Vulnerabilities in Oracle Java Cloud Publicly Disclosed


Polish computer security research firm Security Explorations has just disclosed 30 unpatched vulnerabilities affecting the popular PaaS Oracle Java Cloud. Disclosure comes in the form of two detailed reports, which contain proof of concept demonstrations and reveal: 1) weaknesses with the PaaS’s implementation and configuration, 2) opportunities for users to access other users’ applications, and, most importantly, 3) issues that could expose the service platform to attacks from remotely executed code.

The public disclosure comes roughly two months after Security Explorations had initially reported the vulnerabilities to Oracle. Reports indicate that the corporation did acknowledge the research firm’s findings as early as February 12th. Reports also indicate that at the time of that acknowledgement, Oracle also promised a March 24th status report detailing what was being done to resolve the vulnerabilities. As of April 2nd, Security Explorations had yet to see said report. In response, the research firm has issued public disclosure and encouraged Oracle Java Cloud users to demand a refund due to “unsatisfactory security levels.”

Such a disclosure is indeed controversial, as it reveals a number of vulnerabilities to the public at large – a public that includes malicious actors. Issues addressed in the report include:

  • Bypasses of the Java security sandbox
  • Bypasses of whitelisting rules on the Java API
  • Shared server administrator passwords
  • Plain text user password accessibility
  • The use of outdated Java SE software that lacks approximately 150 security fixes
  • The potential for attacks via remote execution of code

For those who use the PaaS, these are all issues that cannot be ignored. But even for the rest of us, the general issue of public disclosure of ANY software vulnerability is still quite relevant, and begs the question:

Is it the right way to do business?

Some would say that public disclosure is in the interest of public (computer) health, and in all cases acceptable. Others would say that it treads too closely to ransom, and that programs like Microsoft’s Bug Bounty, for example, work only to reward malicious behavior. In any event, there is indeed a fine line separating security research firms from malware operations proper, and in most cases it is a line drawn by personal ethics. What is perhaps most interesting about this latest issue with Oracle – a company long known for its less than impenetrable software – is that it highlights the ethical underpinnings of what is viewed by most as a purely technical pursuit. The world of software has its good guys and its bad guys, just as does the non-virtual world.

Exactly who is who in this David v. Goliath instance of Oracle and Security Explorations is perhaps a non-binary issue that can’t quite so easily be resolved; but, it should be interesting to see just how many of the vulnerabilities exposed by Security Explorations are addressed in Oracle’s upcoming update on April 15th.

In the meantime, Emsisoft welcomes all opinions on the matter of software ethics in the comments section below.

Have a Great (Malware (and Vulnerability))-Free Day!