administrative privileges on a remote instance of a WebLogic server. That alone makes this bug quite serious.
Definitely not. The specifics of the environment along with legal constraints prohibited us from running all possible tests. The results achieved should be however sufficient for triggering some extra work and more deeper thinking at Oracle regarding configuration, implementation and architecture of its Java Cloud services and security processes in general (QA and penetration testing in particular).
This page presents details of security vulnerabilities and attack techniques discovered as a result of our Oracle Java Cloud Service security research project. These details are provided in a form of original vulnerability reports, accompanying Proof of Concept Codes and tools.
Additionally, the slides for a keynote talk given at JavaLand conference in 2016 are also provided. This talk referred to SE-2013-01 and our other research projects while discussing key problems related to Java platform security, its ecosystem and vendors.
Proof of Concept Codesand tools below are provided purely for educational purposes only. It is expressly forbidden to use them for any purposes that would violate any domestic or international laws. If you do not agree with this policy, please leave this page.
This page presents current status of the communication process with vendors of affected technologies.
