Message-ID: <533A7B94.4040901@security-explorations.com>
Date: Tue, 01 Apr 2014 10:40:52 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [SE-2013-01] Security vulnerabilities in Oracle Java Cloud Service (details)


Hello All,

Security Explorations has decided to release technical details and
accompanying Proof of Concept code for security vulnerabilities
discovered in the environment of Oracle [1] Java Cloud Service
[2]. All relevant materials can be found at the following location:

http://www.security-explorations.com/en/SE-2013-01-details.html

This publication is made as a result of an unsatisfactory Oracle
vulnerability handling process.

Two months after the initial report, Oracle has not provided
information regarding successful resolution of the reported
vulnerabilities in their commercial cloud data centers (US1 and
EMEA1 respectively).

The company has not provided a monthly status report for the
reported vulnerabilities for Mar 2014 (to be received around the
24th of each month).

Instead, a year and a half after the commercial availability of
the service, Oracle communicates that it is still working on cloud
vulnerability handling policies. Additionally, the company openly
admits that it cannot promise whether it will be communicating
resolution of security vulnerabilities affecting their cloud data
centers in the future.

Oracle's production cloud, which has been in the company's offering
since 2012, exhibited the following issues (among others):
- Java Security Sandbox Bypass Issues. This includes both simple
   instances of widely discussed Reflection API flaws [3] as well
   as vulnerabilities that exposed a rather weak understanding of the
   Java security model and its attack techniques by Oracle engineers,
- Java API Whitelisting Rules Bypass Issues (again, primarily due
   to the Reflection API),
- shared WebLogic server administrator credentials (the same passwords
   for all customers in a given regional data center, easy to obtain
   from the environment configuration),
- plaintext / security-sensitive passwords in the Policy Store (this
   includes passwords of users usually associated with administrator
   privileges in the Fusion Middleware software stack),
- old Java SE software used as the base for the service (approx. 150
   security fixes incorporated into Java SE software since the end of
   2012 / beginning of 2013 were missing from the environment).

Security Explorations hopes that the publication of SE-2013-01 project
details puts a valuable perspective on Oracle security and engineering
processes.

We take this opportunity to encourage all customers of Oracle Java Cloud
Service that signed up for the service between Jun 2012 and Jan 2013 in
either the US1 or EMEA1 commercial data centers to make use of the published
materials as supporting evidence for any refund requests from Oracle
filed on the basis of the unsatisfactory security level of the services offered.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Oracle Corporation (http://www.oracle.com)
[2] Oracle Java Cloud Service (https://cloud.oracle.com/mycloud/f?p=service:java:0)
[3] SE-2012-01 Project, Security Vulnerabilities in Java SE (http://www.security-explorations.com/en/SE-2012-01.html)



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/