
SE-2013-01 Frequently Asked Questions

Last update: Apr-17-2014

What's the reason behind evaluating the security of Oracle Java Cloud Service?
Over the recent months, several Oracle executives tried to convince the public that "security problems affecting Java in Internet browsers have generally not impacted Java running on servers" [1], that at Oracle "every developer is a security rifleman", "trained in security" [2][3], and that the company's products are subject to stricter Software Security Assurance policies and procedures [4].
Somehow we didn't buy it and decided to investigate the security of some other Oracle products. As cloud technology is a hot topic these days, and the voices of several Oracle VPs associated with Fusion Middleware and Cloud applications were heard particularly loudly, we decided to have a closer look at the security of Oracle's Java Cloud Service.
Did you run a penetration test on Oracle's network?
Evaluating the security of services deployed on a vendor's side is different from the usual evaluation we conduct with respect to the security of software. For real-life Internet services, configuration issues and architecture choices start to play a significant role and can never be ignored.
Our goal was to verify the security level provided by Oracle Java Cloud Service from the end user (customer) perspective. That required an answer to the fundamental question: are user applications and data properly secured in Oracle Java Cloud? We found that out by a careful combination of both a security researcher's and a penetration tester's skills.
What weaknesses did you encounter in Oracle Java Cloud?
There were several categories of them. First of all, we discovered multiple weaknesses that could be used to escape the Java security sandbox of a target WebLogic server environment. We developed 9 Proof of Concept codes illustrating that (16 issues in total). We also found problems within the application validation process and the environment of the WebLogic server itself.
Did you exploit any vulnerabilities in baseline Java SE?
No. Rather than showing that vulnerabilities in the underlying Java SE platform can influence the security of Oracle Java Cloud Service, we wanted to signal that other Oracle products are prone to exactly the same violations of the company's Secure Coding Guidelines [5] as we had found for Java SE [6].
What's the impact of your findings?
We found a way for a given user of Oracle Java Cloud Service to gain access to the applications and data of another user of the service in the same regional data center. By access we mean the possibility to read and write data, but also to execute arbitrary Java code on a target WebLogic server instance hosting other users' applications. That alone undermines one of the key principles of a cloud environment: security and privacy of users' data.
Is that all?
Not really. There were certain attack scenarios and issues reported that we didn't verify in the target Oracle Java Cloud environment. Instead, they were tested in our lab only.
Are all Java Cloud users affected by your findings?
Our tests were conducted in the US1 (Austin, TX) and EMEA1 (UK) Commercial data centers. The discovered weaknesses were confirmed for the identities we established (trial and commercial subscriptions).
How many Oracle Cloud systems could be affected by your findings?
According to some published data [7], back in 2012 Oracle Cloud was comprised of 300000+ systems (2500 server racks) deployed across 4 data centers. In 2013 and 2014 the number of data centers grew to 5 (US1, US2, EMEA1, EMEA2, APAC). While we cannot provide an exact number of the affected systems, it is certainly a considerable number, taking into account that our findings affected 2 of Oracle Cloud's data centers.
Was the security of Oracle Cloud data centers at risk?
Taking into account the design and architecture of Oracle Cloud (what we have learned and what was confirmed by [7]), the identified vulnerabilities should be completely sufficient to achieve a successful security compromise of a given Oracle regional data center (access to the EM console / cloud administrator privileges in a given regional data center).
Which of the reported vulnerabilities were fixed by the Apr 2014 CPU?
This CPU fixes only a remote vulnerability in WebLogic server software (Issue 26).
Is the WebLogic vulnerability (Issue 26) serious?
This is a vulnerability that allows bypassing user authentication and gaining administrative privileges on a remote instance of a WebLogic server. That alone makes this bug quite serious.
Should the project be treated as complete?
Definitely not. The specifics of the environment, along with legal constraints, prohibited us from running all possible tests. The results achieved should, however, be sufficient to trigger some extra work and deeper thinking at Oracle regarding the configuration, implementation and architecture of its Java Cloud services and its security processes in general (QA and penetration testing in particular).

References:

  [1] Maintaining the security-worthiness of Java is Oracle's priority
      https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of
  [2] Oracle Secures Java with 41 Updates, Code Signing
      http://www.esecurityplanet.com/network-security/oracle-secures-java-with-41-updates-code-signing.html
  [3] Oracle: We're getting Java security under control
      http://www.infoworld.com/t/java-programming/oracle-were-getting-java-security-under-control-227404
  [4] Oracle Software Security Assurance
      http://www.oracle.com/us/support/assurance/overview/index.html
  [5] Secure Coding Guidelines for the Java Programming Language, Version 4.0
      http://www.oracle.com/technetwork/java/seccodeguide-139067.html
  [6] SE-2012-01 Project, Security Vulnerabilities in Java SE
      http://www.security-explorations.com/en/SE-2012-01.html
  [7] Privacy and Security in the Cloud: A real experience with current technologies
      https://edu.clusit.it/download1.php?id=74

Copyright 2008-2014 Security Explorations. All Rights Reserved.