Vulnerabilities found in Oracle Java Cloud Service
According to IDG, “Security researchers released technical details and proof-of-concept code for 30 security issues affecting Oracle’s Java Cloud Service, some of which could allow attackers to compromise business-critical Java applications deployed on it.”
Researchers from Security Explorations, a Polish security firm, publicly disclosed the Java Cloud Service security weaknesses because they weren’t satisfied with how Oracle handled their private report.
“The reported issues include bypasses of the Java security sandbox, bypasses of the Java API whitelisting rules, the use of shared WebLogic server administrator passwords, the availability of security-sensitive plaintext user passwords in Policy Store, the use of outdated Java SE software on the service that was lacking around 150 security fixes, and issues that enable a remote code execution attack against a WebLogic server instance used by other Oracle Java Cloud users.”
I suspect that Oracle is having kittens over this one. They were a late entry into the cloud computing marketplace, and their big enterprise customer base is sensitive about security issues. However, providers have to deal with this kind of stuff very quickly and document all aspects of the problem and the fix. Ignoring the problem won’t make it go away, and a dismissive attitude won’t bring much customer confidence.