Oracle’s Java Cloud Service Susceptible To Attack?  Or is a Competitor Conspiring to Blacken their Eye?


Unsubstantiated research, by a group of researchers have released technical details and attack code for 30 security issues affecting Oracle’s Java Cloud Service. Some of the issues make it possible for attackers to read or modify users’ sensitive data or to execute malicious code, the researchers warned.

Poland-based Security Explorations typically withholds such public airings until after any vulnerabilities have been fixed to prevent them from being exploited maliciously. The researchers broke from that tradition this week after Oracle representatives failed to resolve issues including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text use passwords stored in some systems.

“The company openly admits it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future,” Adam Gowdiak, CEO of Security Explorations said. The security research firm is the same one that has discovered a host of extremely severe vulnerabilities in Oracle’s Java software framework, some of which have been exploited in the wild to surreptitiously install malware on end-user computers.

Oracle unveiled the Java Cloud Service in 2011 and held it up as a way to better compete against

The 30 security issues disclosed by Security Explorations are laid out in PDF papers here and here

Currently no one has investigated this “research company”, who runs it, who founded it, what their motives are, nor to my knowledge has any of their research been validated by an independent third party. At this point it seems they have been focusing entirely on Oracle which leads one to wonder who put them up to this, what their business model is, and why they’re not targeting any other out providers since I guarantee they could find at least the same amount or more exploits for Salesforce or Amazon or Google or IBM Cloud Infrastructures, if they had the “desire” to do so. – JNR

By Jarrett Neil Ridlinghafer 
CTO of the following –
Synapse Synergy Group
Chief Technology Analyst, Author & Consultant
Compass Solutions, LLC
Hadoop Magazine
Cloud Consulting International