Researchers expose vulnerabilities in Oracle’s Java Cloud Service

A security researcher has published technical details and attack code for dozens of security flaws claimed to affect Oracle’s Java Cloud Service, including some that could allow an attacker to remotely attack apps hosted in its data centers. Security Explorations, a Poland-based company headed up by Java security specialist Adam Gowdiak, has spilled the beans on 30 flaws it says affect customers of Oracle’s Java Cloud at its US and EMEA region datacentres. 

Researchers have released technical details and attack code for 30 security issues affecting Oracle’s Java Cloud Service. Some of the issues make it possible for attackers to read or modify users’ sensitive data or to execute malicious code, the researchers warned. Poland-based Security Explorations typically withholds such public airings until after any vulnerabilities have been fixed to prevent them from being exploited maliciously. The researchers broke from that tradition this week after Oracle representatives failed to resolve issues including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text use passwords stored in some systems.