The company shared its knowledge about the vulnerabilities and the PoC code with Oracle in late January and early February, and Oracle confirmed that it had received the reports. By the end of February, Oracle provided a monthly status report for the reported issues, and informed the researchers that "fixes for 24 issues have been developed", and that "the remaining 6 issues are under investigation/being fixed in main codeline."
The researchers were particularly worried about the US1 and EMEA1 data centers, and asked Oracle to notify them when all the vulnerabilities were patched. Since that has yet to happen, Security Explorations decided that it had given Oracle enough time to fix the issues, and that it would go public with the discoveries.
"Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers," they noted.
"Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies. Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future."
"Among a total of 28 issues found, there are 16 weaknesses that make it possible to completely break Java security sandbox of a target WebLogic server environment. An attacker can further leverage this to gain access to application deployments of other users of Oracle Java Cloud service in the same regional data center. This means both the possibility to access users' applications, their database schemas as well as execute arbitrary Java code on their systems," they shared, and pointed out that the nature of the weaknesses identified in Oracle's service indicates that it was not subjected to a thorough security review and penetration testing prior to the public offering.
More information about their research methodology can be found in this FAQ.
Security Explorations also said that all customers of Oracle Java Cloud Service who signed up for the service between June 2013 and January 2014 in either the US1 or EMEA1 commercial data centers could freely use its materials to "support refund requests from Oracle filed on the basis of unsatisfactory security level of the services offered."